如何不通过owasp antisamy将特殊字符转换为html实体 [英] How to not transform special characters to html entities with owasp antisamy
问题描述
我将Owasp Anti samy与Ebay策略文件一起使用,以防止对我的网站进行XSS攻击.
I use Owasp Anti samy with Ebay policy file to prevent XSS attacks on my website.
我还使用Hibernate搜索为我的对象建立索引.
I also use Hibernate search to index my objects.
当我使用此代码时:
String html = "special word: été";
// use the Ebay configuration file
Policy policy = Policy.getInstance(xssPolicyFile.getInputStream());
AntiSamy as = new AntiSamy();
CleanResults cr = as.scan(html, policy);
// result is now : "special word: été"
result = cr.getCleanHTML();
如您所见,所有字符é"都已转换为等效于html实体"é
"
As you can see all chars "é" has been transformed to their html entity equivalent "é
"
我的页面位于UTF-8上,因此不需要这种转换.此外,当我使用Hibernate Search为该文本编制索引时,它会使用html实体为该词编制索引,因此我在索引上找不到词été".
My page is on UTF-8, so I don't need this transformation. Moreover, when I index this text with Hibernate Search, it indexes the word with html entities, so I can't find word "été" on my index.
如何强制antisamy不能将特殊字符转换为与它们对应的html实体?
How can I force antisamy to not transform special chars to their html entity equivalent ?
谢谢
PS:已打开一个问题: http://code .google.com/p/owaspantisamy/issues/detail?id = 99
PS: an issue has been opened : http://code.google.com/p/owaspantisamy/issues/detail?id=99
推荐答案
就像穆罕默德(Mohamad)在评论中说的那样,Antisamy刚刚发布了一个新的指令,名为:entityEncodeIntlChars
Like Mohamad said it in a comment, Antisamy has just released a new directive named : entityEncodeIntlChars
详细信息如下: http://code.google.com /p/owaspantisamy/source/detail?r = 240
似乎该指令可以解决问题.
It seems that this directive solves the problem.
这篇关于如何不通过owasp antisamy将特殊字符转换为html实体的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!