Java-Owasp Html Sanitizer顯示URL的雙重noopener noreferrer

Question

我在String中有一個網址，如下所示：

"<a style=\"color: #800000; background-color: #ffcc00;\" title=\"Test12\" href=\"http://www.google.com\" target=\"_blank\" rel=\"noopener noreferrer\">www.google.com</a>"

消毒后，我的String變成：

"<a style="color: #800000; background-color: #ffcc00;" title="Test12" href="http://www.google.com" target="_blank" rel="noopener noreferrer noopener noreferrer">www.google.com</a>"

請注意，在rel屬性中，它具有noopener noreferrer noopener noreferrer的兩倍

String [] allowElements = {"b", "i", "font", "s", "u", "o", "sup", "sub", "ins", "del", "strong", "strike", "tt",
        "code", "big", "small", "br", "span", "em", "li", "ul", "ol", "a", "p", "target"};

String [] allowAttributes = {"style", "href", "target", "rel", "title", "_blank"};

 PolicyFactory policy = new HtmlPolicyBuilder().allowUrlProtocols("http", "https")
            .allowElements(allowElements)
            .allowAttributes(allowAttributes)
            .onElements(allowElements)
            .toFactory();

    final String sanitized = policy.sanitize(value);

    System.err.println(sanitized);

這是為什么？

Answer 1

您可以使用新的HtmlPolicyBuilder（）。skipRelsOnLinks（“ noopener”，“ noreferrer”），它會拒絕將某些DEFAULT_RELS_ON_TARGETTED_LINKS添加到鏈接中。

注意：DEFAULT_RELS_ON_TARGETTED_LINKS = ImmutableSet.of（“ noopener”，“ noreferrer”）;

更多詳細信息在這里： https : //github.com/OWASP/java-html-sanitizer/blob/master/src/main/java/org/owasp/html/HtmlPolicyBuilder.java