HTML过滤器改为将html转义

This commit is contained in:
RuoYi 2020-07-28 17:28:09 +08:00
parent fe030cc022
commit 22225a5119
2 changed files with 7 additions and 3 deletions

View File

@ -144,7 +144,10 @@ public class EscapeUtil
public static void main(String[] args)
{
String html = "alert('11111');";
String html = "<script>alert(1);</script>";
// String html = "<scr<script>ipt>alert(\"XSS\")</scr<script>ipt>";
// String html = "<123";
// String html = "123>";
System.out.println(EscapeUtil.clean(html));
System.out.println(EscapeUtil.escape(html));
System.out.println(EscapeUtil.unescape(html));

View File

@ -131,7 +131,7 @@ public final class HTMLFilter
vAllowedEntities = new String[] { "amp", "gt", "lt", "quot" };
stripComment = true;
encodeQuotes = true;
alwaysMakeTags = true;
alwaysMakeTags = false;
}
/**
@ -208,7 +208,7 @@ public final class HTMLFilter
s = processRemoveBlanks(s);
s = validateEntities(s);
// s = validateEntities(s);
return s;
}
@ -245,6 +245,7 @@ public final class HTMLFilter
// try and form html
//
s = regexReplace(P_END_ARROW, "", s);
// 不追加结束标签
s = regexReplace(P_BODY_TO_END, "<$1>", s);
s = regexReplace(P_XML_CONTENT, "$1<$2", s);