Hello (I'm not good at English, sorry.)
I implemented a comment and reply system using HTML5/CSS3, JavaScript and JSP.
I implemented it so that when any user writes text, it is registered in the database, but HTML markup characters such as ('<', '>') are replaced with '&lt;', '&gt;'.
This is to protect against any script attack and SQL query injection.
But I have a problem. In the board's view page I want to allow only the br tag, for new lines.
How can I implement this? Please.
This is my registration page so far:
<%@ page contentType="text/html; charset=UTF-8" language="java" import="java.sql.*, java.util.Calendar, java.net.InetAddress"%>
<!doctype html>
<html>
<head>
<%@ include file="../dbinfo.jsp" %>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
</head>
<% request.setCharacterEncoding("UTF-8"); %>
<%
String nums = request.getParameter("num");
%>
<%
PreparedStatement pstmt = null;
ResultSet rs = null;
Calendar cal = Calendar.getInstance();
String date = Integer.toString(cal.get(Calendar.YEAR)) + "-";
date += Integer.toString(cal.get(Calendar.MONTH)+1) + "-";
date += Integer.toString(cal.get(Calendar.DATE)) + " ";
date += Integer.toString(cal.get(Calendar.HOUR_OF_DAY)) + ":";
date += Integer.toString(cal.get(Calendar.MINUTE)) + ":";
date += Integer.toString(cal.get(Calendar.SECOND));
String reply_num = null;
String result ="n";
// Next reply number = highest existing reply_num + 1 (first row of the descending order).
// Not safe under concurrent inserts: two requests can read the same number; an AUTO_INCREMENT column avoids this.
String SQL = "select (reply_num+1) as reply_num from board_reply order by reply_num desc";
pstmt = con.prepareStatement(SQL);
rs = pstmt.executeQuery();
if(rs.next()){
reply_num = rs.getString("reply_num");
}else{
reply_num = "1";
}
SQL = "insert into board_reply(reply_num, text, userid, board_num, date, ip) values(?, ?, ?, ?, ?, ?)";
pstmt = con.prepareStatement(SQL);
pstmt.setString(1, reply_num);
String text = request.getParameter("ttext");
if (text == null) text = "";
String ip = request.getRemoteAddr();
// Newlines become <br> BEFORE '<' and '>' are escaped, so the two replacements
// below also escape the <br> that was just inserted (this is the problem described above).
text = text.replaceAll("\r\n", "<br>");
text = text.replaceAll("<", "&lt;");
text = text.replaceAll(">", "&gt;");
pstmt.setString(2, text);
pstmt.setString(3, (String) request.getParameter("userid"));
pstmt.setString(4, nums);
pstmt.setString(5, date);
pstmt.setString(6, ip);
pstmt.executeUpdate();
pstmt.close();
rs.close();
%>
</html>
<script>
alert("your texts are registered successfully!");
location.href ="board_list.jsp"
</script>
Answer 0 (score: 1)
A very simple way: just change the order of the replaceAll calls
text = text.replaceAll("<", "&lt;");
text = text.replaceAll(">", "&gt;");
text = text.replaceAll("\r\n", "<br>");
This should suit your requirements.
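As an added example that is not part of the question or the answer, here is the escape-then-break logic as a plain Java class that runs without a servlet container or database. The class and method names (ReplyTextFormatter, escapeHtml, toHtmlWithLineBreaks, brokenOrder) are my own, and the sample input is constructed. It goes beyond the answer in two ways: it escapes '&', '"' and '\'' as well as '<' and '>', and it treats a lone CR or LF as a line break too, since not every client sends CRLF.

```java
import java.util.regex.Pattern;

// Added example, not code from the original question or answer.
public class ReplyTextFormatter {

    // Matches CRLF, lone CR, or lone LF so all common line endings become <br>.
    private static final Pattern NEWLINE = Pattern.compile("\r\n|\r|\n");

    // Escapes the five characters that are significant in HTML text and
    // attribute context. '&' is handled in the same pass as the others, so a
    // user-supplied "&lt;" cannot survive as markup.
    public static String escapeHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // The order that answers the question: escape everything the user typed,
    // and only then insert the <br> tags that the application itself generates.
    // The user can never type a '<' that reaches the page unescaped, and the
    // only '<' in the result is the one this method adds.
    public static String toHtmlWithLineBreaks(String userText) {
        if (userText == null) {
            return "";
        }
        return NEWLINE.matcher(escapeHtml(userText)).replaceAll("<br>");
    }

    // The order used in the question, kept only to show why it fails:
    // the <br> inserted first is escaped by the later replacements.
    public static String brokenOrder(String userText) {
        String t = userText.replaceAll("\r\n", "<br>");
        t = t.replaceAll("<", "&lt;");
        return t.replaceAll(">", "&gt;");
    }

    public static void main(String[] args) {
        // Constructed sample input: a script-injection attempt, a CRLF, then a
        // second line containing '&' and quotes.
        String posted = "<script>alert(1)</script>\r\nsecond line & \"quotes\"";

        System.out.println("question's order : " + brokenOrder(posted));
        System.out.println("answer's order   : " + toHtmlWithLineBreaks(posted));
    }
}
```

Two caveats for the page you are building. First, the escaping protects the view page against script injection; it does nothing for SQL injection, and it does not need to, because the insert already binds every value through PreparedStatement parameters. Second, storing the escaped HTML in the database, as the question does, means every other consumer of the text (an admin page, a JSON API, an export) receives pre-escaped data; the more common design is to store the raw text and apply toHtmlWithLineBreaks (or JSTL's <c:out> plus a newline-to-<br> step) at render time in board_view.jsp.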