使用Java清理CSS [英] Sanitize CSS Using Java

问题描述

在Java中有一个好的库来清理CSS样式表吗？我们希望允许管理员用户上传CSS样式表，以控制他们管理的网站部分的外观。当然，我们不想allox XSS攻击，如background：url（javascript :)所以我们正在寻找一个良好的清理解决方案。

Is there a good library in Java for sanitizing CSS stylesheets? We would like to allow admin users to upload CSS stylesheets to control the look of portion of the site that they administrate. Naturally we do not want to allox XSS attacks such as background:url(javascript:) so we are looking for a good sanitization solution.

我发现的唯一的东西我喜欢使用 Google Caja CssTree剖析器从CSS中排除危险标记。我可能最终会使用类似这样的东西，但如果有人知道一个库，我不必为这么多的依赖关系，并提取，这将是有帮助的。

The only thing I have found so far that I have liked uses the Google Caja CssTree parser to exclude dangerous tags from CSS. I may end up using something like this, but if someone knows of a library that I do not have to bring down so many dependencies for, and extract, that would be helpful.

解决方案：使用AntiSamy库如Vineet Reynolds建议

Solution: Used AntiSamy library like Vineet Reynolds suggested

        Policy policy = Policy.getInstance("antisamy.xml");
        ResourceBundle messages = ResourceBundle.getBundle("AntiSamy", Locale.getDefault());

        CssScanner scanner = new CssScanner(policy, messages);
        CleanResults results = scanner.scanStyleSheet(stylesheet, Integer.MAX_VALUE);

推荐答案

OWASP AntiSamy 可以执行CSS样式表验证;我没有尝试过这个功能。此外，我不确定它是否适合您的项目与太多的依赖项。它在内部依靠Apache Batik来执行样式表的解析。

OWASP AntiSamy can perform CSS stylesheet validation; I haven't tried that feature in particular though. Also, I'm not sure if it fits your bill of being a project with too many dependencies. It relies on Apache Batik internally to perform the parsing of the stylesheet.

如果我有安全意识，我不会对下游依赖打扰;我会为任务选择适当的工具。

If I were security conscious, I wouldn't be bothered with downstream dependencies; I would choose the appropriate tool for the task.

这篇关于使用Java清理CSS的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！