爪哇 - OWASP的Html消毒剂显示URL

问题描述:

双noopener noreferrer我在字符串的URL类似以下内容:爪哇 - OWASP的Html消毒剂显示URL

"<a style=\"color: #800000; background-color: #ffcc00;\" title=\"Test12\" href=\"http://www.google.com\" target=\"_blank\" rel=\"noopener noreferrer\">www.google.com</a>" 

消毒后,我的字符串变成:

"<a style="color: #800000; background-color: #ffcc00;" title="Test12" href="http://www.google.com" target="_blank" rel="noopener noreferrer noopener noreferrer">www.google.com</a>" 

请注意,在相对属性它具有双重noopener noreferrer noopener的noreferrer

String [] allowElements = {"b", "i", "font", "s", "u", "o", "sup", "sub", "ins", "del", "strong", "strike", "tt", 
     "code", "big", "small", "br", "span", "em", "li", "ul", "ol", "a", "p", "target"}; 

String [] allowAttributes = {"style", "href", "target", "rel", "title", "_blank"}; 

PolicyFactory policy = new HtmlPolicyBuilder().allowUrlProtocols("http", "https") 
      .allowElements(allowElements) 
      .allowAttributes(allowAttributes) 
      .onElements(allowElements) 
      .toFactory(); 

    final String sanitized = policy.sanitize(value); 

    System.err.println(sanitized); 

这是为什么?

您可以使用新的HtmlPolicyBuilder()。skipRelsOnLinks(“noopener”,“noreferrer”),它可以从一些DEFAULT_RELS_ON_TARGETTED_LINKS中选择添加到链接中。

注意:DEFAULT_RELS_ON_TARGETTED_LINKS = ImmutableSet.of(“noopener”,“noreferrer”);

更多细节在这里: https://github.com/OWASP/java-html-sanitizer/blob/master/src/main/java/org/owasp/html/HtmlPolicyBuilder.java