用Jsoup对用户输入内容的HTML安全过滤_html/css_WEB-ITnose
在网站使用input或textarea提供给用户可输入内容的功能,比如发帖子,发文章,发评论等等。这时候需要后端程序对输入内容作安全过滤,比如<script>等可造成安全隐患的标签。</script>
java中有个开源包叫Jsoup,本身用来解析html,xml文档的,特点是可以使用类似jquery的选择权语法。
最近在解决内容安全过滤的时候,通过google发现Jsoup通过自定义Whitelist(安全标签白名单)提供了这样的功能,非常好用。
简单演示如下:
//HTML cleanString unsafe = "<table><tr><td>1</td></tr></table>" + "<img src='' alt='' />" + "<p><a href='http://example.com/' onclick='stealCookies()'>Link</a>" + "<object></object>" + "<script>alert(1);</script>" + "</p>";String safe = Jsoup.clean(unsafe, Whitelist.relaxed());System.out.println("safe: " + safe);官方API地址: http://jsoup.org/apidocs/org/jsoup/safety/Whitelist.html
发现来源:
http://www.oschina.net/question/12_10232 , 据此自己写了个自定义的帮助类:
package com.cssor.safety; import org.jsoup.Jsoup;import org.jsoup.helper.StringUtil;import org.jsoup.safety.Whitelist; public class ContentSafeFilter { private final static Whitelist user_content_filter = Whitelist.relaxed(); static { //增加可信标签到白名单 user_content_filter.addTags("embed","object","param","span","div"); //增加可信属性 user_content_filter.addAttributes(":all", "style", "class", "id", "name"); user_content_filter.addAttributes("object", "width", "height","classid","codebase"); user_content_filter.addAttributes("param", "name", "value"); user_content_filter.addAttributes("embed", "src","quality","width","height","allowFullScreen","allowScriptAccess","flashvars","name","type","pluginspage"); } /** * 对用户输入内容进行过滤 * @param html * @return */ public static String filter(String html) { if(StringUtil.isBlank(html)) return ""; return Jsoup.clean(html, user_content_filter); //return filterScriptAndStyle(html); } /** * 比较宽松的过滤,但是会过滤掉object,script, span,div等标签,适用于富文本编辑器内容或其他html内容 * @param html * @return */ public static String relaxed(String html) { return Jsoup.clean(html, Whitelist.relaxed()); } /** * 去掉所有标签,返回纯文字.适用于textarea,input * @param html * @return */ public static String pureText(String html) { return Jsoup.clean(html, Whitelist.none()); } /** * @param args */ public static void main(String[] args) { String unsafe = "<table><tr><td>1</td></tr></table>" + "<img src='' alt='' />" + "<p><a href='http://example.com/' onclick='stealCookies()'>Link</a>" + "<object></object>" + "<script>alert(1);</script>" + "</p>"; String safe = ContentSafeFilter.filter(unsafe); System.out.println("safe: " + safe); } }Jsoup不支持相对路径图片的过滤,比如
会被去掉src属性,想了个简单的方法避免:
/** * 自定义对用户输入内容进行过滤的标签 * @param html * @return */public static String filter(String html) { if(StringUtil.isBlank(html)) return ""; String baseUri = "http://baseuri"; return Jsoup.clean(html, baseUri, user_content_filter).replaceAll("src=\"http://baseuri", "src=\"");}http://cssor.com/jsoup-whitelist-clean-html-for-user-content.html
Hot AI Tools
Undresser.AI Undress
AI-powered app for creating realistic nude photos
AI Clothes Remover
Online AI tool for removing clothes from photos.
Undress AI Tool
Undress images for free
Clothoff.io
AI clothes remover
Video Face Swap
Swap faces in any video effortlessly with our completely free AI face swap tool!
Hot Article
Hot Tools
Notepad++7.3.1
Easy-to-use and free code editor
SublimeText3 Chinese version
Chinese version, very easy to use
Zend Studio 13.0.1
Powerful PHP integrated development environment
Dreamweaver CS6
Visual web development tools
SublimeText3 Mac version
God-level code editing software (SublimeText3)
Hot Topics
Is HTML easy to learn for beginners?
Apr 07, 2025 am 12:11 AM
HTML is suitable for beginners because it is simple and easy to learn and can quickly see results. 1) The learning curve of HTML is smooth and easy to get started. 2) Just master the basic tags to start creating web pages. 3) High flexibility and can be used in combination with CSS and JavaScript. 4) Rich learning resources and modern tools support the learning process.
The Roles of HTML, CSS, and JavaScript: Core Responsibilities
Apr 08, 2025 pm 07:05 PM
HTML defines the web structure, CSS is responsible for style and layout, and JavaScript gives dynamic interaction. The three perform their duties in web development and jointly build a colorful website.
Understanding HTML, CSS, and JavaScript: A Beginner's Guide
Apr 12, 2025 am 12:02 AM
WebdevelopmentreliesonHTML,CSS,andJavaScript:1)HTMLstructurescontent,2)CSSstylesit,and3)JavaScriptaddsinteractivity,formingthebasisofmodernwebexperiences.
What is an example of a starting tag in HTML?
Apr 06, 2025 am 12:04 AM
AnexampleofastartingtaginHTMLis,whichbeginsaparagraph.StartingtagsareessentialinHTMLastheyinitiateelements,definetheirtypes,andarecrucialforstructuringwebpagesandconstructingtheDOM.
Gitee Pages static website deployment failed: How to troubleshoot and resolve single file 404 errors?
Apr 04, 2025 pm 11:54 PM
GiteePages static website deployment failed: 404 error troubleshooting and resolution when using Gitee...
How to implement adaptive layout of Y-axis position in web annotation?
Apr 04, 2025 pm 11:30 PM
The Y-axis position adaptive algorithm for web annotation function This article will explore how to implement annotation functions similar to Word documents, especially how to deal with the interval between annotations...
HTML, CSS, and JavaScript: Essential Tools for Web Developers
Apr 09, 2025 am 12:12 AM
HTML, CSS and JavaScript are the three pillars of web development. 1. HTML defines the web page structure and uses tags such as, etc. 2. CSS controls the web page style, using selectors and attributes such as color, font-size, etc. 3. JavaScript realizes dynamic effects and interaction, through event monitoring and DOM operations.
How to use CSS3 and JavaScript to achieve the effect of scattering and enlarging the surrounding pictures after clicking?
Apr 05, 2025 am 06:15 AM
To achieve the effect of scattering and enlarging the surrounding images after clicking on the image, many web designs need to achieve an interactive effect: click on a certain image to make the surrounding...
