devbox
凡人多烦事01
这个屌丝很懒,什么也没留下!
关注作者
热门标签
热门文章
当前位置:   article > 正文

富文本编辑器过滤XSS注入(JSOUP)_js富文本防止注入攻击

作者:凡人多烦事01 | 2024-03-30 02:18:27

js富文本防止注入攻击

众所周知,让用户在富文本编辑器中进行自己的输入绝对不是一个明智的选择,但是有的时候又没有办法,所以只有一条原则来保证系统的安全性,那就是我们让用户输入什么,用户才能输入什么,而不是用户想输入什么,他就能输入什么,这样才能让系统处于我们的掌控,不至于出现各种娄子,比如各种XSS注入什么的。

后来我们发现有一个比较好用的东西就是JSOUP,这是一个能够对输入的html进行过滤,简单来说就是可以增加白名单和黑名单(基于正则表达式),白名单就是只允许一个html标签上有固定的属性,比如我们只允许<div height="100" >,即div上只允许有height属性,其他的都是非法的我们认为,就可以用jsoup设置白名单进行过滤。我们也可以设置黑名单,即我们觉得<div>标签什么属性都可以有,但是style标签我们不能控制,认为他是个黑名单,我们也可以用jsoup进行实现。


下面贴出一个样例:

  1. import java.io.File;
  2. import java.io.FileInputStream;
  3. import java.io.IOException;
  4. import java.io.InputStream;
  5. import java.io.StringWriter;
  6. import java.io.Writer;
  7. import java.util.ArrayList;
  8. import java.util.HashMap;
  9. import java.util.List;
  10. import java.util.Map;
  11. import java.util.regex.Matcher;
  12. import java.util.regex.Pattern;
  13.  
  14. import net.sf.json.JSONObject;
  15. import net.sf.json.JsonConfig;
  16.  
  17. import org.apache.commons.io.IOUtils;
  18. import org.jsoup.Jsoup;
  19. import org.jsoup.nodes.Document;
  20. import org.jsoup.nodes.Document.OutputSettings;
  21. import org.jsoup.nodes.Element;
  22. import org.jsoup.safety.Whitelist;
  23. import org.jsoup.select.Elements;
  24. import org.springframework.core.io.ClassPathResource;
  25. import org.springframework.core.io.Resource;
  26. import org.springside.modules.mapper.JsonMapper;
  27.  
  28. public class HTMLStringFilter {
  29. 	private final static String regxpForHtml = "<([^>]*)>"; // 过滤所有以<开头以>结尾的标签
  30. 	private final static String PICTURE = "[图片]";
  31. 	//private final static String regxpForImgTag = "<\\s*img\\s+([^>]*)\\s*>"; // 找出IMG标签
  32.  
  33. 	//private final static String regxpForImaTagSrcAttrib = "src=\"([^\"]+)\""; // 找出IMG标签的SRC属性
  34.  
  35. 	public HTMLStringFilter() {
  36. 	}
  37. 	
  38. 	public static String HTMLEncode(String fString){
  39.         fString=fString.replaceAll(" <", "<");
  40.         fString=fString.replaceAll(">", ">");
  41.         fString=fString.replaceAll(new String(new char[]{32}), " ");
  42.         fString=fString.replaceAll(new String(new char[]{9}), " ");
  43.         fString=fString.replaceAll(new String(new char[]{34}), """);
  44.         fString=fString.replaceAll(new String(new char[]{39}), "'");
  45.         fString=fString.replaceAll(new String(new char[]{13}), "");
  46.         fString=fString.replaceAll(new String(new char[]{10,10}), " </p> <p>");
  47.         fString=fString.replaceAll(new String(new char[]{10}), " <br>");
  48.         return fString;
  49. 	}
  50. 	
  51. 	/**
  52. 	 * xss escape
  53. 	 */
  54. 	public static String xssEscape(String input) {
  55. 		return input == null ? null : input.replaceAll("<", "<")
  56. 				.replaceAll(">", ">")
  57. //				.replaceAll("eval\\((.*)\\)", "")
  58. //				.replaceAll("[\"'][\\s]*((?i)javascript):(.*)[\"']", "\"\"")
  59. //				.replaceAll("((?i)script)", "")
  60. 				;
  61. 	}
  62. 	
  63. 	/**
  64. 	 * 除指定标签之外的html标签编码
  65. 	 * @param str
  66. 	 * @param tag
  67. 	 * @return
  68. 	 */
  69. 	public static String xssEscapeExceptTag(String str,String tag) {
  70. 		String replaceTag="@"+tag+"@";
  71. 		str=str.replaceAll("<"+tag,replaceTag );
  72. 		str=xssEscape(str);
  73. 		str=str.replaceAll(replaceTag, "<"+tag);
  74. 		
  75. 		return str;
  76. 	}
  77. 	
  78. 	public static void main(String[] args){
