从HTML中过滤JavaScript [英] Filtering JavaScript out of HTML
问题描述
我有一个将HTML传递到服务器的富文本编辑器。该HTML然后显示给其他用户。我想确保该HTML中没有JavaScript。有没有办法做到这一点?
I have a rich text editor that passes HTML to the server. That HTML is then displayed to other users. I want to make sure there is no JavaScript in that HTML. Is there any way to do this?
另外,如果有帮助的话,我使用的是ASP.NET。
Also, I'm using ASP.NET if that helps.
推荐答案
最简单的做法是用正则表达式去掉标签。麻烦的是,如果没有脚本标记,你可以做很多令人讨厌的事情(例如,嵌入狡猾的图像,有链接到其他网站有讨厌的Javascript)。通过将小于/大于号字符转换为其HTML实体形式(例如<)来完全禁用HTML也可以作为选项。
The simplest thing to do would be to either strip out tags with a regex. Trouble is that you could do plenty of nasty things without script tags (e.g. imbed dodgy images, have links to other sites that have nasty Javascript) . Disabling HTML completely by convert the less than/greater than characters into their HTML entities forms (e.g. <) could also be an option.
如果您想要一个更强大的解决方案,在过去我已经使用 AntiSamy 来清理传入的文本,以便它是安全的观看。
If you want a more powerful solution, in the past I have used AntiSamy to sanitize incoming text so that it's safe for viewing.
这篇关于从HTML中过滤JavaScript的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!