HtmlUtil中escape方法,增加不断开空格(nbsp)转译,防止xss攻击

Looly 2022-11-28 10:30:10 +08:00
parent c3470ab288
commit c0b6c69497
2 changed files with 15 additions and 14 deletions


@ -3,11 +3,12 @@
-------------------------------------------------------------------------------------------------------------
# 5.8.11.M1 (2022-11-26)
# 5.8.11.M1 (2022-11-28)
### 🐣新特性
* 【core 】 CharUtil.isBlankChar增加\u180epr#2738@Github
* 【core 】 SyncFinisher线程同步结束器添加立即结束方法pr#879@Gitee
* 【core 】 HtmlUtil中escape方法增加不断开空格nbsp转译防止xss攻击pr#2755@Github
*
### 🐞Bug修复
* 【json 】 修复普通byte数组转JSONArray时的异常pr#875@Gitee


@ -118,36 +118,36 @@ public class HtmlUtilTest {
@Test
public void unwrapTest2() {
// 避免移除i却误删img标签的情况
String htmlString = "<html><img src='aaa'><i>测试文本</i></html>";
String tagString = "i,br";
String cleanTxt = HtmlUtil.removeHtmlTag(htmlString, false, tagString.split(","));
final String htmlString = "<html><img src='aaa'><i>测试文本</i></html>";
final String tagString = "i,br";
final String cleanTxt = HtmlUtil.removeHtmlTag(htmlString, false, tagString.split(","));
Assert.assertEquals("<html><img src='aaa'>测试文本</html>", cleanTxt);
}
@Test
public void escapeTest() {
String html = "<html><body>123'123'</body></html>";
String escape = HtmlUtil.escape(html);
final String html = "<html><body>123'123'</body></html>";
final String escape = HtmlUtil.escape(html);
Assert.assertEquals("&lt;html&gt;&lt;body&gt;123&#039;123&#039;&lt;/body&gt;&lt;/html&gt;", escape);
String restoreEscaped = HtmlUtil.unescape(escape);
final String restoreEscaped = HtmlUtil.unescape(escape);
Assert.assertEquals(html, restoreEscaped);
Assert.assertEquals("'", HtmlUtil.unescape("&apos;"));
}
@Test
public void escapeTest2() {
char c = ' '; // 不断开空格non-breaking space缩写nbsp)
final char c = ' '; // 不断开空格non-breaking space缩写nbsp)
Assert.assertEquals(c, 160);
String html = "<html><body> </body></html>";
String escape = HtmlUtil.escape(html);
final String html = "<html><body> </body></html>";
final String escape = HtmlUtil.escape(html);
Assert.assertEquals("&lt;html&gt;&lt;body&gt;&nbsp;&lt;/body&gt;&lt;/html&gt;", escape);
Assert.assertEquals(" ", HtmlUtil.unescape("&nbsp;"));
}
@Test
public void filterTest() {
String html = "<alert></alert>";
String filter = HtmlUtil.filter(html);
final String html = "<alert></alert>";
final String filter = HtmlUtil.filter(html);
Assert.assertEquals("", filter);
}
@ -177,8 +177,8 @@ public class HtmlUtilTest {
@Test
public void removeAllHtmlAttrTest() {
String html = "<div class=\"test_div\" width=\"120\"></div>";
String result = HtmlUtil.removeAllHtmlAttr(html, "div");
final String html = "<div class=\"test_div\" width=\"120\"></div>";
final String result = HtmlUtil.removeAllHtmlAttr(html, "div");
Assert.assertEquals("<div></div>", result);
}
}
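Review bot: In escapeTest2 the non-breaking space appears to be embedded as a raw U+00A0 character inside the char literal and the html string (`final char c = ' ';` and `final String html = "<html><body> </body></html>";`), which reads as an ordinary space in review and can be silently normalised by an editor or formatter; the `assertEquals(c, 160)` guard suggests this risk was known. Writing the code point explicitly, `final char c = '\u00A0';` and `final String html = "<html><body>\u00A0</body></html>";`, removes the dependency on an invisible character and makes the guard unnecessary. The test also escapes but never restores the whole document, whereas escapeTest does the round trip, so adding `Assert.assertEquals(html, HtmlUtil.unescape(escape));` after the escape assertion would keep the two tests parallel and confirm that `&nbsp;` inside a document decodes back to the character. Minor: JUnit's argument order is (expected, actual), so the guard should read `Assert.assertEquals(160, c);`. The HtmlUtilTest class starts outside the hunk.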