  79. //		System.out.println(new java.util.Date().getTime());
  80. //		System.out.println(HTMLStringFilter.filterSafe("< script >ddd</div>"));
  81. //		System.out.println(HTMLStringFilter.filterSafe("< div >ddd</div>"));
  82. //		System.out.println("======"+HTMLStringFilter.filterSafe("< div oncliCk=''><img src='http://s.jsp'/>ddd</div>"));
  83. //		
  84. //		String imgHTML="<img src=\"http:\"/>";
  85. //		String tag="img";
  86. //		System.out.println("filter except:"+filterHtmlExceptTag(imgHTML, tag));
  87. //		
  88. //		System.out.println(new java.util.Date().getTime());
  89. //		
  90. //		String source="aaaaa<img alt=\"[可爱]\" src=\"http://img.t.sinajs.cn/t4/appstyle/expression/ext/normal/14/tza_thumb.gif\" height=\"22\" width=\"22\" />bbbb<img alt=\"[给力]\" src=\"http://img.t.sinajs.cn/t4/appstyle/expression/ext/normal/c9/geili_thumb.gif\" height=\"22\" width=\"22\" />ccc";
  91. //		String title=replaceTag(source, "img", "alt");
  92. //		System.out.println("title=="+title);
  93. //		
  94. //		String s="<img src=\"http://img7.9158.com/200708/10/09/18/200708103758836.jpg\"/>";
  95. //		List<String> srcs=match(source, "img", "src");
  96. //		if (CollectionUtils.isNotEmpty(srcs)) {
  97. //			for (String att : srcs) {
  98. //				System.out.println("attr=="+att);
  99. //			}
  100. //		}
  101. //		
  102. //		System.out.println("html标签替换=="+replaceHtmlTagOfText(s, "img", "[图片]"));
  103. //		
  104. 		String htmlStr="<html>bb<img style='display:inline;' alt='[挤眼]' src='http://img.t.sinajs.cn/t4/appstyle/expression/ext/normal/c3/zy_thumb.gif' height='22' width='22' />bb<img style='display:inline;' alt='[挤眼]' src='http://img.t.sinajs.cn/t4/appstyle/expression/ext/normal/c3/zy_thumb.gif' height='22' width='22' />aaaa</html>";
  105. 		List<String> srcs=getImgHTML(htmlStr);
  106. 		for (String src : srcs) {
  107. 			System.out.println("======="+src);
  108. 		}
  109. //		System.out.println("=HTMLEncode=="+);
  110. 		
  111. 		
  112. //		List<String> htmls=getImgHTML(htmlStr);
  113. //		List<String> srcs=getImgSrc(htmlStr);
  114. //		
  115. //		System.out.println("--"+htmls.size()+"=="+srcs.size());
  116. //		
  117. //		for (String s : htmls) {
  118. //			System.out.println("----"+s);
  119. //			System.out.print(htmlStr.replaceFirst(s, "[图一]"));
  120. //		}
  121. //		for (String s : srcs) {
  122. //			System.out.println("==="+s);
  123. //		}
  124. 	}
  125. 	
  126. 	/**
  127. 	 * 过滤一下字符串,连同前后< xxx >yyy< / xxx >全部消除。
  128. 	 * 不区分大小写、空格可识别
  129. 	 * <br>"function", "window\\.", "javascript:", "script",
  130. 	 * <br>"js:", "about:", "file:", "document\\.", "vbs:", "frame",
  131. 	 * <br>"cookie", "onclick", "onfinish", "onmouse", "onexit=",
  132. 	 * <br>"onerror", "onclick", "onkey", "onload", "onfocus", "onblur" 
  133. 	 * @param htmlStr
  134. 	 * @return
  135. 	 */
  136. 	public static String filterSafe(String htmlStr){
  137. 		Pattern p = null; // 正则表达式
  138. 		Matcher m = null; // 操作的字符串
  139. 		StringBuffer tmp = null;
  140. 		String str = "";
  141. 		boolean isHave = false;
  142. 		String[] Rstr = { "meta", "script", "object", "embed" };
  143. 		if (htmlStr == null || !(htmlStr.length() > 0)) {
  144. 			return "";
  145. 		}
  146. 		str = htmlStr.toLowerCase();
  147. 		for (int i = 0; i < Rstr.length; i++) {
  148. 			p = Pattern.compile("<" + Rstr[i] + "(.[^>])*>");
  149. 			m = p.matcher(str);
  150. 			tmp = new StringBuffer();
  151. 			if (m.find()) {
