清理用户提交的HTML,但保留安全的嵌入式iframe [英] Sanitize user submitted HTML but keep safe embedded iframes
问题描述
我需要清理用户对恶意html&输入的输入。由 CKEditor
提交。我目前使用 owasp -java-html-sanitizer
。为此目的,但它也会删除嵌入的iframe。但我有真正的用例,例如在帖子中嵌入YouTube视频或幻灯片共享演示文稿。
I need to sanitize user inputs of malicious html & submitted by CKEditor
. I currently use owasp-java-html-sanitizer
. for this purpose but it removes embedded iframes as well. But I have genuine use cases like embedding a YouTube video or slide share presentation within posts.
我如何安全地允许这样的嵌入式iframe?我使用Java。
How could I allow such embedded iframes safely? I use Java.
推荐答案
您需要将iframe元素和source属性设置为您的Html策略。
您可以按照以下示例进行操作: java doc
You will need to allow the iframe element and source attribute to your Html policy. You can do it like the following example modified from the java doc
// Define the policy.
Function<HtmlStreamEventReceiver, HtmlSanitizer.Policy> policy
= new HtmlPolicyBuilder()
.allowElements("a", "p", "iframe")
.allowAttributes("href").onElements("a")
.allowAttributes("source").onElements("iframe")
.toFactory();
// Sanitize your output.
HtmlSanitizer.sanitize(myHtml, policy.apply(myHtmlStreamRenderer));
这篇关于清理用户提交的HTML,但保留安全的嵌入式iframe的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!