[英]Is guarding <, >, and & enough to sanitize HTML in Swing components?
I have an arbitrary string.我有一个任意字符串。 I want to put
MyString
in a HTML document like我想将
MyString
放在 HTML 文档中,例如
<html><body>Text bla <b>MyString</b> bla bla</body></html>
I do not want to allow MyString to do any HTML formatting with tags, but I also don't want to escape EVERY character using &charcode;
我不想让 MyString 使用标签做任何 HTML 格式,但我也不想使用
&charcode;
转义每个字符。 (which is my fallback plan). (这是我的后备计划)。
Is it enough to replace <
, >
and &
with <
用
<
替换<
, >
和&
是否足够? , >
,
>
and &
和
&
(and newline with <br>
)? (和换行符
<br>
)? If not, what else?如果没有,还有什么?
Some more context: This is for putting user-provided strings in a formatted way in a JLabel, which also contains other text (so just styling the label is not enough).更多上下文:这是为了将用户提供的字符串以格式化方式放入 JLabel 中,该 JLabel 还包含其他文本(因此仅设置 label 的样式是不够的)。
As @user2864740 wrote in the comments:正如@user2864740 在评论中所写:
See Rule #1 from the OWASP cheat-sheet link, which lists 6 characters to escape: &, <, >, ", ', /. Whether or not such are required (in all contexts).
请参阅OWASP 备忘单链接中的规则 #1,其中列出了要转义的 6 个字符:&、<、>、"、'、/。无论是否需要(在所有情况下)。
Escaping these characters seemed to have been enough in my case. Escaping 这些字符在我的情况下似乎已经足够了。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.