如何不通过owasp antisamy将特殊字符转换为html实体 [英] How to not transform special characters to html entities with owasp antisamy

问题描述

我将Owasp Anti samy与Ebay策略文件一起使用，以防止对我的网站进行XSS攻击.

I use Owasp Anti samy with Ebay policy file to prevent XSS attacks on my website.

我还使用Hibernate搜索为我的对象建立索引.

I also use Hibernate search to index my objects.

当我使用此代码时:

String html = "special word: été";    

// use the Ebay configuration file    
Policy policy = Policy.getInstance(xssPolicyFile.getInputStream());

AntiSamy as = new AntiSamy();
CleanResults cr = as.scan(html, policy);

// result is now : "special word: été"
result = cr.getCleanHTML();

如您所见，所有字符é"都已转换为等效于html实体"é"

As you can see all chars "é" has been transformed to their html entity equivalent "é"

我的页面位于UTF-8上，因此不需要这种转换.此外，当我使用Hibernate Search为该文本编制索引时，它会使用html实体为该词编制索引，因此我在索引上找不到词été".

My page is on UTF-8, so I don't need this transformation. Moreover, when I index this text with Hibernate Search, it indexes the word with html entities, so I can't find word "été" on my index.

如何强制antisamy不能将特殊字符转换为与它们对应的html实体?

How can I force antisamy to not transform special chars to their html entity equivalent ?

谢谢

PS:已打开一个问题: http://code .google.com/p/owaspantisamy/issues/detail?id = 99

PS: an issue has been opened : http://code.google.com/p/owaspantisamy/issues/detail?id=99

推荐答案

就像穆罕默德(Mohamad)在评论中说的那样，Antisamy刚刚发布了一个新的指令，名为:entityEncodeIntlChars

Like Mohamad said it in a comment, Antisamy has just released a new directive named : entityEncodeIntlChars

详细信息如下: http://code.google.com /p/owaspantisamy/source/detail?r = 240

似乎该指令可以解决问题.

It seems that this directive solves the problem.

这篇关于如何不通过owasp antisamy将特殊字符转换为html实体的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！