从HTML中过滤JavaScript [英] Filtering JavaScript out of HTML

问题描述

我有一个将HTML传递到服务器的富文本编辑器。该HTML然后显示给其他用户。我想确保该HTML中没有JavaScript。有没有办法做到这一点？

I have a rich text editor that passes HTML to the server. That HTML is then displayed to other users. I want to make sure there is no JavaScript in that HTML. Is there any way to do this?

另外，如果有帮助的话，我使用的是ASP.NET。

Also, I'm using ASP.NET if that helps.

推荐答案

最简单的做法是用正则表达式去掉标签。麻烦的是，如果没有脚本标记，你可以做很多令人讨厌的事情（例如，嵌入狡猾的图像，有链接到其他网站有讨厌的Javascript）。通过将小于/大于号字符转换为其HTML实体形式（例如<）来完全禁用HTML也可以作为选项。

The simplest thing to do would be to either strip out tags with a regex. Trouble is that you could do plenty of nasty things without script tags (e.g. imbed dodgy images, have links to other sites that have nasty Javascript) . Disabling HTML completely by convert the less than/greater than characters into their HTML entities forms (e.g. <) could also be an option.

如果您想要一个更强大的解决方案，在过去我已经使用 AntiSamy 来清理传入的文本，以便它是安全的观看。

If you want a more powerful solution, in the past I have used AntiSamy to sanitize incoming text so that it's safe for viewing.

这篇关于从HTML中过滤JavaScript的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！