爪哇 - OWASP的Html消毒剂显示URL
问题描述:
双noopener noreferrer我在字符串的URL类似以下内容:爪哇 - OWASP的Html消毒剂显示URL
"<a style=\"color: #800000; background-color: #ffcc00;\" title=\"Test12\" href=\"http://www.google.com\" target=\"_blank\" rel=\"noopener noreferrer\">www.google.com</a>"
消毒后,我的字符串变成:
"<a style="color: #800000; background-color: #ffcc00;" title="Test12" href="http://www.google.com" target="_blank" rel="noopener noreferrer noopener noreferrer">www.google.com</a>"
请注意,在相对属性它具有双重noopener noreferrer noopener的noreferrer
String [] allowElements = {"b", "i", "font", "s", "u", "o", "sup", "sub", "ins", "del", "strong", "strike", "tt",
"code", "big", "small", "br", "span", "em", "li", "ul", "ol", "a", "p", "target"};
String [] allowAttributes = {"style", "href", "target", "rel", "title", "_blank"};
PolicyFactory policy = new HtmlPolicyBuilder().allowUrlProtocols("http", "https")
.allowElements(allowElements)
.allowAttributes(allowAttributes)
.onElements(allowElements)
.toFactory();
final String sanitized = policy.sanitize(value);
System.err.println(sanitized);
这是为什么?
答
您可以使用新的HtmlPolicyBuilder()。skipRelsOnLinks(“noopener”,“noreferrer”),它可以从一些DEFAULT_RELS_ON_TARGETTED_LINKS中选择添加到链接中。
注意:DEFAULT_RELS_ON_TARGETTED_LINKS = ImmutableSet.of(“noopener”,“noreferrer”);