保护 <、> 和 & 足以清理 Swing 组件中的 HTML 吗?
[英]Is guarding <, >, and & enough to sanitize HTML in Swing components?
问题描述
I have an arbitrary string.
我有一个任意字符串。 I want to put MyString in a HTML document like我想将MyString放在 HTML 文档中,例如
<html><body>Text bla <b>MyString</b> bla bla</body></html>
I do not want to allow MyString to do any HTML formatting with tags, but I also don't want to escape EVERY character using &charcode;我不想让 MyString 使用标签做任何 HTML 格式,但我也不想使用&charcode;转义每个字符。 (which is my fallback plan). (这是我的后备计划)。
Is it enough to replace < , > and & with <用<替换< , >和&是否足够? , > , > and &和& (and newline with <br> )? (和换行符<br> )? If not, what else?如果没有,还有什么?
Some more context: This is for putting user-provided strings in a formatted way in a JLabel, which also contains other text (so just styling the label is not enough).更多上下文:这是为了将用户提供的字符串以格式化方式放入 JLabel 中,该 JLabel 还包含其他文本(因此仅设置 label 的样式是不够的)。
1 个解决方案
解决方案1
0 已采纳 2020-11-17 02:25:15
As @user2864740 wrote in the comments:正如@user2864740 在评论中所写:
See Rule #1 from the OWASP cheat-sheet link, which lists 6 characters to escape: &, <, >, ", ', /. Whether or not such are required (in all contexts).
Escaping these characters seemed to have been enough in my case. Escaping 这些字符在我的情况下似乎已经足够了。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.