Java - Owasp Html Sanitizer shows double noopener noreferrer for url
Question
I have a url in String like following:
"<a style=\"color: #800000; background-color: #ffcc00;\" title=\"Test12\" href=\"http://www.google.com\" target=\"_blank\" rel=\"noopener noreferrer\">www.google.com</a>"
After sanitized, my String become:
"<a style="color: #800000; background-color: #ffcc00;" title="Test12" href="http://www.google.com" target="_blank" rel="noopener noreferrer noopener noreferrer">www.google.com</a>"
Please note that in the rel attribute it has double of noopener noreferrer noopener noreferrer
String [] allowElements = {"b", "i", "font", "s", "u", "o", "sup", "sub", "ins", "del", "strong", "strike", "tt",
"code", "big", "small", "br", "span", "em", "li", "ul", "ol", "a", "p", "target"};
String [] allowAttributes = {"style", "href", "target", "rel", "title", "_blank"};
PolicyFactory policy = new HtmlPolicyBuilder().allowUrlProtocols("http", "https")
.allowElements(allowElements)
.allowAttributes(allowAttributes)
.onElements(allowElements)
.toFactory();
final String sanitized = policy.sanitize(value);
System.err.println(sanitized);
Why is that?
1 answers
solution1
0 2017-03-14 18:51:37
You can use new HtmlPolicyBuilder().skipRelsOnLinks("noopener", "noreferrer"), which opts out of some of the DEFAULT_RELS_ON_TARGETTED_LINKS from being added to links.
Note: DEFAULT_RELS_ON_TARGETTED_LINKS = ImmutableSet.of("noopener", "noreferrer");
More details are here: https://github.com/OWASP/java-html-sanitizer/blob/master/src/main/java/org/owasp/html/HtmlPolicyBuilder.java
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.