Sanitize user submitted HTML but keep safe embedded iframes

别说谁变了你拦得住时间么 submitted on 2020-01-07 05:53:11

Question


I need to sanitize user inputs of malicious HTML submitted by CKEditor. I currently use owasp-java-html-sanitizer for this purpose, but it removes embedded iframes as well. But I have genuine use cases like embedding a YouTube video or SlideShare presentation within posts.

How could I allow such embedded iframes safely? I use Java.


Answer 1:


You will need to allow the iframe element and source attribute in your HTML policy. You can do it like the following example, modified from the Javadoc:

 import org.owasp.html.HtmlPolicyBuilder;
 import org.owasp.html.PolicyFactory;

 // Define the policy. The iframe attribute is named "src" (not "source"), and the
 // URL protocol must be allowed as well: src is a URL attribute, so without an
 // allowed protocol the sanitizer strips absolute https URLs from it.
 PolicyFactory policy = new HtmlPolicyBuilder()
     .allowElements("a", "p", "iframe")
     .allowAttributes("href").onElements("a")
     .allowAttributes("src").onElements("iframe")
     .allowUrlProtocols("https")
     .toFactory();

 // Sanitize your output.
 String safeHtml = policy.sanitize(myHtml);

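An added example (not the answer's code and not part of the owasp-java-html-sanitizer project) that goes one step further than allowing `src` on iframes at all: it allow-lists the two embed hosts the question names, so an iframe survives only when its `src` points at one of them, and an iframe whose `src` was rejected is dropped rather than left behind as an empty element. The class name `EmbedSanitizer`, the host pattern and the sample inputs are constructed for this illustration; `HtmlPolicyBuilder`, `ElementPolicy`, `PolicyFactory` and `Sanitizers` are the library's own types.

```java
import java.util.List;
import java.util.regex.Pattern;

import org.owasp.html.ElementPolicy;
import org.owasp.html.HtmlPolicyBuilder;
import org.owasp.html.PolicyFactory;
import org.owasp.html.Sanitizers;

/** Hypothetical helper for CKEditor content; not part of owasp-java-html-sanitizer. */
public final class EmbedSanitizer {

    // Constructed allow-list: only the player/embed endpoints of the two hosts
    // from the question. matching(Pattern) requires a full match, so a value such
    // as "https://attacker.example/?u=https://www.youtube.com/embed/x" is rejected.
    private static final Pattern EMBED_SRC = Pattern.compile(
        "https://(www\\.youtube\\.com/embed/|www\\.slideshare\\.net/slideshow/embed_code/)"
        + "[A-Za-z0-9_\\-]+(\\?[A-Za-z0-9_\\-=&]*)?");

    private static final Pattern SMALL_INT = Pattern.compile("[0-9]{1,4}");

    // Element policy: keep an <iframe> only if a src attribute survived filtering.
    // The sanitizer applies attribute policies before the element policy, so an
    // iframe whose src failed EMBED_SRC arrives here without src and is dropped.
    private static final ElementPolicy IFRAME_NEEDS_SRC = new ElementPolicy() {
        @Override
        public String apply(String elementName, List<String> attrs) {
            // attrs alternates name, value, name, value, ...
            for (int i = 0; i + 1 < attrs.size(); i += 2) {
                if ("src".equals(attrs.get(i))) {
                    return elementName;
                }
            }
            return null; // null tells the sanitizer to drop the element
        }
    };

    private static final PolicyFactory EMBEDS = new HtmlPolicyBuilder()
        .allowElements(IFRAME_NEEDS_SRC, "iframe")
        .allowAttributes("src").matching(EMBED_SRC).onElements("iframe")
        .allowAttributes("width", "height").matching(SMALL_INT).onElements("iframe")
        .allowAttributes("allowfullscreen").onElements("iframe")
        // src is a URL attribute: the protocol filter applies on top of the regex.
        .allowUrlProtocols("https")
        .toFactory();

    // The rest of what CKEditor emits goes through the library's stock policies.
    public static final PolicyFactory POLICY =
        Sanitizers.FORMATTING.and(Sanitizers.BLOCKS).and(Sanitizers.LINKS).and(EMBEDS);

    public static String sanitize(String untrustedHtml) {
        return POLICY.sanitize(untrustedHtml);
    }

    public static void main(String[] args) {
        // Constructed samples, not captured from a real submission.
        String[] samples = {
            "<p>Talk:</p><iframe width=\"560\" height=\"315\" "
                + "src=\"https://www.youtube.com/embed/abc123XYZ_-\" allowfullscreen></iframe>",
            "<iframe src=\"https://www.slideshare.net/slideshow/embed_code/12345\"></iframe>",
            "<iframe src=\"https://attacker.example/login\"></iframe>",
            "<iframe src=\"javascript:alert(1)\"></iframe>",
            "<iframe src=\"https://www.youtube.com/embed/abc\" onload=\"alert(1)\"></iframe>",
            "<p>hi</p><script>alert(1)</script>",
        };
        for (String s : samples) {
            String out = sanitize(s);
            System.out.println(out.contains("<iframe") ? "KEPT    " : "DROPPED ");
            System.out.println("  in:  " + s);
            System.out.println("  out: " + out);
        }
    }
}
```

Two design points. First, `allowAttributes("src")` on its own lets an author frame any page at all, which is a larger grant than "embed YouTube and SlideShare"; the host pattern is the control that actually matches the use case, and the element policy makes sure a rejected `src` removes the iframe instead of leaving `<iframe></iframe>` in the output. Second, the library's URL-protocol filter still runs on `src` even when a `matching` pattern is present, which is why `allowUrlProtocols("https")` is needed; check the exact behaviour against the library version in use, since the first sample is expected to keep its iframe while the other iframe samples lose theirs.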

Source: https://stackoverflow.com/questions/25341980/sanitize-user-submitted-html-but-keep-safe-embedded-iframes
