Server side HTML sanitizer/cleanup for JSF


Problem description


Is there any HTML sanitizer or cleanup methods available in any JSF utilities kit or libraries like PrimeFaces/OmniFaces?


I need to sanitize HTML input by user via p:editor and display safe HTML output using escape="true", following the stackexchange style. Before displaying the HTML I'm thinking of storing the sanitized input data in the database, so that it is ready for safe use with escape="true" and XSS is not a danger.

Recommended answer


In order to achieve that, you basically need a standalone HTML parser. HTML parsing is rather complex and the task and responsibility of that is beyond the scope of JSF, PrimeFaces and OmniFaces. You're supposed to just grab one of the many existing HTML parsing libraries.


An example is Jsoup, it has even a separate method for the particular purpose of sanitizing HTML against a Whitelist: Jsoup#clean(). For example, if you want to allow some basic HTML without images, use Whitelist.basic():

String sanitizedHtml = Jsoup.clean(rawHtml, Whitelist.basic());


A completely different alternative is to use a specific text formatting syntax, such as Markdown (which is also used here). Basically all of those parsers also sanitize HTML under the covers. An example is Pegdown. Perhaps this is what you actually meant when you said "stackexchange style".


As to saving in DB, you'd better save both the raw and parsed forms in 2 separate text columns. The raw form should be redisplayed during editing. The parsed form should be updated in background when the raw form has been edited. During display, obviously only show the parsed form with escape="false".
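The following is an added example, not code from the answer above or from the Jsoup project: it wires Jsoup.clean() with Whitelist.basic() into a holder that keeps both the raw and the sanitized form, re-deriving the sanitized column whenever the raw one changes. It assumes jsoup is on the classpath; the class name PostContent and the sample input are constructed for illustration, and in jsoup 1.14.1 and later Whitelist has been renamed Safelist.

```java
import org.jsoup.Jsoup;
import org.jsoup.safety.Whitelist;

/**
 * Holds a user's post in the two forms the answer recommends storing:
 * the raw editor HTML (redisplayed in p:editor) and the sanitized HTML
 * (rendered with escape="false"). Hypothetical class, not from the page.
 */
public class PostContent {
    private String rawHtml;       // what the user typed, stored verbatim
    private String sanitizedHtml; // output of the sanitizer, safe to render

    public void setRawHtml(String rawHtml) {
        this.rawHtml = rawHtml;
        // Re-derive the parsed form every time the raw form is edited, so the
        // rendered column can never drift from the sanitizer's output.
        // Whitelist.basic(): simple text formatting tags, <a href> only with
        // http/https/ftp/mailto, rel="nofollow" enforced on links, no images.
        this.sanitizedHtml = Jsoup.clean(rawHtml, Whitelist.basic());
    }

    public String getRawHtml() {
        return rawHtml;
    }

    public String getSanitizedHtml() {
        return sanitizedHtml;
    }

    public static void main(String[] args) {
        PostContent post = new PostContent();
        // Constructed sample input: formatting that basic() allows, plus a
        // script element and an event-handler attribute that it does not.
        post.setRawHtml("<p>Hello <b>world</b> "
                + "<a href=\"http://example.com\" onclick=\"alert(1)\">link</a>"
                + "<script>alert(1)</script></p>");
        // The script element and the onclick attribute are dropped; the
        // paragraph, bold text and link (with rel="nofollow") are kept.
        System.out.println("raw:       " + post.getRawHtml());
        System.out.println("sanitized: " + post.getSanitizedHtml());
    }
}
```

In a JSF bean, setRawHtml would be bound to the p:editor value and both fields persisted to their own text columns, with only getSanitizedHtml ever reaching an escape="false" output component.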
