Server side HTML sanitizer/cleanup for JSF

Views: 27

Problem description


Is there any HTML sanitizer or cleanup methods available in any JSF utilities kit or libraries like PrimeFaces/OmniFaces?


I need to sanitize HTML input by user via p:editor and display safe HTML output using escape="true", following the stackexchange style. Before displaying the HTML I'm thinking of storing the sanitized input data in the database, so that it is ready for safe use with escape="true" and XSS is not a danger.

Recommended answer


In order to achieve that, you basically need a standalone HTML parser. HTML parsing is rather complex and the task and responsibility of that is beyond the scope of JSF, PrimeFaces and OmniFaces. You're supposed to just grab one of the many existing HTML parsing libraries.


An example is Jsoup, it even has a separate method for the particular purpose of sanitizing HTML against a Safelist: Jsoup#clean(). For example, if you want to allow some basic HTML without images, use Safelist.basic():

String sanitizedHtml = Jsoup.clean(rawHtml, Safelist.basic());


A completely different alternative is to use a specific text formatting syntax, such as Markdown (which is also used here). Basically all of those parsers also sanitize HTML under the covers. An example is CommonMark. Perhaps this is what you actually meant when you said "stackexchange style".


As to saving in DB, you'd better save both the raw and parsed forms in 2 separate text columns. The raw form should be redisplayed during editing. The parsed form should be updated in background when the raw form has been edited. During display, obviously only show the parsed form with escape="false".
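The two points of the answer, cleaning with Jsoup.clean() against Safelist.basic() and keeping the raw and parsed forms side by side, put together as one worked example. This is added code, not part of the answer or of Jsoup; it assumes Jsoup 1.14.1 or later (the Safelist class) on the classpath, and the class name, field names and the sample input are constructed for illustration.

```java
import org.jsoup.Jsoup;
import org.jsoup.safety.Safelist;

/**
 * Two-column storage pattern from the answer: keep the raw editor input
 * (redisplayed when editing) and the sanitized form (rendered with
 * escape="false") side by side, and refresh the sanitized column whenever
 * the raw column changes. Class and field names are illustrative.
 */
public class SanitizedPost {

    // Safelist.basic(): simple text formatting and links, no images.
    private static final Safelist POLICY = Safelist.basic();

    private String rawHtml;        // column 1: what the user typed into p:editor
    private String sanitizedHtml;  // column 2: what gets rendered

    /** Called from the editor's setter or an update action: keeps both columns in sync. */
    public void setRawHtml(String rawHtml) {
        this.rawHtml = rawHtml;
        // Jsoup.clean parses the fragment as body HTML, drops every element and
        // attribute not on the safelist, and re-serializes the tree, so malformed
        // or unclosed markup cannot survive into the output.
        this.sanitizedHtml = rawHtml == null ? null : Jsoup.clean(rawHtml, POLICY);
    }

    public String getRawHtml() { return rawHtml; }

    public String getSanitizedHtml() { return sanitizedHtml; }

    /** Cheap check for a validation message: does the input already conform to the policy? */
    public boolean isAlreadyClean() {
        return rawHtml != null && Jsoup.isValid(rawHtml, POLICY);
    }

    public static void main(String[] args) {
        // Constructed sample input: one harmless paragraph plus the usual XSS suspects.
        String input = "<p>Hello <b>world</b></p>"
            + "<script>alert(1)</script>"
            + "<img src=\"https://example.invalid/x.png\">"
            + "<a href=\"javascript:alert(1)\">bad link</a>"
            + "<a href=\"https://example.invalid/\" onclick=\"alert(1)\">good link</a>";

        SanitizedPost post = new SanitizedPost();
        post.setRawHtml(input);

        System.out.println("valid as-is: " + post.isAlreadyClean());
        System.out.println(post.getSanitizedHtml());
        // Effect of Safelist.basic() on the sample:
        //  - <script> and its body are removed,
        //  - <img> is removed (basic() allows no images),
        //  - the javascript: href is dropped (only http, https, ftp and mailto are allowed),
        //  - onclick is dropped, and rel="nofollow" is enforced on every <a>.
    }
}
```

In a JSF bean the editor's value would be bound to rawHtml, so that setRawHtml() is what updates the parsed column "in background" as the answer describes; the view that displays the post then renders sanitizedHtml with escape="false", and the edit form renders rawHtml.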