  152. 				m.appendReplacement(tmp, "<" + Rstr[i] + ">");
  153. 				while (m.find()) {
  155. 					m.appendReplacement(tmp, "<" + Rstr[i] + ">");
  156. 				}
  157. 				isHave = true;
  158. 			}
  160. 			m.appendTail(tmp);
  161. 			str = tmp.toString();
  163. 			p = Pattern.compile("</" + Rstr[i] + "(.[^>])*>");
  164. 			m = p.matcher(str);
  165. 			tmp = new StringBuffer();
  166. 			if (m.find()) {
  167. 				m.appendReplacement(tmp, "</" + Rstr[i] + ">");
  168. 				while (m.find()) {
  169. 					m.appendReplacement(tmp, "</" + Rstr[i] + ">");
  170. 				}
  171. 				isHave = true;
  172. 			}
  173. 			m.appendTail(tmp);
  174. 			str = tmp.toString();
  176. 		}
  178. 		// System.out.println(str);
  180. 		String[] Rstr1 = { "function", "window\\.", "javascript:", "script",
  181. 				"js:", "about:", "file:", "document\\.", "vbs:", "frame",
  182. 				"cookie", "onclick", "onfinish", "onmouse", "onexit=",
  183. 				"onerror", "onclick", "onkey", "onload", "onfocus", "onblur" };
  185. 		for (int i = 0; i < Rstr1.length; i++) {
  186. 			p = Pattern.compile("<([^<>])*" + Rstr1[i] + "([^<>])*>([^<>])*</([^<>])*>");
  188. 			m = p.matcher(str);
  189. 			tmp = new StringBuffer();
  190. 			if (m.find()) {
  191. 				m.appendReplacement(tmp, "");
  192. 				while (m.find()) {
  193. 					m.appendReplacement(tmp, "");
  194. 				}
  195. 				isHave = true;
  196. 			}
  197. 			m.appendTail(tmp);
  198. 			str = tmp.toString();
  199. 		}
  201. 		if (isHave) {
  202. 			htmlStr = str;
  203. 		}
  205. 		htmlStr = htmlStr.replaceAll("%3C", "<");
  206. 		htmlStr = htmlStr.replaceAll("%3E", ">");
  207. 		htmlStr = htmlStr.replaceAll("%2F", "");
  208. 		htmlStr = htmlStr.replaceAll("&#", "<b>&#</b>");
  209. 		return htmlStr; 
  210. 	}
  212. 	/**
  213. 	 * 采用jsoup白名单方式过滤非法的html字符。
  214. 	 * 原理:
  215. 	 * 1.首先通过白名单过滤掉非法的html标签,即只允许输出白名单内的标签
  216. 	 * 2.对特殊的属性(主要是style)用正则过滤,只允许安全的属性值存在	 
  217. 	 * @param htmlStr 原始的html片段(用户通过富文本编辑器提交的html代码)
  218. 	 * @return 过滤后的安全的html片段
  219. 	 */
  220. 	public static String cleanSafeHtml(String htmlStr) {
  221. 		Document doc = Jsoup.parseBodyFragment(htmlStr);
  222. 		OutputSettings outSet = new OutputSettings();
  223. 		outSet.prettyPrint(false);
  224. 		outSet.outline(false);
  225. 		doc.outputSettings(outSet);
  226. 		Map<String, String> regexMap = initRegexMap(); 
  227. 		if (regexMap != null) {
  228. 			for (Map.Entry<String,String> entiy:regexMap.entrySet()){
  229. 				String key = entiy.getKey();
  230. 				Elements els = doc.select(key);
  231. 				for (Element el:els) {
  232. 					System.out.println("old el:"+el.toString());
  233. 					String attribute = key.substring(key.indexOf("[")+1, key.indexOf("]"));
  234. 					String attributeValue = el.attr(attribute);
  235. 					Matcher valueMatcher = Pattern.compile(entiy.getValue()).matcher(attributeValue);
  236. 					if (valueMatcher.find()) {
  237. 						String safeValue = valueMatcher.group();
  238. 						System.out.println("safeValue:"+safeValue);
  239. 						el.attr(attribute, safeValue);
  240. 					}
  241. 					System.out.println("new el:"+el.toString());
  242. 				}
  243. 			}
  244. 		}
  245. 		Whitelist whitelist = initWhiteList();
  246. 		String safeString = Jsoup.clean(doc.html(), "", whitelist);
  247. 		System.out.println("safestring:"+safeString);
  248. 		return safeString;	
  249. 		
  250. //		Elements els = doc.select("[style]");
  251. //		for (Element el:els) {
  252. //			System.out.println("old el:"+el.toString());
