Java – why does jsoup delete inline style sheets?

I use jsoup to protect my application from XSS attacks. I get all the input parameters and run a jsoup clean on them. But I have a problem.

It deletes all inline style sheets! Why? I have a part of my application where users can write text and publish it as an announcement. He/she writes his/her text through TinyMCE and adds some HTML and style sheets to the user text. Below you can see the sample text created by TinyMCE:

User input: align text in the center
TinyMCE result: <p style="text-align: center;">Center aligned text</p>
Jsoup.clean(text, Whitelist.relaxed()) output: <p>Center aligned text</p>

You can see that jsoup deleted the style from the tag. How can I tell it not to delete simple CSS? Thank you.

Solution

By default, the Whitelist class deletes styles, but you can easily modify this behavior and add style support using addAttributes("p", "style"):

Whitelist.relaxed().addAttributes("p","style");

Explanation

This sets the style attribute of the p element to be ignored during cleanup. Only the style of p will be deleted!

Verification Code

Just copy and paste this code and call it from main.

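import org.jsoup.Jsoup;
import org.jsoup.safety.Whitelist;

public class CleanStyleTest {
    public static void main(String[] args) {
        String text = "<p style=\"text-align: center;\">Center Aligned Text</p>";
        // Relaxed whitelist, plus the style attribute on <p> elements only
        String clean = Jsoup.clean(text, Whitelist.relaxed()
                .addAttributes("p", "style"));
        System.out.println(clean);
    }
}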

Result

<p style="text-align: center;">Center Aligned Text</p>

Dependency

org.jsoup:jsoup:1.7.3
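
An added example, not part of the original answer: jsoup's cleaner checks attribute names but does not parse CSS, so once style is whitelisted its value passes through unchanged. The sketch below filters each surviving style attribute against a property allow-list after cleaning; the class name, the property list and the value pattern are assumptions chosen for illustration.

```java
import java.util.*;
import java.util.regex.Pattern;
import org.jsoup.Jsoup;
import org.jsoup.nodes.Document;
import org.jsoup.nodes.Element;
import org.jsoup.safety.Whitelist;

public class StyleFilterExample {
    // Assumption: the only CSS properties the editor needs. Extend deliberately.
    private static final Set<String> ALLOWED_PROPS = new HashSet<String>(
            Arrays.asList("text-align", "font-weight", "font-style", "text-decoration"));
    // Values limited to plain keywords and numbers: no parentheses, quotes or escapes.
    private static final Pattern SAFE_VALUE = Pattern.compile("[a-zA-Z0-9 #%.-]{1,40}");

    static String filterStyle(String style) {
        StringBuilder kept = new StringBuilder();
        for (String decl : style.split(";")) {
            int colon = decl.indexOf(':');
            if (colon < 0) continue;                       // not a property: value pair
            String prop = decl.substring(0, colon).trim().toLowerCase(Locale.ROOT);
            String value = decl.substring(colon + 1).trim();
            if (ALLOWED_PROPS.contains(prop) && SAFE_VALUE.matcher(value).matches()) {
                kept.append(prop).append(": ").append(value).append("; ");
            }
        }
        return kept.toString().trim();
    }

    static String cleanWithStyle(String html) {
        // Step 1: the whitelist from the answer; the style value is kept verbatim here.
        String cleaned = Jsoup.clean(html, Whitelist.relaxed().addAttributes("p", "style"));
        // Step 2: re-parse the cleaned fragment and filter every remaining style attribute.
        Document doc = Jsoup.parseBodyFragment(cleaned);
        for (Element el : doc.select("[style]")) {
            String filtered = filterStyle(el.attr("style"));
            if (filtered.isEmpty()) el.removeAttr("style");
            else el.attr("style", filtered);
        }
        return doc.body().html();
    }

    public static void main(String[] args) {
        // Constructed sample input: one allowed declaration, two that are dropped.
        String input = "<p style=\"text-align: center; position: fixed; "
                + "background-image: url(http://example.invalid/x.png)\">Center Aligned Text</p>"
                + "<div style=\"text-align: right\">div style is not whitelisted</div>";
        System.out.println(cleanWithStyle(input));
    }
}
```

Because addAttributes("p", "style") names only the p element, the style on the div is already removed in step 1; step 2 then trims the p element's style down to the allow-listed declarations.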