Which html sanitization library to use?


Problem description

I am working on a feature where users can enter valid HTML markup and CSS and I render the user's web page. The problem is I am using the OWASP AntiSamy Java libraries and it's stripping out most of the modern HTML5 tags and CSS3 attributes. I looked at the policy file and it was quite outdated. I have been looking at other sanitization libraries like HTML Sanitizer and Google Caja, but I don't feel it's doing anything extra. You still have to update your policy files as you find issues of stripping valid tags and styles.

I have been searching for a proper solution. Any recommendations on which library to use? Is there any advantage in switching to HTML Sanitizer or Google Caja? Not sure if anyone has updated the AntiSamy policy files and open sourced them so that they support new tags and style attributes.

瓦伦

Recommended answer

As for jsoup, I

You only need a small piece of code:

String safe = Jsoup.clean(unsafe, Whitelist.basic());

You can add tags and attributes to the Whitelist object fairly easily, though I found it doesn't support namespaced tags.

The jsoup jar itself is small (200+KB) and unlike the OWASP Java HTML Sanitizer, it doesn't depend on the Guava library, which is 1.6MB.
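
Extending the Whitelist as the answer describes, shown as an added example that is not part of the original answer. The chosen tags, attributes, class name and sample input are assumptions for illustration; newer jsoup releases name this class Safelist, with the same methods.

```java
import org.jsoup.Jsoup;
import org.jsoup.safety.Whitelist; // named Safelist in newer jsoup releases

public class SanitizeExample {

    // Start from the conservative basic() list and opt in to the HTML5
    // structural tags the page needs (this tag list is an assumption).
    // "style" is deliberately NOT allowed: jsoup filters on tag names,
    // attribute names and URL protocols only. It does not parse CSS, so an
    // allowed style attribute would pass its value through unchecked.
    static Whitelist html5Policy() {
        return Whitelist.basic()
                .addTags("section", "article", "header", "footer",
                         "figure", "figcaption", "img")
                .addAttributes("img", "src", "alt", "width", "height")
                // Restrict img src to https; other schemes drop the attribute.
                .addProtocols("img", "src", "https");
    }

    static String sanitize(String untrusted) {
        // Anything not explicitly allowed by the policy is removed.
        return Jsoup.clean(untrusted, html5Policy());
    }

    public static void main(String[] args) {
        // Constructed sample input mixing allowed and disallowed markup.
        String unsafe =
              "<section onclick=\"alert(1)\">"                       // event handler attribute
            + "<p style=\"position:fixed\">Hello</p>"               // style not allowed
            + "<a href=\"javascript:alert(1)\">link</a>"            // scheme not allowed for href
            + "<img src=\"https://example.com/a.png\" alt=\"ok\">"  // allowed
            + "<script>alert(1)</script>"                           // tag not allowed
            + "</section>";

        String safe = sanitize(unsafe);
        System.out.println(safe);

        // Sanity checks on the cleaned markup.
        if (safe.contains("<script") || safe.contains("onclick")
                || safe.contains("javascript:") || safe.contains("style=")) {
            throw new IllegalStateException("policy let disallowed markup through");
        }
        if (!safe.contains("<section>") || !safe.contains("<img")) {
            throw new IllegalStateException("policy stripped allowed markup");
        }
    }
}
```

If user-supplied CSS has to be accepted, it needs a separate CSS-aware filter; the tag and attribute list above does not cover it.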
