HtmlUtil中escape方法，增加不断开空格（nbsp）转译，防止xss攻击

2025-04-05 17:37:59 +08:00 · 2022-11-28 10:30:10 +08:00 · 2022-11-28 10:30:10 +08:00 · c0b6c69497
commit c0b6c69497
parent c3470ab288
2 changed files with 15 additions and 14 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -3,11 +3,12 @@
 -------------------------------------------------------------------------------------------------------------
-# 5.8.11.M1 (2022-11-26)
+# 5.8.11.M1 (2022-11-28)
 ### 🐣新特性
 * 【core  】      CharUtil.isBlankChar增加\u180e（pr#2738@Github）
 * 【core  】      SyncFinisher线程同步结束器添加立即结束方法（pr#879@Gitee）
 * 【core  】      HtmlUtil中escape方法，增加不断开空格（nbsp）转译，防止xss攻击（pr#2755@Github）
 * 
 ### 🐞Bug修复
 * 【json  】      修复普通byte数组转JSONArray时的异常（pr#875@Gitee）
--- a/hutool-http/src/test/java/cn/hutool/http/HtmlUtilTest.java
+++ b/hutool-http/src/test/java/cn/hutool/http/HtmlUtilTest.java
@ -118,36 +118,36 @@ public class HtmlUtilTest {
 	@Test
 	public void unwrapTest2() {
 		// 避免移除i却误删img标签的情况
-		String htmlString = "<html><img src='aaa'><i>测试文本</i></html>";
+		final String htmlString = "<html><img src='aaa'><i>测试文本</i></html>";
-		String tagString = "i,br";
+		final String tagString = "i,br";
-		String cleanTxt = HtmlUtil.removeHtmlTag(htmlString, false, tagString.split(","));
+		final String cleanTxt = HtmlUtil.removeHtmlTag(htmlString, false, tagString.split(","));
 		Assert.assertEquals("<html><img src='aaa'>测试文本</html>", cleanTxt);
 	}
 	@Test
 	public void escapeTest() {
-		String html = "<html><body>123'123'</body></html>";
+		final String html = "<html><body>123'123'</body></html>";
-		String escape = HtmlUtil.escape(html);
+		final String escape = HtmlUtil.escape(html);
 		Assert.assertEquals("&lt;html&gt;&lt;body&gt;123&#039;123&#039;&lt;/body&gt;&lt;/html&gt;", escape);
-		String restoreEscaped = HtmlUtil.unescape(escape);
+		final String restoreEscaped = HtmlUtil.unescape(escape);
 		Assert.assertEquals(html, restoreEscaped);
 		Assert.assertEquals("'", HtmlUtil.unescape("&apos;"));
 	}
 	@Test
 	public void escapeTest2() {
-		char c = ' '; // 不断开空格（non-breaking space，缩写nbsp。)
+		final char c = ' '; // 不断开空格（non-breaking space，缩写nbsp。)
 		Assert.assertEquals(c, 160);
-		String html = "<html><body> </body></html>";
+		final String html = "<html><body> </body></html>";
-		String escape = HtmlUtil.escape(html);
+		final String escape = HtmlUtil.escape(html);
 		Assert.assertEquals("&lt;html&gt;&lt;body&gt;&nbsp;&lt;/body&gt;&lt;/html&gt;", escape);
 		Assert.assertEquals(" ", HtmlUtil.unescape("&nbsp;"));
 	}
 	@Test
 	public void filterTest() {
-		String html = "<alert></alert>";
+		final String html = "<alert></alert>";
-		String filter = HtmlUtil.filter(html);
+		final String filter = HtmlUtil.filter(html);
 		Assert.assertEquals("", filter);
 	}
@ -177,8 +177,8 @@ public class HtmlUtilTest {
 	@Test
 	public void removeAllHtmlAttrTest() {
-		String html = "<div class=\"test_div\" width=\"120\"></div>";
+		final String html = "<div class=\"test_div\" width=\"120\"></div>";
-		String result = HtmlUtil.removeAllHtmlAttr(html, "div");
+		final String result = HtmlUtil.removeAllHtmlAttr(html, "div");
 		Assert.assertEquals("<div></div>", result);
 	}
 }