  253. //			String styleattribute = el.attr("style");
  254. //			Matcher styleMatcher = Pattern.compile(styleAttributeRegex).matcher(styleattribute);
  255. //			if (styleMatcher.find()) {
  256. //				String safeStyle = styleMatcher.group();
  257. //				System.out.println("safeStyle:"+safeStyle);
  258. //				el.attr("style", safeStyle);
  259. //			}
  260. //			System.out.println("new el:"+el.toString());
  261. //		}		
  262. //		Whitelist whitelist = Whitelist.relaxed();
  263. //		whitelist.addAttributes("span", "style");
  264. //		String safeString = Jsoup.clean(doc.html(), "", whitelist);
  265. //		System.out.println("safestring:"+safeString);
  266. //		return safeString;	
  267. 	}
  268. 	private static Whitelist whitelist = null;
  269. 	private static Whitelist initWhiteList() {
  270. 		if (whitelist == null) {
  271. 			synchronized(new Object()) {
  272. 				whitelist = new Whitelist();			
  273. 				String jsonString = null;
  274. 				Resource resource = new ClassPathResource("/data/whitelist.conf");
  275. 				File file = null;
  276. 				InputStream input = null;
  277. 				Writer output = null;
  278. 				try {
  279. 					file = resource.getFile();
  280. 					input = new FileInputStream(file);
  281. 					output = new StringWriter();
  282. 					IOUtils.copy(input, output);
  283. 					jsonString = output.toString();			
  284. 				} catch (IOException e) {
  285. 					// TODO Auto-generated catch block
  286. 					e.printStackTrace();
  287. 				}finally {
  288. 					if (input != null) {
  289. 						IOUtils.closeQuietly(input);
  290. 					}
  291. 					if (output != null) {
  292. 						IOUtils.closeQuietly(output);
  293. 					}
  294. 				}
  295. 				JsonConfig config = new JsonConfig();  
  296. 		        config.setIgnoreDefaultExcludes(true);//这里不设置,会把class属性过滤掉
  297. 				JSONObject jsonObject = JSONObject.fromObject(jsonString,config);
  298. 				JSONObject whitelistjson = jsonObject.getJSONObject("whiteList");
  299. 				JSONObject protocolsjson = jsonObject.getJSONObject("protocols");
  301. 				JsonMapper newMapper = new JsonMapper();
  302. 				Map<String, Map<String, String>> whitelistmap = newMapper.fromJson(whitelistjson.toString(), HashMap.class);
  303. 				Map<String, List<String>> protocolsmap = newMapper.fromJson(protocolsjson.toString(), HashMap.class);
  304. 				for (Map.Entry<String, Map<String, String>> entiy:whitelistmap.entrySet()){
  305. 					String tag = entiy.getKey();
  306. 					whitelist.addTags(tag);
  307. 					for (Map.Entry<String,String> entiy2:entiy.getValue().entrySet()){
  308. 						String attribute = entiy2.getKey();
  309. 						whitelist.addAttributes(tag, attribute);				
  310. 						System.out.println("value value:"+entiy2.getValue());				
  311. 					}
  312. 				}
  313. 				for (Map.Entry<String, List<String>> entiy:protocolsmap.entrySet()){
  314. 					String tag = entiy.getKey().substring(0, entiy.getKey().indexOf("."));
  315. 					String key = entiy.getKey().substring(entiy.getKey().indexOf(".")+1, entiy.getKey().length());
  316. 					for (String entiy2:entiy.getValue()){				
  317. 						whitelist.addProtocols(tag, key, entiy2);
  318. 					}
  319. 				}
  320. 			}			
  321. 		}				
  322. 		return whitelist;
  323. 	}
  325. 	private static Map<String, String> regexMap = null;
  326. 	private static Map<String, String> initRegexMap() {
  327. 		if (regexMap == null) {
  328. 			synchronized (new Object()) {
