在h:inputTextarea中阻止HTML标记
[英]Block Html Tag in h:inputTextarea
问题描述
I need to block Html Tags of ah:inputTextarea. 
我需要阻止ah:inputTextarea的HTML标签。 The content of this textarea will be shown in an outputText with escape setted to false. 此textarea的内容将显示在outputText中,转义设置为false。 It's setted to false cause i'm allowing to show links <a href...>. 设置为false是因为我允许显示链接<a href...>.
When I click on save, it verifies the written words to check if is there a link, and if it is, we save on database with <a href...> 当我单击保存时,它会验证文字以检查是否存在链接,如果存在,我们将使用<a href...>将其保存在数据库中
If this that i'm doing above is the wrong way to do it, let me know, but don't forget to try to help me out blocking html tags. 如果我在上面所做的操作是错误的方法,请告诉我,但不要忘记尝试帮助我阻止html标签。 If I'm wrong on how to do it, i'll do it later, but I need to fix this like i said it now :( 如果我做错了,那我以后再说,但是我需要像现在说的那样解决这个问题:(
ty ty
1 个解决方案
解决方案1
0 2011-06-16 13:45:52
You should use some other markup language like markdown instead of HTML to prevent XSS. 您应该使用其他标记语言,例如markdown而不是HTML,以防止XSS。 If you allow the a-Tag, user could still write stuff like: 如果您允许使用a-Tag,用户仍然可以编写如下内容:
<a href="javascript:doSomethingEvil()">foo</a>
And if you go on and try to find and filter stuff like that too, take a look at these nice examples: http://ha.ckers.org/xss.html 如果您继续尝试查找和过滤类似的内容,请查看以下示例: http : //ha.ckers.org/xss.html
EDIT: If is really the only tag, you want to allow and you just want to have clickable links, why don't you try to recognize URLs in text instead of forcing the user to write HTML? 编辑:如果确实是唯一的标签,您要允许并且只想拥有可单击的链接,为什么不尝试识别文本中的URL而不是强迫用户编写HTML? Check out this SO question . 看看这个SO问题 。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.