I am currently looking for an HTML sanitizer library, and I found that there are two "OWASP" libraries. The first is https://code.google.com/p/owasp-java-html-sanitizer/ and the second is https://www.owasp.org/index.php/Category:OWASP_AntiSamy_Project .
My question is: what are their relative pros and cons?
Best answer
OWASP Java HTML Sanitizer is a newer project than AntiSamy. The goals of both projects are the same: sanitize HTML to prevent XSS and filter out other unwanted content. Their approaches, however, differ. Each approach has its trade-offs, so you should choose the solution according to your requirements. In short, HTML Sanitizer is simpler to use and faster; on the other hand, it is less flexible. It should be good enough for most users, though. Note that AntiSamy handles not only HTML but also CSS.
Here is a message from the OWASP mailing list requesting the creation of the HTML Sanitizer project, including a list of some of its advantages and its differences from AntiSamy.
I would like to start a new OWASP project that is very similar to AntiSamy.
I would like to call this project the "OWASP Java HTML Sanitizer" and have code available already at:
https://code.google.com/p/owasp-java-html-sanitizer/
This is code from the Caja project that was donated by Google. It is rather high performance and low memory utilization.
- This code provides 4X the speed of AntiSamy sanitization in DOM mode and 2X the speed of AntiSamy in SAX mode
- Very easy to use. It allows for simple programmatic POSITIVE policy configuration (see below). No XML config.
- It does not suffer from the various security flaws that the Niko HTML parser brought with it
- Actively maintained by myself and Mike Samuel from Google's AppSec team
- Already passing 80% of AntiSamy's unit tests plus many more.
- Only 3 dependent jar files
- This is a pure Java 6 project and does not support Java 5 or below (please note AntiSamy supports 1.4+).
We are currently at Alpha right now - but will be production ready soon.
Sample programmatic policy example:
    // A VERY SIMPLE WHITELISTING POLICY
    import com.google.common.collect.ImmutableSet; // Guava

    final ImmutableSet<String> okTags = ImmutableSet.of(
        "a", "b", "br", "div", "i", "img", "input", "li", "ol", "p", "span", "ul");
    final ImmutableSet<String> okAttrs = ImmutableSet.of(
        "div", "checked", "class", "href", "id", "target", "title", "type");
What do you think? Is a little respectful competition a good thing?
- Jim
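The answer contrasts a programmatic positive (allow-list) policy with AntiSamy's XML-driven one. The following is an added example, not code from the question, the answer or either project's documentation; it uses the public API of both libraries as they exist today (`org.owasp.html.HtmlPolicyBuilder` / `PolicyFactory` for the HTML Sanitizer, `org.owasp.validator.html.AntiSamy` / `Policy` for AntiSamy). The sample input is constructed, and the AntiSamy policy file path is a placeholder you must point at one of the policy XML files shipped with AntiSamy.

```java
import org.owasp.html.HtmlPolicyBuilder;
import org.owasp.html.PolicyFactory;
import org.owasp.validator.html.AntiSamy;
import org.owasp.validator.html.CleanResults;
import org.owasp.validator.html.Policy;

public class SanitizerComparison {

    // OWASP Java HTML Sanitizer: the policy is built in code. Only the listed
    // elements and attributes survive; anything not mentioned is removed.
    static final PolicyFactory HTML_SANITIZER_POLICY = new HtmlPolicyBuilder()
            .allowElements("a", "b", "br", "div", "i", "li", "ol", "p", "span", "ul")
            .allowAttributes("href").onElements("a")
            .allowAttributes("class", "id", "title").globally()
            .allowStandardUrlProtocols()   // http, https, mailto; other schemes are rejected
            .requireRelNofollowOnLinks()   // adds rel="nofollow" to every surviving link
            .toFactory();

    static String sanitizeWithHtmlSanitizer(String untrusted) {
        return HTML_SANITIZER_POLICY.sanitize(untrusted);
    }

    // AntiSamy: the policy (including CSS rules) lives in an XML file.
    // policyXmlPath is a placeholder supplied by the caller.
    static String sanitizeWithAntiSamy(String untrusted, String policyXmlPath) throws Exception {
        Policy policy = Policy.getInstance(policyXmlPath);
        CleanResults results = new AntiSamy().scan(untrusted, policy);
        // AntiSamy reports what it removed; worth logging when reviewing a policy
        for (String msg : results.getErrorMessages()) {
            System.err.println("AntiSamy removed: " + msg);
        }
        return results.getCleanHTML();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample input mixing benign markup with an event handler,
        // a javascript: URL and a script element.
        String untrusted = "<p onmouseover=\"alert(1)\">Hello <b>world</b></p>"
                + "<a href=\"javascript:alert(1)\">bad link</a>"
                + "<a href=\"https://example.com/\">ok link</a>"
                + "<script>alert(1)</script>";

        System.out.println(sanitizeWithHtmlSanitizer(untrusted));

        // Run AntiSamy only if a policy file path was given on the command line
        if (args.length > 0) {
            System.out.println(sanitizeWithAntiSamy(untrusted, args[0]));
        }
    }
}
```

The HTML Sanitizer half needs no configuration file at all, which is the "simpler to use" point from the answer; the AntiSamy half needs a policy XML, which is where its extra flexibility (per-attribute regexes, CSS rules) is expressed. Whichever you pick, keep the policy positive: list what is allowed rather than trying to enumerate what is dangerous.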
Regarding Java: OWASP AntiSamy vs owasp-java-html-sanitizer, we found a similar question on Stack Overflow: https://stackoverflow.com/questions/28577738/