简体繁体 English

OWASP java-html-sanitizer-未封闭标签的策略

[英]OWASP java-html-sanitizer - policy for unclosed tags

原文 2019-05-14 09:26:37 1 1 java/ owasp

I am using the same example of EbayPolicyExample.java from the OWASP java-html-sanitizer, however, I have been facing some issues when the user writes something like: let's consider that x <n then we have ... So what happens is that every text after <n is removed. 我正在使用来自OWASP java-html-sanitizer的EbayPolicyExample.java的同一示例，但是，当用户编写类似内容时，我遇到了一些问题： let's consider that x <n then we have ...那么发生了什么呢？ <n之后的所有文本都将被删除。

How could I fix this issue and remains the string <n ? 如何解决此问题并保留字符串<n ？

I tried to change the Policy a little bit, but I wasn't successful and it is possible to guess what letter the user will enter after < . 我尝试了一点更改策略，但未成功，可以猜测用户在<之后输入的字母。

Note: the tag n is just an example, it should also work for any letter (eg <o, <i, <y )? 注意：标签n只是一个例子，它也可以用于任何字母（例如<o, <i, <y ）吗？

input : let's consider that x <n then we have ... 输入： let's consider that x <n then we have ...
actual output : let's consider that x 实际输出 ： let's consider that x
expect output : let's consider that x <n then we have ... 期望输出 ： let's consider that x <n then we have ...

The link for the code: https://raw.githubusercontent.com/OWASP/java-html-sanitizer/master/src/main/java/org/owasp/html/examples/EbayPolicyExample.java 代码的链接： https : //raw.githubusercontent.com/OWASP/java-html-sanitizer/master/src/main/java/org/owasp/html/examples/EbayPolicyExample.java

1 个解决方案

You are supposed to provide valid HTML in your input. 您应该在输入中提供有效的HTML。 < is a special character in HTML. <是HTML中的特殊字符。 It denotes the start of a tag. 它表示标签的开始。

You have to replace < with the corresponding HTML entity: < 您必须将<替换为相应的HTML实体： < in your input. 在您的输入中。

I the input is entered by the user, you have to pre-process it and make sure it actually is valid HTML. 如果输入是用户输入的，则必须对其进行预处理，并确保它实际上是有效的HTML。 This post might be useful: Recommended method for escaping HTML in Java 这篇文章可能会有用：在Java中转义HTML的推荐方法