diff --git a/CHANGELOG.md b/CHANGELOG.md
index 82302c129..dafe8d322 100755
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -3,11 +3,12 @@
-------------------------------------------------------------------------------------------------------------
-# 5.8.11.M1 (2022-11-26)
+# 5.8.11.M1 (2022-11-28)
### 🐣新特性
* 【core 】 CharUtil.isBlankChar增加\u180e(pr#2738@Github)
* 【core 】 SyncFinisher线程同步结束器添加立即结束方法(pr#879@Gitee)
+* 【core 】 HtmlUtil中escape方法,增加不断开空格(nbsp)转译,防止xss攻击(pr#2755@Github)
*
### 🐞Bug修复
* 【json 】 修复普通byte数组转JSONArray时的异常(pr#875@Gitee)
diff --git a/hutool-http/src/test/java/cn/hutool/http/HtmlUtilTest.java b/hutool-http/src/test/java/cn/hutool/http/HtmlUtilTest.java
index 9cbaf4055..4685bedf8 100644
--- a/hutool-http/src/test/java/cn/hutool/http/HtmlUtilTest.java
+++ b/hutool-http/src/test/java/cn/hutool/http/HtmlUtilTest.java
@@ -118,36 +118,36 @@ public class HtmlUtilTest {
@Test
public void unwrapTest2() {
// 避免移除i却误删img标签的情况
- String htmlString = "测试文本";
- String tagString = "i,br";
- String cleanTxt = HtmlUtil.removeHtmlTag(htmlString, false, tagString.split(","));
+ final String htmlString = "测试文本";
+ final String tagString = "i,br";
+ final String cleanTxt = HtmlUtil.removeHtmlTag(htmlString, false, tagString.split(","));
Assert.assertEquals("测试文本", cleanTxt);
}
@Test
public void escapeTest() {
- String html = "123'123'";
- String escape = HtmlUtil.escape(html);
+ final String html = "123'123'";
+ final String escape = HtmlUtil.escape(html);
Assert.assertEquals("<html><body>123'123'</body></html>", escape);
- String restoreEscaped = HtmlUtil.unescape(escape);
+ final String restoreEscaped = HtmlUtil.unescape(escape);
Assert.assertEquals(html, restoreEscaped);
Assert.assertEquals("'", HtmlUtil.unescape("'"));
}
@Test
public void escapeTest2() {
- char c = ' '; // 不断开空格(non-breaking space,缩写nbsp。)
+ final char c = ' '; // 不断开空格(non-breaking space,缩写nbsp。)
Assert.assertEquals(c, 160);
- String html = " ";
- String escape = HtmlUtil.escape(html);
+ final String html = " ";
+ final String escape = HtmlUtil.escape(html);
Assert.assertEquals("<html><body> </body></html>", escape);
Assert.assertEquals(" ", HtmlUtil.unescape(" "));
}
@Test
public void filterTest() {
- String html = "";
- String filter = HtmlUtil.filter(html);
+ final String html = "";
+ final String filter = HtmlUtil.filter(html);
Assert.assertEquals("", filter);
}
@@ -177,8 +177,8 @@ public class HtmlUtilTest {
@Test
public void removeAllHtmlAttrTest() {
- String html = "
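Review bot: escapeTest2 is the only test exercising the nbsp handling that the changelog entry in this same commit describes as XSS protection, yet it only checks that a lone U+00A0 round-trips through escape/unescape, which says nothing about injection — the characters an HTML escaper must neutralise are `<`, `>`, `&`, `"` and `'`, and encoding U+00A0 on its own does not stop a script or attribute payload. If `escape` encodes `&` as `&amp;` (as it must for unescape to be a faithful inverse), add a case pinning that an already-encoded entity in untrusted input is not passed through, e.g. `Assert.assertEquals("&amp;nbsp;", HtmlUtil.escape("&nbsp;"));`, plus one with U+00A0 adjacent to a tag or inside a quoted attribute value. Separately, `Assert.assertEquals(c, 160)` has JUnit's (expected, actual) order reversed, so a failure message would read backwards; write `Assert.assertEquals(160, c);`. The expected strings visible here appear to have had their markup stripped by page rendering, so I could not confirm the exact encoded forms the assertions pin.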
"; - String result = HtmlUtil.removeAllHtmlAttr(html, "div"); + final String html = "
"; + final String result = HtmlUtil.removeAllHtmlAttr(html, "div"); Assert.assertEquals("
", result); } }