Java – OWASP HTML sanitizer clear comments

I have an application where customers can store the following HTML lines to load different styles for the actual browser:

<!--[if IE 6]><link rel="stylesheet" type="text/css" media="all" href="default/css/general_ie6.css"><![endif]--> 
<!--[if IE 7]><link rel="stylesheet" type="text/css" media="all" href="default/css/general_ie7.css"><![endif]--> 
<!--[if IE 8]><link rel="stylesheet" type="text/css" media="all" href="default/css/general_ie8.css"><![endif]-->

In addition, I have configured the OWASP policy to prohibit malicious HTML tags by:

new HtmlPolicyBuilder().allowElements("link").allowAttributes("rel","type","media","href").onElements("link").toFactory();

But after sanitization, the browser lines are discarded.

Can you suggest how to configure policies to store such content?

Solution

The OWASP sanitizer cannot be configured to accept these tags. Instead, you can use an HTML parser like jsoup to extract these lines before sanitizing, and then add them.
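One way to implement the extract-and-re-add approach described above, as an added example that is not part of the original answer. The class name, the regular expression and the sample input are assumptions made for illustration. Only comments with the exact `[if IE N]` shape from the question are kept, and the markup inside them still goes through the same policy, so re-adding them does not bypass the sanitizer.

```java
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import org.jsoup.Jsoup;
import org.jsoup.nodes.Comment;
import org.jsoup.nodes.Node;
import org.owasp.html.HtmlPolicyBuilder;
import org.owasp.html.PolicyFactory;

public class ConditionalCommentSanitizer { // hypothetical class name
    // Same policy as in the question.
    private static final PolicyFactory POLICY = new HtmlPolicyBuilder()
            .allowElements("link")
            .allowAttributes("rel", "type", "media", "href").onElements("link")
            .toFactory();

    // Assumed allow-list: only "[if IE N]> ... <![endif]" is treated as a conditional comment.
    private static final Pattern IE_CONDITIONAL =
            Pattern.compile("\\[if IE (\\d{1,2})\\]>(.*)<!\\[endif\\]", Pattern.DOTALL);

    public static String sanitize(String untrusted) {
        StringBuilder out = new StringBuilder();
        // Walk the top-level nodes in order so kept comments stay in their original position.
        for (Node node : Jsoup.parseBodyFragment(untrusted).body().childNodes()) {
            if (node instanceof Comment) {
                Matcher m = IE_CONDITIONAL.matcher(((Comment) node).getData().trim());
                if (m.matches()) {
                    // The comment body is untrusted too: run it through the policy.
                    String inner = POLICY.sanitize(m.group(2));
                    // Refuse anything that could terminate the rebuilt comment early.
                    if (!inner.contains("--")) {
                        out.append("<!--[if IE ").append(m.group(1)).append("]>")
                           .append(inner).append("<![endif]-->");
                    }
                }
                continue; // every other comment is dropped
            }
            out.append(POLICY.sanitize(node.outerHtml()));
        }
        return out.toString();
    }

    public static void main(String[] args) {
        // Constructed input: the first line from the question plus a comment the policy should empty out.
        String input = "<!--[if IE 6]><link rel=\"stylesheet\" type=\"text/css\" media=\"all\" "
                + "href=\"default/css/general_ie6.css\"><![endif]-->\n"
                + "<!--[if IE 7]><script src=\"x.js\"></script><![endif]-->";
        System.out.println(sanitize(input));
    }
}
```

Comments nested inside other elements are not preserved, because each non-comment node is passed to the sanitizer as a whole.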
