org.tinygroup.weblayer.webcontext.parser.impl
Class HTMLInputFilter

java.lang.Object
  extended by org.tinygroup.weblayer.webcontext.parser.impl.HTMLInputFilter

public class HTMLInputFilter
extends Object

HTML filtering utility for protecting against XSS (Cross Site Scripting).

This code is licensed under a Creative Commons Attribution-ShareAlike 2.5 License http://creativecommons.org/licenses/by-sa/2.5/

This code is a Java port of the original work in PHP by Cal Henderson. http://code.iamcal.com/php/lib_filter/

The trickiest part of the translation was handling the differences in regex handling between PHP and Java. These resources were helpful in the process:

A note on naming conventions: instance variables are prefixed with a "v"; global constants are in all caps.

 Sample use:
 String input = ...
 String clean = new HTMLInputFilter().filter(input);

If you find bugs or have suggestions on improvement (especially regarding performance), please contact me at the email below. The latest version of this source can be found at

The following changes were made:

Version:
1.0
Author:
Joseph O'Connell , Michael Zhou

Field Summary
protected static boolean ALWAYS_MAKE_TAGS
          flag determining whether to try to make tags when presented with "unbalanced" angle brackets; if false, unbalanced angle brackets are html escaped.
protected static org.slf4j.Logger log
protected static int REGEX_FLAGS_SI
          regex flag union representing /si modifiers in php
protected static boolean STRIP_COMMENTS
          flag determining whether comments are allowed in the input String.
protected  Map vAllowed
          set of allowed html elements, along with the allowed attributes for each element
protected  Set vAllowedEntities
          entities allowed within html markup
protected  Set vAllowedProtocols
          allowed protocols
protected  Set vDeniedTags
          set of denied html elements
protected  Set vNeedClosingTags
          html elements which must always have separate opening and closing tags
protected  Set vProtocolAtts
          attributes which should be checked for valid protocols
protected  Set vRemoveBlanks
          tags which should be removed if they contain no content
protected  Set vSelfClosingTags
          html elements which must always be self-closing
 
Constructor Summary
HTMLInputFilter()
HTMLInputFilter(Map allowed, String[] deniedTags, String[] selfClosingTags, String[] needClosingTags, String[] allowedProtocols, String[] protocolAtts, String[] removeBlanks, String[] allowedEntities)
 
Method Summary
static String chr(int decimal)
 String filter(String input)
          given a user submitted input String, filter out any invalid or restricted html.
 String filter(String input, boolean isHtml)
static String htmlSpecialChars(String s)
 
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
 

Field Detail

ALWAYS_MAKE_TAGS

protected static final boolean ALWAYS_MAKE_TAGS
flag determining whether to try to make tags when presented with "unbalanced" angle brackets (e.g. "" becomes " text "). If set to false, unbalanced angle brackets will be html escaped.

See Also:
Constant Field Values

STRIP_COMMENTS

protected static final boolean STRIP_COMMENTS
flag determining whether comments are allowed in the input String.

See Also:
Constant Field Values

REGEX_FLAGS_SI

protected static final int REGEX_FLAGS_SI
regex flag union representing /si modifiers in php

See Also:
Constant Field Values

vAllowed

protected final Map vAllowed
set of allowed html elements, along with the allowed attributes for each element


vDeniedTags

protected final Set vDeniedTags
set of denied html elements


vSelfClosingTags

protected final Set vSelfClosingTags
html elements which must always be self-closing (e.g. "")


vNeedClosingTags

protected final Set vNeedClosingTags
html elements which must always have separate opening and closing tags (e.g. "")


vProtocolAtts

protected final Set vProtocolAtts
attributes which should be checked for valid protocols


vAllowedProtocols

protected final Set vAllowedProtocols
allowed protocols


vRemoveBlanks

protected final Set vRemoveBlanks
tags which should be removed if they contain no content (e.g. "" or "")


vAllowedEntities

protected final Set vAllowedEntities
entities allowed within html markup


log

protected static final org.slf4j.Logger log
Constructor Detail

HTMLInputFilter

public HTMLInputFilter()

HTMLInputFilter

public HTMLInputFilter(Map allowed,
                       String[] deniedTags,
                       String[] selfClosingTags,
                       String[] needClosingTags,
                       String[] allowedProtocols,
                       String[] protocolAtts,
                       String[] removeBlanks,
                       String[] allowedEntities)
Method Detail

chr

public static String chr(int decimal)

htmlSpecialChars

public static String htmlSpecialChars(String s)

filter

public String filter(String input)
given a user submitted input String, filter out any invalid or restricted html.

Parameters:
input - text (i.e. submitted by a user) that may contain html
Returns:
"clean" version of input, with only valid, whitelisted html elements allowed

filter

public String filter(String input,
                     boolean isHtml)
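Added usage example (not part of the original Javadoc or the tinygroup code base) showing how the eight-argument constructor maps onto the fields documented above: a whitelist of elements and their attributes, denied elements, the attributes whose URL protocol is checked, and the protocols accepted on them. It assumes, as in the original Java port this class derives from, that the `allowed` map's values are `List<String>` of attribute names; the sample input is constructed for illustration.

```java
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

import org.tinygroup.weblayer.webcontext.parser.impl.HTMLInputFilter;

public class CommentSanitizer {

    // Whitelist: element name -> attributes permitted on that element.
    // Anything not listed here is treated as invalid/restricted html by filter().
    private static Map<String, List<String>> allowedElements() {
        Map<String, List<String>> allowed = new HashMap<String, List<String>>();
        allowed.put("a", Arrays.asList("href", "title"));
        allowed.put("img", Arrays.asList("src", "alt"));
        allowed.put("b", Collections.<String>emptyList());
        allowed.put("i", Collections.<String>emptyList());
        allowed.put("p", Collections.<String>emptyList());
        allowed.put("br", Collections.<String>emptyList());
        return allowed;
    }

    // One shared, explicitly configured filter instance (the class exposes no setters,
    // so the policy is fixed at construction time).
    private static final HTMLInputFilter FILTER = new HTMLInputFilter(
            allowedElements(),
            new String[] { "script", "style", "iframe", "object", "embed" }, // deniedTags
            new String[] { "img", "br" },                                   // selfClosingTags
            new String[] { "a", "b", "i", "p" },                            // needClosingTags
            new String[] { "http", "https", "mailto" },                     // allowedProtocols
            new String[] { "href", "src" },                                 // protocolAtts
            new String[] { "a", "b", "i" },                                 // removeBlanks
            new String[] { "amp", "gt", "lt", "quot" });                    // allowedEntities

    // Entry point for untrusted text, e.g. a user-submitted comment body.
    public static String sanitize(String untrustedHtml) {
        return FILTER.filter(untrustedHtml);
    }

    public static void main(String[] args) {
        // Constructed sample: a permitted link, a denied <script> element, and an href
        // using a protocol that is not in allowedProtocols.
        String input = "<p>Hello <b>world</b> <a href=\"https://example.org/\">site</a>"
                + " <script>void(0)</script> <a href=\"javascript:void(0)\">x</a></p>";
        System.out.println(sanitize(input));
        // Per the field descriptions above, the output keeps only whitelisted elements and
        // attributes; the denied element and the non-whitelisted protocol are not passed through.
    }
}
```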


Copyright © 2006–2013 Open Source Organization. All rights reserved.