HTML过滤器改为将html转义

This commit is contained in:
RuoYi 2020-07-28 17:28:09 +08:00
parent fe030cc022
commit 22225a5119
2 changed files with 7 additions and 3 deletions

View File

@ -144,7 +144,10 @@ public class EscapeUtil
public static void main(String[] args) public static void main(String[] args)
{ {
String html = "alert('11111');"; String html = "<script>alert(1);</script>";
// String html = "<scr<script>ipt>alert(\"XSS\")</scr<script>ipt>";
// String html = "<123";
// String html = "123>";
System.out.println(EscapeUtil.clean(html)); System.out.println(EscapeUtil.clean(html));
System.out.println(EscapeUtil.escape(html)); System.out.println(EscapeUtil.escape(html));
System.out.println(EscapeUtil.unescape(html)); System.out.println(EscapeUtil.unescape(html));

View File

@ -131,7 +131,7 @@ public final class HTMLFilter
vAllowedEntities = new String[] { "amp", "gt", "lt", "quot" }; vAllowedEntities = new String[] { "amp", "gt", "lt", "quot" };
stripComment = true; stripComment = true;
encodeQuotes = true; encodeQuotes = true;
alwaysMakeTags = true; alwaysMakeTags = false;
} }
/** /**
@ -208,7 +208,7 @@ public final class HTMLFilter
s = processRemoveBlanks(s); s = processRemoveBlanks(s);
s = validateEntities(s); // s = validateEntities(s);
return s; return s;
} }
@ -245,6 +245,7 @@ public final class HTMLFilter
// try and form html // try and form html
// //
s = regexReplace(P_END_ARROW, "", s); s = regexReplace(P_END_ARROW, "", s);
// 不追加结束标签
s = regexReplace(P_BODY_TO_END, "<$1>", s); s = regexReplace(P_BODY_TO_END, "<$1>", s);
s = regexReplace(P_XML_CONTENT, "$1<$2", s); s = regexReplace(P_XML_CONTENT, "$1<$2", s);