[英]How to allow embedded images when sanitizing html with OWASP Java HTML Sanitizer
I would like to allow: 我想允许:
<img src="data:image/jpg;base64,..."/>
I see there's documentation on how to do this but I don't understand how to implement it. 我看到有有关如何执行此操作的文档,但我不知道如何实现。 I tried to add the pattern
我试图添加模式
.allowUrlProtocols("data")
.allowAttributes("src").matching(Pattern.compile("$data:image.*")).onElements("img")
But that didn't work. 但这没有用。 I understand the pattern must be a regex expression but I'm not sure I understand how it all links up.
我知道该模式必须是一个正则表达式,但是我不确定我是如何将它们联系起来的。 I get that it's trying to look for img tags and then looks at the src attribute.
我知道它正在尝试查找img标签,然后查看src属性。 My understanding is that it should then look for the string data:image and if finds that allows it through.
我的理解是,它随后应查找字符串data:image,如果找到则允许它通过。 But that's not happening...
但这没有发生...
The issue is that I had: 问题是我有:
private static final PolicyFactory POLICY_DEFINITION = new HtmlPolicyBuilder()
.allowUrlProtocols("data")
.allowAttributes("src").matching(ONSITE_OR_OFFSITE_URL).onElements("img")
.allowAttributes("src").matching(Pattern.compile("^.*data:image/.*$")).onElements("img")
.toFactory();
This caused an issue in that I assumed allowAttribute
would combine both. 这引起了一个问题,因为我认为
allowAttribute
将两者结合起来。 Instead what you have to do is OR the pattern matching (for whatever pattern you want to match) as in: 相反,您需要执行的是OR模式匹配(对于要匹配的任何模式),如下所示:
Pattern EMBEDDED_IMAGE = Pattern.compile("^.*data:image/.*$")
ONSITE_OR_OFFSITE_URL_OR_EMBEDDED_IMAGE = matchesEither(ONSITE_URL, OFFSITE_URL, EMBEDDED_IMAGE);
private static final PolicyFactory POLICY_DEFINITION = new HtmlPolicyBuilder()
.allowUrlProtocols("data")
.allowAttributes("src").matching(ONSITE_OR_OFFSITE_URL_OR_EMBEDDED_IMAGE).onElements("img")
.toFactory();
This code assumes you're using the EbayPolicyExample 此代码假定您正在使用EbayPolicyExample
If you got here (like I did) but you are using the HTMLSanitizer for C#, then the answer is: 如果您像我一样来到这里,但您正在使用HTMLSanitizer for C#,那么答案是:
var sanitizer = new HtmlSanitizer();
sanitizer.AllowedSchemes.Add("data");
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.