JSF OutputText with html style

Problem description

I need an output text which works like h:outputText with the escape="false" attribute, but doesn't let scripts run. After a little search I found tr:outputFormatted does that, but in our project we don't use Trinidad. Is there something like outputFormatted in Tomahawk, or in another taglib?

For example,

<h:outputText id="id" value="&lt;b&gt;test text&lt;/b&gt;&lt;script type='text/javascript'&gt;alert('I dont want this alert to show');&lt;/script&gt;" escape="false"/>

That shows 'test text' in bold, but it pops up the alert dialog too; I don't want the script to run. It can write out the script code or delete it, but it shouldn't run.

Solution

Use an HTML parser to get rid of those malicious things.

Among others, Jsoup is capable of this. Here's an extract of relevance from its site.

Sanitize untrusted HTML

Problem

You want to allow untrusted users to supply HTML for output on your website (e.g. as comment submission). You need to clean this HTML to avoid cross-site scripting (XSS) attacks.

Solution

Use the jsoup HTML Cleaner with a configuration specified by a Whitelist.

String unsafe = 
      "<p><a href='http://example.com/' onclick='stealCookies()'>Link</a></p>";
String safe = Jsoup.clean(unsafe, Whitelist.basic());
      // now: <p><a href="http://example.com/" rel="nofollow">Link</a></p>

So, all you basically need to do is the following when preparing the text:

String sanitizedText = Jsoup.clean(rawText, Whitelist.basic());

(You can do it before or after saving the text in the DB, but keep in mind that when doing it before, without saving the original text, you can't detect malicious users and take social actions anymore.)

and then display it as follows:

<h:outputText value="#{bean.sanitizedText}" escape="false" />
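The following is an added, self-contained example (not code from the original answer or from the jsoup project) of the sanitize-on-output pattern the answer describes, applied to the question's own payload. It assumes jsoup 1.14.1 or later, where the `Whitelist` class quoted above was renamed `Safelist` (older versions use `org.jsoup.safety.Whitelist` with the same methods); the class name `HtmlSanitizer` and the helper names are this example's own choices. Keeping the raw text and cleaning it at render time, as the answer recommends, is what makes the `isAlreadySafe` check possible: it tells you which stored inputs would have been altered by the cleaner, i.e. which users submitted disallowed markup.

```java
import org.jsoup.Jsoup;
import org.jsoup.safety.Safelist;

/**
 * Output-side HTML sanitisation for a JSF bean property that is rendered with
 * escape="false". Added example; not part of the original answer.
 */
public class HtmlSanitizer {

    // Safelist.basic() permits simple formatting (b, i, em, strong, p, ul, ol, li,
    // a with http/https/mailto href, ...) and drops everything else, including
    // <script>, inline event handlers such as onclick, and javascript: URLs.
    private static final Safelist SAFELIST = Safelist.basic();

    /** Returns HTML that is safe to emit unescaped, e.g. from bean.sanitizedText. */
    public static String sanitize(String rawHtml) {
        if (rawHtml == null) {
            return "";
        }
        return Jsoup.clean(rawHtml, SAFELIST);
    }

    /**
     * True when the input already conforms to the safelist, i.e. cleaning would
     * not remove anything. Run this over the stored raw text to flag users who
     * submitted disallowed markup, which is the detection the answer refers to.
     */
    public static boolean isAlreadySafe(String rawHtml) {
        return rawHtml == null || Jsoup.isValid(rawHtml, SAFELIST);
    }

    public static void main(String[] args) {
        // Constructed input: the payload from the question.
        String raw = "<b>test text</b><script type=\"text/javascript\">"
                   + "alert('I dont want this alert to show');</script>";
        System.out.println(sanitize(raw));       // <b>test text</b>  (script and its body dropped)
        System.out.println(isAlreadySafe(raw));  // false

        // Constructed input: an event handler on an otherwise allowed tag is stripped,
        // and basic() adds rel="nofollow" to links it keeps.
        String link = "<a href='http://example.com/' onclick='stealCookies()'>Link</a>";
        System.out.println(sanitize(link));
        // <a href="http://example.com/" rel="nofollow">Link</a>
        System.out.println(isAlreadySafe("<p><em>plain</em> formatting</p>"));  // true
    }
}
```

If the page needs tags beyond `basic()` (images, tables, headings), build the safelist explicitly with `Safelist.relaxed()` or `basic().addTags(...)` rather than loosening the check at the `h:outputText`; the component itself never knows which markup is trusted.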
