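I am trying to use the Java library Jsoup to clean text strings that may contain malicious content (XSS). I have to allow <a> links, but for XSS reasons I do not want to allow javascript: links. Does org.jsoup.Jsoup not handle javascript: links?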
The test case below fails because the javascript protocol is still allowed. Any ideas on how to solve this using Jsoup's built-in functions?
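import static org.junit.Assert.assertEquals;
import org.jsoup.Jsoup;
import org.jsoup.safety.Whitelist;
import org.junit.Test;

public class JsoupCleanTest {
    @Test
    public void test() {
        Whitelist tWhitelist = Whitelist.none();
        tWhitelist.addAttributes("a", "href");
        // Intended to block javascript: links, but it has no visible effect on the output.
        tWhitelist.removeProtocols("a", "href", "javascript");
        String tUnsafe = "<a href=\"javascript:alert(1)\">Link</a> is a link.";
        assertEquals("Link is a link.", Jsoup.clean(tUnsafe, tWhitelist));
    }
}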
org.junit.ComparisonFailure: expected:<[Link] is a link.> but was:<[<a href="javascript:alert(1)">Link</a>] is a link.>
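One possible explanation, offered as an assumption rather than something confirmed in this post: Jsoup seems to apply a protocol check to an attribute only after at least one protocol has been registered for it with addProtocols. With nothing registered for a/href, every scheme passes and removeProtocols has nothing to remove. The plain-Java sketch below models that allow-list rule without using Jsoup at all. The ProtocolAllowList class and its methods are hypothetical names made up for illustration, not Jsoup's actual code.

```java
import java.util.HashMap;
import java.util.HashSet;
import java.util.Locale;
import java.util.Map;
import java.util.Set;

/** Hypothetical model of a per-attribute protocol allow-list (not Jsoup's implementation). */
final class ProtocolAllowList {
    // Attribute name -> schemes explicitly allowed for that attribute.
    private final Map<String, Set<String>> allowed = new HashMap<>();

    /** Registers allowed schemes; from now on the attribute is restricted to them. */
    ProtocolAllowList addProtocols(String attribute, String... schemes) {
        Set<String> set = allowed.computeIfAbsent(attribute, k -> new HashSet<>());
        for (String scheme : schemes) {
            set.add(scheme.toLowerCase(Locale.ROOT));
        }
        return this;
    }

    /** Removes schemes from an existing entry; a no-op if nothing was registered. */
    ProtocolAllowList removeProtocols(String attribute, String... schemes) {
        Set<String> set = allowed.get(attribute);
        if (set != null) {
            for (String scheme : schemes) {
                set.remove(scheme.toLowerCase(Locale.ROOT));
            }
        }
        return this;
    }

    /** Returns true if the value may be kept for the given attribute. */
    boolean isSafe(String attribute, String value) {
        Set<String> set = allowed.get(attribute);
        if (set == null) {
            return true; // assumption: no registered protocols means no check at all
        }
        String normalized = value.trim().toLowerCase(Locale.ROOT);
        for (String scheme : set) {
            if (normalized.startsWith(scheme + ":")) {
                return true;
            }
        }
        return false;
    }
}
```

If that assumption holds, the Jsoup-side change to try would be replacing the removeProtocols call with tWhitelist.addProtocols("a", "href", "http", "https"). As far as I can tell this strips the href attribute but keeps the a element itself, so the expected string in the assertion may need to become "<a>Link</a> is a link." rather than the bare text.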