How to allow embedded images when sanitizing HTML with OWASP Java HTML Sanitizer


Problem description

I want to allow:

<img src="data:image/jpg;base64,..."/>

I see there's documentation on how to do this, but I don't understand how to implement it. I tried to add the pattern

.allowUrlProtocols("data")
.allowAttributes("src").matching(Pattern.compile("$data:image.*")).onElements("img")

But that didn't work. I understand the pattern must be a regular expression, but I'm not sure I understand how it all links up. I get that it's trying to look for img tags and then looks at the src attribute. My understanding is that it should then look for the string data:image and, if it finds that, allow it through. But that's not happening...

Recommended answer

The problem was that I had:

private static final PolicyFactory POLICY_DEFINITION = new HtmlPolicyBuilder()
    .allowUrlProtocols("data")
    .allowAttributes("src").matching(ONSITE_OR_OFFSITE_URL).onElements("img")
    .allowAttributes("src").matching(Pattern.compile("^.*data:image/.*$")).onElements("img")
    .toFactory();

This caused an issue in that I assumed allowAttributes would combine both. Instead, what you have to do is OR the pattern matching (for whatever patterns you want to match), as in:

// Pattern for an inline data: image URL.
Pattern EMBEDDED_IMAGE = Pattern.compile("^.*data:image/.*$");
// Combine the existing URL patterns with the new one in a single predicate.
// Note: EbayPolicyExample's matchesEither helper accepts two Patterns, so this
// three-argument call assumes that helper was extended to take a third one.
Predicate<String> ONSITE_OR_OFFSITE_URL_OR_EMBEDDED_IMAGE = matchesEither(ONSITE_URL, OFFSITE_URL, EMBEDDED_IMAGE);

private static final PolicyFactory POLICY_DEFINITION = new HtmlPolicyBuilder()
    .allowUrlProtocols("data")
    // One src rule for img, whose predicate ORs all three patterns.
    .allowAttributes("src").matching(ONSITE_OR_OFFSITE_URL_OR_EMBEDDED_IMAGE).onElements("img")
    .toFactory();

This code assumes you're using the EbayPolicyExample.
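A complete, compilable policy that applies the answer's approach, added here as an example and not code from the question, the answer or the sanitizer project. It assumes a java-html-sanitizer release whose matching() accepts a java.util.function.Predicate, uses constructed stand-ins for EbayPolicyExample's ONSITE_URL and OFFSITE_URL, and tightens the embedded-image pattern so that only an anchored base64 raster image passes, rather than any value that merely contains data:image/ somewhere.

```java
import java.util.function.Predicate;
import java.util.regex.Pattern;

import org.owasp.html.HtmlPolicyBuilder;
import org.owasp.html.PolicyFactory;

public final class EmbeddedImagePolicy {

    // Constructed stand-ins for EbayPolicyExample's ONSITE_URL / OFFSITE_URL;
    // substitute the real constants when copying this into that class.
    private static final Pattern ONSITE_URL = Pattern.compile("^/[^:]*$");
    private static final Pattern OFFSITE_URL = Pattern.compile("^https?://\\S+$");

    // Tighter than "^.*data:image/.*$": anchored at the start, limited to raster
    // image types and base64 payloads, so a data: URL of another media type with
    // "data:image/" embedded later in its body cannot satisfy the rule.
    private static final Pattern EMBEDDED_IMAGE = Pattern.compile(
        "^data:image/(?:png|jpeg|jpg|gif|webp);base64,[A-Za-z0-9+/]+={0,2}$");

    // Use matches() (whole-string) rather than Pattern.asPredicate(), which uses find().
    private static Predicate<String> fullMatch(Pattern p) {
        return s -> p.matcher(s).matches();
    }

    // OR the predicates instead of stacking allowAttributes("src") calls.
    private static final Predicate<String> ONSITE_OR_OFFSITE_URL_OR_EMBEDDED_IMAGE =
        fullMatch(ONSITE_URL).or(fullMatch(OFFSITE_URL)).or(fullMatch(EMBEDDED_IMAGE));

    public static final PolicyFactory POLICY_DEFINITION = new HtmlPolicyBuilder()
        .allowElements("img")
        // "data" must be in the protocol allow-list or the src is dropped before
        // the predicate is even consulted.
        .allowUrlProtocols("http", "https", "data")
        .allowAttributes("src").matching(ONSITE_OR_OFFSITE_URL_OR_EMBEDDED_IMAGE).onElements("img")
        .toFactory();

    public static String sanitize(String html) {
        return POLICY_DEFINITION.sanitize(html);
    }

    public static void main(String[] args) {
        // Constructed inputs: the first keeps its src; the other two have src removed.
        System.out.println(sanitize("<img src=\"data:image/png;base64,iVBORw0KGgo=\"/>"));
        System.out.println(sanitize("<img src=\"data:text/plain,hello data:image/\"/>"));
        System.out.println(sanitize("<img src=\"javascript:void(0)\"/>"));
    }
}
```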
