堆栈内存溢出
  简体   繁体   English

Java-Owasp Html Sanitizer显示URL的双重noopener noreferrer

[英]Java - Owasp Html Sanitizer shows double noopener noreferrer for url

 原文  2017-03-08 01:27:52       java/ owasp

问题描述

I have a url in String like following: 我在String中有一个网址,如下所示: 

"<a style=\"color: #800000; background-color: #ffcc00;\" title=\"Test12\" href=\"http://www.google.com\" target=\"_blank\" rel=\"noopener noreferrer\">www.google.com</a>"

After sanitized, my String become: 消毒后,我的String变成: 

"<a style="color: #800000; background-color: #ffcc00;" title="Test12" href="http://www.google.com" target="_blank" rel="noopener noreferrer noopener noreferrer">www.google.com</a>"

Please note that in the rel attribute it has double of noopener noreferrer noopener noreferrer 请注意,在rel属性中,它具有noopener noreferrer noopener noreferrer的两倍 

String [] allowElements = {"b", "i", "font", "s", "u", "o", "sup", "sub", "ins", "del", "strong", "strike", "tt",
        "code", "big", "small", "br", "span", "em", "li", "ul", "ol", "a", "p", "target"};

String [] allowAttributes = {"style", "href", "target", "rel", "title", "_blank"};

 PolicyFactory policy = new HtmlPolicyBuilder().allowUrlProtocols("http", "https")
            .allowElements(allowElements)
            .allowAttributes(allowAttributes)
            .onElements(allowElements)
            .toFactory();

    final String sanitized = policy.sanitize(value);

    System.err.println(sanitized);

Why is that? 这是为什么?

1 个解决方案

解决方案1
 0  2017-03-14 18:51:37

You can use new HtmlPolicyBuilder().skipRelsOnLinks("noopener", "noreferrer"), which opts out of some of the DEFAULT_RELS_ON_TARGETTED_LINKS from being added to links. 您可以使用新的HtmlPolicyBuilder()。skipRelsOnLinks(“ noopener”,“ noreferrer”),它会拒绝将某些DEFAULT_RELS_ON_TARGETTED_LINKS添加到链接中。

Note: DEFAULT_RELS_ON_TARGETTED_LINKS = ImmutableSet.of("noopener", "noreferrer"); 注意:DEFAULT_RELS_ON_TARGETTED_LINKS = ImmutableSet.of(“ noopener”,“ noreferrer”);

More details are here: https://github.com/OWASP/java-html-sanitizer/blob/master/src/main/java/org/owasp/html/HtmlPolicyBuilder.java 更多详细信息在这里: https : //github.com/OWASP/java-html-sanitizer/blob/master/src/main/java/org/owasp/html/HtmlPolicyBuilder.java

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 带有 owasp-java-html-sanitizer 的嵌入式 CSS - Embedded CSS with owasp-java-html-sanitizer OWASP java-html-sanitizer-未封闭标签的策略 - OWASP java-html-sanitizer - policy for unclosed tags 如何报告是否使用OWASP Java HTML Sanitizer清理了输入 - How to report if input is sanitized with OWASP Java HTML Sanitizer 使用owasp-java-html-sanitizer进行链接提取 - Link extraction using owasp-java-html-sanitizer 如何在jsp页面上使用owasp-java-html-sanitizer的策略 - how to use policy of owasp-java-html-sanitizer on a jsp page OWASP HTML Sanitizer清除评论 - OWASP HTML Sanitizer cleans comments XSS-OWASP HTML Sanitizer过滤器<form> - XSS - OWASP HTML Sanitizer Filters <form> 如何使用OWASP HTML Sanitizer允许特定字符? - How to allow specific characters with OWASP HTML Sanitizer? 使用OWASP Java HTML Sanitizer消毒html时如何允许嵌入的图像 - How to allow embedded images when sanitizing html with OWASP Java HTML Sanitizer OWASP html清洁剂 - 为什么它会覆盖一些实体? - OWASP html sanitizer - Why does it unescape some entities?
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM