爪哇 - OWASP的Html消毒劑顯示URL

Question

雙noopener noreferrer我在字符串的URL類似以下內容：

"<a style=\"color: #800000; background-color: #ffcc00;\" title=\"Test12\" href=\"http://www.google.com\" target=\"_blank\" rel=\"noopener noreferrer\">www.google.com</a>" 

消毒後，我的字符串變成：

"<a style="color: #800000; background-color: #ffcc00;" title="Test12" href="http://www.google.com" target="_blank" rel="noopener noreferrer noopener noreferrer">www.google.com</a>" 

請注意，在相對屬性它具有雙重noopener noreferrer noopener的noreferrer

String [] allowElements = {"b", "i", "font", "s", "u", "o", "sup", "sub", "ins", "del", "strong", "strike", "tt", 
     "code", "big", "small", "br", "span", "em", "li", "ul", "ol", "a", "p", "target"}; 

String [] allowAttributes = {"style", "href", "target", "rel", "title", "_blank"}; 

PolicyFactory policy = new HtmlPolicyBuilder().allowUrlProtocols("http", "https") 
      .allowElements(allowElements) 
      .allowAttributes(allowAttributes) 
      .onElements(allowElements) 
      .toFactory(); 

    final String sanitized = policy.sanitize(value); 

    System.err.println(sanitized); 

這是爲什麼？

Answer 1

您可以使用新的HtmlPolicyBuilder（）。skipRelsOnLinks（「noopener」，「noreferrer」），它可以從一些DEFAULT_RELS_ON_TARGETTED_LINKS中選擇添加到鏈接中。

注意：DEFAULT_RELS_ON_TARGETTED_LINKS = ImmutableSet.of（「noopener」，「noreferrer」）;

更多細節在這裏： https://github.com/OWASP/java-html-sanitizer/blob/master/src/main/java/org/owasp/html/HtmlPolicyBuilder.java