
isValid() method in owasp html sanitizer

I have a page in my application where the user can enter HTML input. Now, in order to avoid XSS attacks, I am using the OWASP HTML Sanitizer to sanitize the user input. If the user input is not valid according to the policy, I just want to throw the user out.

Is there a way to simply check whether the input HTML is valid against the policy without sanitizing?

Something like

public static boolean isValid(String input, Policy policy);

You can define the isValid method yourself, but I'm not sure you can do it without calling the sanitize method.

import org.owasp.html.HtmlPolicyBuilder;
import org.owasp.html.PolicyFactory;

// Define the policy factory: only <a> and <p> elements, and only the href attribute on <a>
PolicyFactory polFac = new HtmlPolicyBuilder()
    .allowElements("a", "p")
    .allowAttributes("href").onElements("a")
    .toFactory();

// The input is considered valid when sanitizing it changes nothing
boolean isValid(String input, PolicyFactory polFac) {
    return input.equals(polFac.sanitize(input));
}

You can obtain a more robust version of isValid using the second version of the sanitize method (in the PolicyFactory class) that reports the names of rejected elements and attributes.
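The following is an added example (not code from the question, the answer, or the OWASP project) of the listener-based variant the answer mentions. It uses the three-argument PolicyFactory.sanitize(html, HtmlChangeListener, context) overload, which invokes the listener for every element or attribute the policy discards, so validity is decided by "was anything rejected?" rather than by string equality with the normalized output. The policy extends the answer's one with allowStandardUrlProtocols() so that absolute http/https links are accepted; the class name, the Rejections helper and the sample inputs are constructed for this example.

```java
import org.owasp.html.HtmlChangeListener;
import org.owasp.html.HtmlPolicyBuilder;
import org.owasp.html.PolicyFactory;

import java.util.ArrayList;
import java.util.List;

/** Added example: validates HTML against a policy by recording what the sanitizer rejects. */
public final class HtmlPolicyValidator {

    // Same policy as in the answer above, plus standard URL protocols so that
    // absolute http/https hrefs are not rejected as unknown protocols.
    static final PolicyFactory POLICY = new HtmlPolicyBuilder()
            .allowElements("a", "p")
            .allowAttributes("href").onElements("a")
            .allowStandardUrlProtocols()
            .toFactory();

    /** Constructed helper: collects the rejections reported during one sanitize() call. */
    static final class Rejections {
        final List<String> messages = new ArrayList<>();
    }

    // The listener receives a callback for each discarded element and each
    // discarded attribute set; it only records, it does not alter the output.
    static final HtmlChangeListener<Rejections> LISTENER = new HtmlChangeListener<Rejections>() {
        @Override
        public void discardedTag(Rejections ctx, String elementName) {
            ctx.messages.add("element <" + elementName + "> not allowed");
        }

        @Override
        public void discardedAttributes(Rejections ctx, String tagName, String... attributeNames) {
            ctx.messages.add("attributes " + String.join(",", attributeNames)
                    + " not allowed on <" + tagName + ">");
        }
    };

    /** Returns every policy violation found in the input; an empty list means nothing was discarded. */
    public static List<String> violations(String input, PolicyFactory policy) {
        Rejections rejections = new Rejections();
        // The sanitized string is deliberately ignored: only the rejections matter here.
        policy.sanitize(input, LISTENER, rejections);
        return rejections.messages;
    }

    /** The isValid() the question asks for: true when the policy discarded nothing. */
    public static boolean isValid(String input, PolicyFactory policy) {
        return violations(input, policy).isEmpty();
    }

    public static void main(String[] args) {
        // Constructed sample inputs for this example.
        String accepted = "<p>Hello <a href=\"https://example.com/\">link</a></p>";
        String rejected = "<p onclick=\"alert(1)\">Hi</p><script>alert(1)</script>";

        System.out.println("accepted valid: " + isValid(accepted, POLICY));
        System.out.println("rejected valid: " + isValid(rejected, POLICY));
        System.out.println("rejected because: " + violations(rejected, POLICY));
    }
}
```

Because the sanitizer normalizes markup it accepts (closing tags, attribute quoting, entity encoding), comparing the input with the sanitized output can report a policy-conformant input as invalid; the listener reports only actual rejections, so it is the safer basis for deciding whether to refuse the submission, and the collected messages can be logged to explain why a request was turned away.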
