问题
I have some input containing HTML like <br> <b> <i> etc. I need a way to escape only the "bad" HTML that exposes my site to XSS etc.
After hours of Googeling I found the GWT which looks kinda promising.
What is the recommended way to escape bad HTML?
Edit:
Let me clear things up.
I am using a javascript text editor which outputs html. Wouldn't it be much easier if i use something like bbcode?
回答1:
Google caja is a tool for making third party HTML, CSS and JavaScript safe to embed in your website.
回答2:
OWASP AntiSamy is a project for just that. If you need users to be able to submit structured text, look at markdown (imho a lot better than BBCode).
回答3:
Playframework 2 already offers a solution.
the @Html() function filters bad html, which is really nice.
I really love play2
回答4:
You might want to just escape all html. If you want to have users be able to use basic html tags like <b> or <i> then you could just replace them with [b] and [i] (if your forum/whatever you're creating can use bbcode), then just replace all "<" and ">" with "<" and ">".
来源:https://stackoverflow.com/questions/12188763/safe-html-in-java