  329. 				regexMap = new HashMap<String, String>();			
  330. 				String jsonString = null;
  331. 				Resource resource = new ClassPathResource("/data/whitelist.conf");
  332. 				File file = null;
  333. 				InputStream input = null;
  334. 				Writer output = null;
  335. 				try {
  336. 					file = resource.getFile();
  337. 					input = new FileInputStream(file);
  338. 					output = new StringWriter();
  339. 					IOUtils.copy(input, output);
  340. 					jsonString = output.toString();			
  341. 				} catch (IOException e) {
  342. 					// TODO Auto-generated catch block
  343. 					e.printStackTrace();
  344. 				}finally {
  345. 					if (input != null) {
  346. 						IOUtils.closeQuietly(input);
  347. 					}
  348. 					if (output != null) {
  349. 						IOUtils.closeQuietly(output);
  350. 					}
  351. 				}
  352. 				JSONObject jsonObject = JSONObject.fromObject(jsonString);
  353. 				JSONObject whitelistjson = jsonObject.getJSONObject("whiteList");
  354. 				JsonMapper newMapper = new JsonMapper();
  355. 				Map<String, Map<String, String>> whitelistmap = newMapper.fromJson(whitelistjson.toString(), HashMap.class);
  356. 				for (Map.Entry<String, Map<String, String>> entiy:whitelistmap.entrySet()){
  357. 					String tag = entiy.getKey();			
  358. 					for (Map.Entry<String,String> entiy2:entiy.getValue().entrySet()){
  359. 						String attribute = entiy2.getKey();
  360. 						String attributeValue = entiy2.getValue();
  361. 						if (attributeValue != null && attributeValue.trim().length() > 0) {
  362. 							regexMap.put(tag+"["+ attribute +"]", attributeValue);
  363. 						}
  364. 					}
  365. 				}
  366. 			}
  367. 		}		
  368. 		return regexMap;
  369. 	}
  371. 	public static String filter(String input) {
  372. 		if (!hasSpecialChars(input)) {
  373. 			return input;
  374. 		}
  375. 		StringBuffer filtered = new StringBuffer(input.length());
  376. 		char c;
  377. 		for (int i = 0; i <= input.length() - 1; i++) {
  378. 			c = input.charAt(i);
  379. 			switch (c) {
  380. 			case '<':
  381. 				filtered.append("<");
  382. 				break;
  383. 			case '>':
  384. 				filtered.append(">");
  385. 				break;
  386. 			case '"':
  387. 				filtered.append("&uot;");
  388. 				break;
  389. 			case '&':
  390. 				filtered.append("&");
  391. 				break;
  392. 			default:
  393. 				filtered.append(c);
  394. 			}
  395. 		}
  396. 		return (filtered.toString());
  397. 	}
  399. 	public static boolean hasSpecialChars(String input) {
  400. 		boolean flag = false;
  401. 		if ((input != null) && (input.length() > 0)) {
  402. 			char c;
  403. 			for (int i = 0; i <= input.length() - 1; i++) {
  404. 				c = input.charAt(i);
  405. 				switch (c) {
  406. 				case '>':
  407. 					flag = true;
  408. 					break;
  409. 				case '<':
  410. 					flag = true;
  411. 					break;
  412. 				case '"':
  413. 					flag = true;
  414. 					break;
  415. 				case '&':
  416. 					flag = true;
  417. 					break;
  419. 				}
  420. 			}
  421. 		}
  422. 		return flag;
  423. 	}
  425. 	/**
  426. 	 * 
  427. 	 * 基本功能:过滤所有以"<"开头以">"结尾的标签
  428. 	 * <p>
  429. 	 * 
  430. 	 * @param str
  431. 	 * @return String
  432. 	 */
  433. 	public static String filterHtml(String str) {
  434. 		Pattern pattern = Pattern.compile(regxpForHtml);
  435. 		Matcher matcher = pattern.matcher(str);
  436. 		StringBuffer sb = new StringBuffer();
  437. 		boolean result1 = matcher.find();
  438. 		while (result1) {
  439. 			matcher.appendReplacement(sb, "");
  440. 			result1 = matcher.find();
  441. 		}
  442. 		matcher.appendTail(sb);
  443. 		return sb.toString();
  444. 	}
  445. 	
  446. 	/**
  447. 	 * 过滤除指定tag之外的html标签
  448. 	 * @param str
  449. 	 * @param tag
  450. 	 * @return
  451. 	 */
  452. 	public static String filterHtmlExceptTag(String str,String tag) {
  453. 		String replaceTag="@"+tag+"@";
  454. 		str=str.replaceAll("<"+tag,replaceTag );
  455. 		str=filterHtml(str);
  456. 		str=str.replaceAll(replaceTag, "<"+tag);
  457. 		
  458. 		return str;
  459. 	}
  461. 	/**
  462. 	 * 
  463. 	 * 基本功能:过滤指定标签
  464. 	 * <p>
  465. 	 * 
  466. 	 * @param str
  467. 	 * @param tag
  468. 	 *            指定标签
  469. 	 * @return String
  470. 	 */
  471. 	public static String fiterHtmlTag(String str, String tag) {
  472. 		String regxp = "<\\s*" + tag + "\\s+([^>]*)\\s*>";
  473. 		Pattern pattern = Pattern.compile(regxp);
  474. 		Matcher matcher = pattern.matcher(str);
  475. 		StringBuffer sb = new StringBuffer();
  476. 		boolean result1 = matcher.find();
  477. 		while (result1) {
  478. 			matcher.appendReplacement(sb, "");
  479. 			result1 = matcher.find();
  480. 		}
  481. 		matcher.appendTail(sb);
  482. 		return sb.toString();
  483. 	}
  485. 	/**
  486. 	 * 
  487. 	 * 基本功能:替换指定的标签
  488. 	 * <p>
  489. 	 * 
  490. 	 * @param str
  491. 	 * @param beforeTag
  492. 	 *            要替换的标签
  493. 	 * @param tagAttrib
  494. 	 *            要替换的标签属性值
  495. 	 * @param startTag
  496. 	 *            新标签开始标记
  497. 	 * @param endTag
  498. 	 *            新标签结束标记
  499. 	 * @return String
  500. 	 * @如:替换img标签的src属性值为[img]属性值[/img]
  501. 	 */
  502. 	public static String replaceHtmlTag(String str, String beforeTag,
  503. 			String tagAttrib, String startTag, String endTag) {
  504. 		String regxpForTag = "<\\s*" + beforeTag + "\\s+([^>]*)\\s*>";
  505. 		String regxpForTagAttrib = tagAttrib + "=\"([^\"]+)\"";
  506. 		Pattern patternForTag = Pattern.compile(regxpForTag);
  507. 		Pattern patternForAttrib = Pattern.compile(regxpForTagAttrib);
  508. 		Matcher matcherForTag = patternForTag.matcher(str);
  509. 		StringBuffer sb = new StringBuffer();
  510. 		boolean result = matcherForTag.find();
  511. 		while (result) {
  512. 			StringBuffer sbreplace = new StringBuffer();
  513. 			Matcher matcherForAttrib = patternForAttrib.matcher(matcherForTag
  514. 					.group(1));
  515. 			if (matcherForAttrib.find()) {
  516. 				matcherForAttrib.appendReplacement(sbreplace, startTag
  517. 						+ matcherForAttrib.group(1) + endTag);
  518. 			}
  519. 			matcherForTag.appendReplacement(sb, sbreplace.toString());
  520. 			result = matcherForTag.find();
  521. 		}
  522. 		matcherForTag.appendTail(sb);
  523. 		return sb.toString();
  524. 	}
  525. 	
  526. 	/**
  527. 	 * html标签替换为指定字符
  528. 	 * @param str
  529. 	 * @param tagAttrib
  530. 	 * @param beforeTag
  531. 	 * @param replace
  532. 	 * @return
  533. 	 */
  534. 	public static String replaceHtmlTagOfText(String str,String tag,String text) {
  535. 		String regxp = "<\\s*" + tag + "\\s+([^>]*)\\s*>";
  536. 		Pattern pattern = Pattern.compile(regxp);
  537. 		Matcher matcher = pattern.matcher(str);
  538. 		StringBuffer sb = new StringBuffer();
  539. 		boolean result1 = matcher.find();
  540. 		while (result1) {
  541. 			matcher.appendReplacement(sb, text);
  542. 			result1 = matcher.find();
  543. 		}
  544. 		matcher.appendTail(sb);
  545. 		return sb.toString();
  546. 	}
  547. 	
  548. 	
  549. 	 /** 
  550.      * 获取指定HTML标签的指定属性的值 
  551.      * @param source 要匹配的源文本 
  552.      * @param element 标签名称 
  553.      * @param attr 标签的属性名称 
  554.      * @return 属性值列表 
  555.      */  
  556.     public static List<String> match(String source, String element, String attr) {  
  557.         List<String> result = new ArrayList<String>();  
  558.         String reg = "<" + element + "[^<>]*?\\s" + attr + "=['\"]?(.*?)['\"]?\\s.*?>";
  559.         Matcher m = Pattern.compile(reg).matcher(source);  
  560.         while (m.find()) {  
  561.             String r = m.group(1);  
  562.             result.add(r);  
  563.         }  
  564.         return result;  
  565.     }
  566.     
  567.     public static List<String> getImgHTML(String html) {
  568.     	List<String> resultList=new ArrayList<String>();
  569.     	Pattern p=Pattern.compile("<img ([^>]*)");//<img开头 >结尾
  570.     	Matcher m=p.matcher(html);//开始编译
  571.     	while (m.find()) {
  572.     		resultList.add("<img "+m.group(1)+">");//获取匹配的部分
  573.     	}
  574.     	
  575.     	return resultList;
  576.     }
  577.     
  578.     public static List<String> getImgSrc(String htmlStr){     
  579.         String img="";     
  580.         Pattern p_image;     
  581.         Matcher m_image;     
  582.         List<String> pics = new ArrayList<String>();  
  583.      
  584.         String regEx_img = "<img.*src=(.*?)[^>]*?>"; //图片链接地址     
  585.         p_image = Pattern.compile   
  586.                 (regEx_img,Pattern.CASE_INSENSITIVE);     
  587.        m_image = p_image.matcher(htmlStr);   
  588.        while(m_image.find()){     
  589.             img = m_image.group();     
  590.             Matcher m  = Pattern.compile("src=\"?(.*?)(\"|>|\\s+)").matcher(img); //匹配src  
  591.             while(m.find()){
  592.                pics.add(m.group(1));  
  593.             }  
  594.         }     
  595.            return pics;     
  596.     }
  597.     
  598.     public static List<String> getImgAlt(String htmlStr){     
  599.         String img="";     
  600.         Pattern p_image;     
  601.         Matcher m_image;     
  602.         List<String> alts = new ArrayList<String>();  
  603.      
  604.         String regEx_img = "<img.*src=(.*?)[^>]*?>"; //图片链接地址     
  605.         p_image = Pattern.compile   
  606.                 (regEx_img,Pattern.CASE_INSENSITIVE);     
  607.        m_image = p_image.matcher(htmlStr);   
  608.        while(m_image.find()){     
  609.             img = m_image.group();     
  610.             Matcher m  = Pattern.compile("alt=\"?(.*?)(\"|>|\\s+)").matcher(img); //匹配src  
  611.             while(m.find()){
  612.             	alts.add(m.group(1));  
  613.             }  
  614.         }     
  615.            return alts;     
  616.     }
  617.     
  618.     /**
  619. 	 * 
  620. 	 * 基本功能:过滤所有以"<"开头以">"结尾的标签,但是替换为空格
  621. 	 * <p>
  622. 	 * 
  623. 	 * @param str
  624. 	 * @return String
  625. 	 */
  626. 	public static String filterHtmlWithSapce(String str) {
  627. 		Pattern pattern = Pattern.compile(regxpForHtml);
  628. 		Matcher matcher = pattern.matcher(str);
  629. 		StringBuffer sb = new StringBuffer();
  630. 		boolean result1 = matcher.find();
  631. 		while (result1) {
  632. 			matcher.appendReplacement(sb, " ");
  633. 			result1 = matcher.find();
  634. 		}
  635. 		matcher.appendTail(sb);
  636. 		return sb.toString();
  637. 	}
  638.     
  639. }


并且贴出一个jsoup的白名单配置文件: 

  1. {
  2. "whiteList":{
  3. "a":{"href":"","title":""},
  4. "b":{},
  5. "blockquote":{"cite":""},
  6. "br":{},
  7. "caption":{},
  8. "cite":{},
  9. "code":{},
  10. "col":{"span":"","width":""},
  11. "colgroup":{"span":"","width":""},
  12. "dd":{},
  13. "div":{},
  14. "dl":{},
  15. "dt":{},
  16. "em":{},
  17. "h1":{},
  18. "h2":{},
  19. "h3":{},
  20. "h4":{},
  21. "h5":{},
  22. "h6":{},
  23. "i":{},
  24. "img":{"align":"", "alt":"", "height":"", "src":"", "title":"", "width":""},
  25. "li":{"class":"","style":"/^text-align:\\s*(left|right|center);?\\s*$/i"},
  26. "ol":{"start":"", "type":""},
  27. "p":{"style":"/^text-align:\\s*(left|right|center);?\\s*$/i"},
  28. "pre":{},
  29. "q":{"cite":""},
  30. "small":{},
  31. "span":{"style":"/^\\s*font-family\\s*:\\s*(('|\\\"|"|')?(楷体|楷体_GB2312|宋体|微软雅黑|黑体|,|\\s|\\w|sans-serif)('|\\\"|"|')?)+;?\\s*|\\s*(color|font-size|background-color)\\s*:\\s*(#\\w*|[\\w\\s]*|rgb\\s*\\(\\s*\\d+\\s*,\\s*\\d+\\s*,\\s*\\d+\\s*\\));?\\s*|\\s*text-decoration\\s*:\\s*(underline|overline|line-through|blink)\\s*;?\\s*$/i"},
  32. "strike":{},
  33. "strong":{},
  34. "sub":{},
  35. "sup":{},
  36. "table":{"summary":"", "width":""},
  37. "tbody":{},
  38. "td":{"abbr":"", "axis":"", "colspan":"", "rowspan":"", "width":""},
  39. "tfoot":{},
  40. "th":{"abbr":"", "axis":"", "colspan":"", "rowspan":"", "scope":"","width":""},
  41. "thead":{},
  42. "tr":{},
  43. "u":{},
  44. "ul":{"type":"","class":"","style":"/^list-style-type:\\s*(decimal|disc);\\s*$/i"}
  45. },
  46. "protocols":{
  47. "a.href":["ftp", "http", "https", "mailto"],
  48. "blockquote.cite":["http", "https"],
  49. "cite.cite":["http", "https"],
  50. "img.src":["http", "https"],
  51. "q.cite":["http", "https"]
  52. }
  53. }

即每个标签的任何属性,属性的值我们都可以进行过滤和定制。

这样,用户输入的任何东西都可以得到我们的控制。

声明:本文内容由网友自发贡献,不代表【wpsshop博客】立场,版权归原作者所有,本站不承担相应法律责任。如您发现有侵权的内容,请联系我们。转载请注明出处:https://www.wpsshop.cn/w/凡人多烦事01/article/detail/338602
推荐阅读
相关标签

Copyright © 2003-2013 www.wpsshop.cn 版权所有,并保留所有权利。

  

闽ICP备14008679号