HTML过滤器改为将html转义
parent
fe030cc022
commit
22225a5119
@ -144,7 +144,10 @@ public class EscapeUtil
|
|||
|
||||
public static void main(String[] args)
|
||||
{
|
||||
String html = "alert('11111');";
|
||||
String html = "<script>alert(1);</script>";
|
||||
// String html = "<scr<script>ipt>alert(\"XSS\")</scr<script>ipt>";
|
||||
// String html = "<123";
|
||||
// String html = "123>";
|
||||
System.out.println(EscapeUtil.clean(html));
|
||||
System.out.println(EscapeUtil.escape(html));
|
||||
System.out.println(EscapeUtil.unescape(html));
|
||||
|
|
|
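Review bot: The probe inputs left commented out near the top of main (`<scr<script>ipt>alert("XSS")</scr<script>ipt>`, `<123`, `123>`) are exactly the cases whose handling this commit changes, yet the method only prints the results and asserts nothing, so a regression in clean() would go unnoticed. Turning them into assertions, or better a unit test, would pin the intended behaviour, e.g. `assert !EscapeUtil.clean("<scr<script>ipt>alert(\"XSS\")</scr<script>ipt>").contains("<script>");` and `assert EscapeUtil.clean("<123").equals("&lt;123");`, with the exact expected strings confirmed against HTMLFilter's actual output rather than assumed. Printing unescape() of a raw `<script>` string is fine for a demo but proves nothing about the filter. main's closing brace appears to lie outside the hunk.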
@ -131,7 +131,7 @@ public final class HTMLFilter
|
|||
vAllowedEntities = new String[] { "amp", "gt", "lt", "quot" };
|
||||
stripComment = true;
|
||||
encodeQuotes = true;
|
||||
alwaysMakeTags = true;
|
||||
alwaysMakeTags = false;
|
||||
}
|
||||
|
||||
/**
|
||||
|
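Review bot: The flip to `alwaysMakeTags = false` on the last changed line carries no comment, so a reader of the constructor cannot tell which of the filter's two bracket-handling paths this now selects or why the commit chose it. A one-line note would make the intent visible in the code, e.g. `// false: escape stray '<' / '>' instead of completing them into tags (see balanceHTML)` — the branch description is inferred from the HTMLFilter this class appears to derive from and should be checked against the local copy. Note also that the constructor still sets `encodeQuotes = true`; if, as in the upstream filter, quote encoding is applied from within validateEntities(), that flag becomes ineffective once the validateEntities() call is disabled elsewhere in this commit, and the constructor would then be promising something the filter no longer does. The constructor's opening lines are outside the hunk.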
@ -208,7 +208,7 @@ public final class HTMLFilter
|
|||
|
||||
s = processRemoveBlanks(s);
|
||||
|
||||
s = validateEntities(s);
|
||||
// s = validateEntities(s);
|
||||
|
||||
return s;
|
||||
}
|
||||
|
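Review bot: Commenting out `s = validateEntities(s);` in filter() removes the step that checks entities against the vAllowedEntities list and escapes everything else, so after this change a stray `&` or an unlisted entity in the input appears to be returned unchanged; that is a weaker output guarantee than before and is not mentioned in the commit message, which only describes escaping HTML. If dropping entity validation is intentional, delete the call instead of leaving dead code and state the new contract where the call was, e.g. `// Entities are no longer validated here; callers must HTML-escape before rendering.` If it is not intentional, restore the call, since escaping tags while passing entities through untouched still leaves encoded payloads for any consumer that decodes them. What validateEntities() does is inferred from the upstream HTMLFilter and should be confirmed against this file; the start of filter() lies outside the hunk.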
@ -245,6 +245,7 @@ public final class HTMLFilter
|
|||
// try and form html
|
||||
//
|
||||
s = regexReplace(P_END_ARROW, "", s);
|
||||
// 不追加结束标签
|
||||
s = regexReplace(P_BODY_TO_END, "<$1>", s);
|
||||
s = regexReplace(P_XML_CONTENT, "$1<$2", s);
|
||||
|
||||
|
|
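Review bot: The added comment `// 不追加结束标签` ("do not append end tags") sits directly above `s = regexReplace(P_BODY_TO_END, "<$1>", s);`, which still runs and whose replacement `<$1>` does complete the capture into a tag, so the comment contradicts the line it annotates unless that line was also disabled in a change not visible in this hunk. Either remove the comment or make it describe what the code actually does, in English like the surrounding `// try and form html`, e.g. `// alwaysMakeTags path: try to complete dangling '<tag' fragments into well-formed tags`. If this block is inside the alwaysMakeTags branch, as that comment suggests, it is presumably no longer taken by default now that the constructor sets the flag to false, which is worth saying here too. The enclosing method begins and ends outside the hunk.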