Question

我在String中有一个url，如下所示：

"<a style=\"color: #800000; background-color: #ffcc00;\" title=\"Test12\" href=\"http://www.google.com\" target=\"_blank\" rel=\"noopener noreferrer\">www.google.com</a>"

消毒后，我的字符串变为：

"<a style="color: #800000; background-color: #ffcc00;" title="Test12" href="http://www.google.com" target="_blank" rel="noopener noreferrer noopener noreferrer">www.google.com</a>"

请注意，在rel属性中，它有两倍 noopener noreferrer noopener noreferrer

String [] allowElements = {"b", "i", "font", "s", "u", "o", "sup", "sub", "ins", "del", "strong", "strike", "tt",
        "code", "big", "small", "br", "span", "em", "li", "ul", "ol", "a", "p", "target"};

String [] allowAttributes = {"style", "href", "target", "rel", "title", "_blank"};

 PolicyFactory policy = new HtmlPolicyBuilder().allowUrlProtocols("http", "https")
            .allowElements(allowElements)
            .allowAttributes(allowAttributes)
            .onElements(allowElements)
            .toFactory();

    final String sanitized = policy.sanitize(value);

    System.err.println(sanitized);

为什么？

Answer 1

您可以使用新的HtmlPolicyBuilder（）。skipRelsOnLinks（＆＃34; noopener＆＃34;，＆＃34; noreferrer＆＃34;），它们会选择退出某些DEFAULT_RELS_ON_TARGETTED_LINKS添加到链接中。

注意：DEFAULT_RELS_ON_TARGETTED_LINKS = ImmutableSet.of（＆＃34; noopener＆＃34;，＆＃34; noreferrer＆＃34;）;

更多细节在这里： https://github.com/OWASP/java-html-sanitizer/blob/master/src/main/java/org/owasp/html/HtmlPolicyBuilder.java

Java - Owasp Html Sanitizer为url显示双重noopener noreferrer

1 个答案: