isValid() method in OWASP HTML Sanitizer
I have a page in my application where the user can enter HTML input. Now, in order to avoid XSS attacks, I am using the OWASP HTML Sanitizer to sanitize the user input. If the user input is not valid according to the policy, I just want to throw the user out.
Is there a way to simply check whether the input HTML is valid against the policy, without sanitizing it?
Something like:
public static boolean isValid(String input, Policy policy);
You can define the isValid method yourself, but I'm not sure you can do it without calling the sanitize method.
import org.owasp.html.HtmlPolicyBuilder;
import org.owasp.html.PolicyFactory;

// Define the policy factory: only <a> and <p> are allowed, and href only on <a>
PolicyFactory polFac = new HtmlPolicyBuilder()
    .allowElements("a", "p")
    .allowAttributes("href").onElements("a")
    .toFactory();

// The input is "valid" if sanitizing it changes nothing.
// Note that sanitize() re-serializes the markup (tag case, attribute quoting,
// entity encoding), so input the policy allows can still compare unequal.
static boolean isValid(String input, PolicyFactory polFac) {
    return input.equals(polFac.sanitize(input));
}
You can obtain a more robust version of isValid using the second version of the sanitize method (in the PolicyFactory class), which reports the names of the rejected elements and attributes.
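The listener-based variant the answer refers to, written out as an added example (this is not code from the question, the answer, or the OWASP project). It keeps the same policy as the answer's snippet and uses the PolicyFactory.sanitize(String, HtmlChangeListener, CTX) overload together with the discardedTag and discardedAttributes callbacks of HtmlChangeListener; the Rejections class, the PolicyValidator class name and the sample inputs are constructed for illustration.

```java
import org.owasp.html.HtmlChangeListener;
import org.owasp.html.HtmlPolicyBuilder;
import org.owasp.html.PolicyFactory;

import java.util.ArrayList;
import java.util.List;

public final class PolicyValidator {

    // Same policy as in the answer: only <a> and <p>, and href only on <a>.
    static final PolicyFactory POLICY = new HtmlPolicyBuilder()
            .allowElements("a", "p")
            .allowAttributes("href").onElements("a")
            .toFactory();

    /** Context object (constructed for this example) that collects everything the sanitizer dropped. */
    static final class Rejections {
        final List<String> items = new ArrayList<>();

        boolean isEmpty() {
            return items.isEmpty();
        }
    }

    // The sanitizer calls these whenever the policy forces it to discard something.
    static final HtmlChangeListener<Rejections> LISTENER = new HtmlChangeListener<Rejections>() {
        @Override
        public void discardedTag(Rejections ctx, String elementName) {
            ctx.items.add("element <" + elementName + ">");
        }

        @Override
        public void discardedAttributes(Rejections ctx, String tagName, String... attributeNames) {
            for (String attr : attributeNames) {
                ctx.items.add("attribute " + attr + " on <" + tagName + ">");
            }
        }
    };

    /**
     * True when the policy did not have to drop any element or attribute.
     * Pure normalization (lower-casing tags, quoting attributes) does not
     * trigger the listener, so this is stricter about real policy violations
     * and more tolerant of harmless formatting than a string comparison.
     */
    public static boolean isValid(String input, PolicyFactory policy) {
        Rejections rejections = new Rejections();
        policy.sanitize(input, LISTENER, rejections);
        return rejections.isEmpty();
    }

    /** Same check, but also hands back what was rejected so the caller can log or report it. */
    public static List<String> rejectedItems(String input, PolicyFactory policy) {
        Rejections rejections = new Rejections();
        policy.sanitize(input, LISTENER, rejections);
        return rejections.items;
    }

    public static void main(String[] args) {
        // Constructed sample inputs, not taken from the original question.
        String[] samples = {
            "<p>Hello <a href=\"/about\">about</a></p>",
            "<p>Hi <script>alert(1)</script></p>",
            "<a href=\"/x\" onclick=\"steal()\">link</a>",
            "<P>Upper-case tag and <a href=/y>unquoted attribute</a></P>"
        };
        for (String s : samples) {
            Rejections r = new Rejections();
            String out = POLICY.sanitize(s, LISTENER, r);
            System.out.println("input:    " + s);
            System.out.println("output:   " + out);
            System.out.println("valid:    " + r.isEmpty());
            if (!r.isEmpty()) {
                System.out.println("rejected: " + r.items);
            }
            System.out.println();
        }
    }
}
```

In a request handler you would call isValid (or rejectedItems, to log why the submission was refused) before deciding whether to reject the user, and keep the return value of sanitize if you also want to store the cleaned markup rather than sanitize twice. The first sample passes even though the sanitizer may re-serialize it, while the script element and the onclick attribute are reported by name through the listener.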