用Jsoup对用户输入内容的HTML安全过滤_html/css

Home

Web Front-end

HTML Tutorial

用Jsoup对用户输入内容的HTML安全过滤_html/css_WEB-ITnose

WBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWB

Jun 21, 2016 am 09:17 AM

在网站使用input或textarea提供给用户可输入内容的功能，比如发帖子，发文章，发评论等等。这时候需要后端程序对输入内容作安全过滤，比如<script>等可造成安全隐患的标签。</script>

java中有个开源包叫Jsoup，本身用来解析html，xml文档的，特点是可以使用类似jquery的选择权语法。

最近在解决内容安全过滤的时候，通过google发现Jsoup通过自定义Whitelist（安全标签白名单）提供了这样的功能，非常好用。

简单演示如下：

//HTML cleanString unsafe = "<table><tr><td>1</td></tr></table>" +		"<img src='' alt='' />" +		"<p><a href='http://example.com/' onclick='stealCookies()'>Link</a>" +		"<object></object>" +		"<script>alert(1);</script>" +		"</p>";String safe = Jsoup.clean(unsafe, Whitelist.relaxed());System.out.println("safe: " + safe);

官方API地址： http://jsoup.org/apidocs/org/jsoup/safety/Whitelist.html

发现来源：

http://www.oschina.net/question/12_10232 ，据此自己写了个自定义的帮助类：

package com.cssor.safety; import org.jsoup.Jsoup;import org.jsoup.helper.StringUtil;import org.jsoup.safety.Whitelist; public class ContentSafeFilter {	private final static Whitelist user_content_filter = Whitelist.relaxed();	static {		//增加可信标签到白名单		user_content_filter.addTags("embed","object","param","span","div");		//增加可信属性	user_content_filter.addAttributes(":all", "style", "class", "id", "name");		user_content_filter.addAttributes("object", "width", "height","classid","codebase");		user_content_filter.addAttributes("param", "name", "value");		user_content_filter.addAttributes("embed", "src","quality","width","height","allowFullScreen","allowScriptAccess","flashvars","name","type","pluginspage");	} 	/**	 * 对用户输入内容进行过滤	 * @param html	 * @return	 */	public static String filter(String html) {		if(StringUtil.isBlank(html)) return "";		return Jsoup.clean(html, user_content_filter);		//return filterScriptAndStyle(html);	} 	/**	 * 比较宽松的过滤，但是会过滤掉object，script， span,div等标签，适用于富文本编辑器内容或其他html内容	 * @param html	 * @return	 */	public static String relaxed(String html) {		return Jsoup.clean(html, Whitelist.relaxed());	} 	/**	 * 去掉所有标签，返回纯文字.适用于textarea，input	 * @param html	 * @return	 */	public static String pureText(String html) {		return Jsoup.clean(html, Whitelist.none());	} 	/**	 * @param args	 */	public static void main(String[] args) {		String unsafe = "<table><tr><td>1</td></tr></table>" +	"<img src='' alt='' />" +				"<p><a href='http://example.com/' onclick='stealCookies()'>Link</a>" +				"<object></object>" +				"<script>alert(1);</script>" +				"</p>";		String safe = ContentSafeFilter.filter(unsafe);		System.out.println("safe: " + safe);	} }

Jsoup不支持相对路径图片的过滤，比如会被去掉src属性，想了个简单的方法避免：

/** * 自定义对用户输入内容进行过滤的标签 * @param html * @return */public static String filter(String html) {    if(StringUtil.isBlank(html)) return "";    String baseUri = "http://baseuri";    return Jsoup.clean(html, baseUri, user_content_filter).replaceAll("src=\"http://baseuri", "src=\"");}

http://cssor.com/jsoup-whitelist-clean-html-for-user-content.html

Statement

The content of this article is voluntarily contributed by netizens, and the copyright belongs to the original author. This site does not assume corresponding legal responsibility. If you find any content suspected of plagiarism or infringement, please contact admin@php.cn

Difficulty in updating caching of official account web pages: How to avoid the old cache affecting the user experience after version update?Mar 04, 2025 pm 12:32 PM

The official account web page update cache, this thing is simple and simple, and it is complicated enough to drink a pot of it. You worked hard to update the official account article, but the user still opened the old version. Who can bear the taste? In this article, let’s take a look at the twists and turns behind this and how to solve this problem gracefully. After reading it, you can easily deal with various caching problems, allowing your users to always experience the freshest content. Let’s talk about the basics first. To put it bluntly, in order to improve access speed, the browser or server stores some static resources (such as pictures, CSS, JS) or page content. Next time you access it, you can directly retrieve it from the cache without having to download it again, and it is naturally fast. But this thing is also a double-edged sword. The new version is online,

How to efficiently add stroke effects to PNG images on web pages?Mar 04, 2025 pm 02:39 PM

This article demonstrates efficient PNG border addition to webpages using CSS. It argues that CSS offers superior performance compared to JavaScript or libraries, detailing how to adjust border width, style, and color for subtle or prominent effect

How do I use HTML5 form validation attributes to validate user input?Mar 17, 2025 pm 12:27 PM

The article discusses using HTML5 form validation attributes like required, pattern, min, max, and length limits to validate user input directly in the browser.

What is the purpose of the <datalist> element?Mar 21, 2025 pm 12:33 PM

The article discusses the HTML <datalist> element, which enhances forms by providing autocomplete suggestions, improving user experience and reducing errors.Character count: 159

What is the purpose of the <progress> element?Mar 21, 2025 pm 12:34 PM

The article discusses the HTML <progress> element, its purpose, styling, and differences from the <meter> element. The main focus is on using <progress> for task completion and <meter> for stati

What are the best practices for cross-browser compatibility in HTML5?Mar 17, 2025 pm 12:20 PM

Article discusses best practices for ensuring HTML5 cross-browser compatibility, focusing on feature detection, progressive enhancement, and testing methods.

What is the purpose of the <meter> element?Mar 21, 2025 pm 12:35 PM

The article discusses the HTML <meter> element, used for displaying scalar or fractional values within a range, and its common applications in web development. It differentiates <meter> from <progress> and ex

What is the purpose of the <iframe> tag? What are the security considerations when using it?Mar 20, 2025 pm 06:05 PM

The article discusses the <iframe> tag's purpose in embedding external content into webpages, its common uses, security risks, and alternatives like object tags and APIs.

See all articles