问题描述:

I am doing a Java-based web application. It allows users to enter content, which is displayed to other users.

Naturally for security reasons, I have to filter user content to prevent XSS and other attacks.

I understand that filtering user content is a much-discussed topic. I found many posts at SO, but they are related to theory discussion, PHP, ideas, etc. I need a Java library to use to avoid re-writing/inventing everything. I feel there must be one out there.

Is there such a library I can use?

Thanks for any info!

网友答案:

If you want to sanitise user input to prevent XSS then OWASP provide the standard implementation for doing that in their AntiSamy project.

There is a better implementation of this on google code called owasp-java-html-sanitizer, this allows you to define policies programmatically and then run the suspect HTML through the policy which will strip out all nonsense.

Here is an example from their website:

PolicyFactory policy = Sanitizers.FORMATTING.and(Sanitizers.LINKS);
String safeHTML = policy.sanitize(untrustedHTML);

This creates a policy that only allows formatting and links in the suspect HTML, everything else is removed.

相关阅读:
Top