从HTML中删除将要显示的Javascript的最佳库/方法是什么?
What's the best library/approach for removing Javascript from HTML that will be displayed?
例如,取:
<html><body><span onmousemove='doBadXss()'>test</span></body></html>并离开:
<html><body><span>test</span></body></html>我看到 DeXSS 项目。但这是最好的方法吗?
I see the DeXSS project. But is that the best way to go?
推荐答案JSoup有一种基于白名单清理HTML的简单方法。 查看 jsoup/cookbook/cleaning-html/whitelist-消毒剂
JSoup has a simple method for sanitizing HTML based on a whitelist. Check jsoup/cookbook/cleaning-html/whitelist-sanitizer
它使用白名单,这比DeXSS使用的黑名单方法更安全。来自DeXSS页面:
It uses a whitelist, which is safer then the blacklist approach DeXSS uses. From the DeXSS page:
DeXSS尚未检测到许多已知的XSS攻击。
There are still a number of known XSS attacks that DeXSS does not yet detect.
黑名单只允许已知的不安全结构,而白名单只允许已知的安全结构。如此未知,可能不安全的结构只会受到白名单的保护。
A blacklist only disallows known unsafe constructions, while a whitelist only allows known safe constructions. So unknown, possibly unsafe constructions will only be protected against with a whitelist.
更多推荐
Java:从HTML中删除Javascript的最佳方法
发布评论