
Java: Owasp AntiSamy vs. Owasp-java-html-sanitize

Reposted. Author: 塔克拉玛干. Updated: 2023-11-03 02:51:22

I am currently looking for an HTML sanitizer library, and I found that there are two "owasp" libraries. The first is https://code.google.com/p/owasp-java-html-sanitizer/ and the second is https://www.owasp.org/index.php/Category:OWASP_AntiSamy_Project .

My question is: when compared with each other, what are their advantages and disadvantages?

Best answer

OWASP Java HTML Sanitizer is a newer project than AntiSamy. The goal of both projects is the same: sanitize HTML to prevent XSS and filter out other unwanted content. Their approaches differ, however. Each approach has its trade-offs, so you should choose the solution according to your requirements. In short, the HTML Sanitizer is simpler to use and faster; on the other hand, it is less flexible. It should still be good enough for most users. Note that AntiSamy can handle not only HTML but also CSS.

Here is a message from the OWASP mailing list requesting the creation of the HTML Sanitizer project, including a list of some of its advantages and of its differences from AntiSamy.

I would like to start a new OWASP project that is very similar to AntiSamy.

I would like to call this project the "OWASP Java HTML Sanitizer" and have code available already at:

https://code.google.com/p/owasp-java-html-sanitizer/

This is code from the Caja project that was donated by Google. It is rather high performance and low memory utilization.

  1. This code provides 4X the speed of AntiSamy sanitization in DOM mode and 2X the speed of AntiSamy in SAX mode
  2. Very easy to use. It allows for simple programmatic POSITIVE policy configuration (see below). No XML config.
  3. It does not suffer from the various security flaws that the Niko HTML parser brought with it
  4. Actively maintained by myself and Mike Samuel from Google's AppSec team
  5. Already passing 80% of AntiSamy's unit tests plus many more.
  6. Only 3 dependent jar files
  7. This is a pure Java 6 project and does not support Java 5 or below ( Please note AntiSamy supports 1.4+ ).

We are currently at Alpha right now - but will be production ready soon.

Sample programmatic policy example:

    import com.google.common.collect.ImmutableSet; // Guava

    // A VERY SIMPLE WHITELISTING POLICY: only these element names are allowed
    final ImmutableSet<String> okTags = ImmutableSet.of(
        "a", "b", "br", "div", "i", "img", "input", "li",
        "ol", "p", "span", "ul");

    // ...and only these attribute names (anything else is dropped)
    final ImmutableSet<String> okAttrs = ImmutableSet.of(
        "div", "checked", "class", "href", "id", "target", "title", "type");

What do you think? Is a little respectful competition a good thing?

  • Jim
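The whitelist from the mailing-list message, expressed with the OWASP Java HTML Sanitizer's programmatic builder API, as an added example (not code from the original post or from the message). It assumes the org.owasp.html package (Maven artifact com.googlecode.owasp-java-html-sanitizer:owasp-java-html-sanitizer), treats the "div" entry in the message's attribute list as the element it is (so it is left out of the attribute whitelist), and adds the library's URL-protocol check, which the message's snippet does not show:

```java
// Added example: the mailing list's positive (whitelist) policy built with
// HtmlPolicyBuilder. Nothing outside the whitelist survives sanitization.
import org.owasp.html.HtmlPolicyBuilder;
import org.owasp.html.PolicyFactory;

public class WhitelistPolicyDemo {

    // Element and attribute names taken from the message's okTags / okAttrs.
    // Attributes are bound to the elements they make sense on; "div" from the
    // message's attribute list is an element, so it appears only in allowElements.
    static final PolicyFactory POLICY = new HtmlPolicyBuilder()
        .allowElements("a", "b", "br", "div", "i", "img", "input", "li",
                       "ol", "p", "span", "ul")
        .allowAttributes("class", "id", "title").globally()
        .allowAttributes("href", "target").onElements("a")
        .allowAttributes("checked", "type").onElements("input")
        // href is a URL attribute: only http, https and mailto pass, so a
        // javascript: or data: URL is dropped together with the attribute.
        .allowStandardUrlProtocols()
        // Links from untrusted users should not pass link equity.
        .requireRelNofollowOnLinks()
        .toFactory();

    // Returns HTML that conforms to POLICY; the policy is immutable and
    // thread-safe, so one instance can be shared by the whole application.
    public static String sanitize(String untrustedHtml) {
        return POLICY.sanitize(untrustedHtml);
    }

    public static void main(String[] args) {
        // Constructed sample of user-supplied markup: allowed content mixed
        // with typical XSS vectors (event handlers, <script>, javascript: URL).
        String untrusted =
            "<p class=\"note\" onmouseover=\"alert(1)\">Hello <b>world</b></p>"
          + "<script>alert(document.cookie)</script>"
          + "<a href=\"javascript:alert(1)\">bad link</a>"
          + "<a href=\"https://owasp.org\" target=\"_blank\">good link</a>"
          + "<img src=\"x\" onerror=\"alert(1)\">";
        // onmouseover, onerror and <script> are not whitelisted and are removed;
        // the javascript: href fails the protocol check and is removed too,
        // while the https: link keeps its href and target.
        System.out.println(sanitize(untrusted));
    }
}
```

Compare this with AntiSamy, where the same whitelist would be written as an XML policy file and applied through AntiSamy.scan(); the builder above is the "no XML config" point from the message.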

Regarding "Java: Owasp AntiSamy vs. Owasp-java-html-sanitize", we found a similar question on Stack Overflow: https://stackoverflow.com/questions/28577738/
