Python Django开发中XSS内容过滤问题的解决
from:http://stackoverflow.com/questions/699468/python-html-sanitizer-scrubber-filter
通过下面这个代码就可以把内容过滤成干净的HTML内容,说明,这个代码来自上面Stackoverflow的回答
Use lxml.html.clean
! It's VERY easy!
from lxml.html.clean import clean_html print clean_html(html)
<html> <head> <script type="text/javascript" src="evil-site"></script> <link rel="alternate" type="text/rss" src="evil-rss"> <style> body {background-image: url(javascript:do_evil)}; div {color: expression(evil)}; </style> </head> <body onload="evil_function()"> <!-- I am interpreted for EVIL! --> <a href="javascript:evil_function()">a link</a> <a href="#" onclick="evil_function()">another link</a> <p onclick="evil_function()">a paragraph</p> <div style="display: none">secret EVIL!</div> <object> of EVIL! </object> <iframe src="evil-site"></iframe> <form action="evil-site"> Password: <input type="password" name="password"> </form> <blink>annoying EVIL!</blink> <a href="evil-site">spam spam SPAM!</a> <image src="evil!"> </body> </html>
结果是:
<html> <body> <div> <style>/* deleted */</style> <a href="">a link</a> <a href="#">another link</a> <p>a paragraph</p> <div>secret EVIL!</div> of EVIL! Password: annoying EVIL! <a href="evil-site">spam spam SPAM!</a> <img src="evil!"> </div> </body> </html>
You can customize the elements you want to clean and whatnot.
关于Web开发中的安全过滤问题,摘引一下OWASP的ESAPI( http://owasp-esapi-java.googlecode.com/svn/trunk_doc/latest/index.html )的过滤方法接口列表,以供大家有所参考:
Java.lang.String canonicalize(java.lang.String input)
This method is equivalent to calling
java.lang.String canonicalize(java.lang.String input, boolean strict)
This method is the equivalent to calling
java.lang.String canonicalize(java.lang.String input, boolean restrictMultiple, boolean restrictMixed)
Canonicalization is simply the operation of reducing a possibly encoded string down to its simplest form.
java.lang.String decodeForHTML(java.lang.String input)
Decodes HTML entities.
byte[] decodeFromBase64(java.lang.String input)
Decode data encoded with BASE-64 encoding.
java.lang.String decodeFromURL(java.lang.String input)
Decode from URL.
java.lang.String encodeForBase64(byte[] input, boolean wrap)
Encode for Base64.
java.lang.String encodeForCSS(java.lang.String input)
Encode data for use in Cascading Style Sheets (CSS) content.
java.lang.String encodeForDN(java.lang.String input)
Encode data for use in an LDAP distinguished name.
java.lang.String encodeForHTML(java.lang.String input)
Encode data for use in HTML using HTML entity encoding
java.lang.String encodeForHTMLAttribute(java.lang.String input)
Encode data for use in HTML attributes.
java.lang.String encodeForJavaScript(java.lang.String input)
Encode data for insertion inside a data value or function argument in JavaScript.
java.lang.String encodeForLDAP(java.lang.String input)
Encode data for use in LDAP queries.
java.lang.String encodeForOS(Codec codec, java.lang.String input)
Encode for an operating system command shell according to the selected codec (appropriate codecs include the WindowsCodec and UnixCodec).
java.lang.String encodeForSQL(Codec codec, java.lang.String input)
Encode input for use in a SQL query, according to the selected codec (appropriate codecs include the MySQLCodec and OracleCodec).
java.lang.String encodeForURL(java.lang.String input)
Encode for use in a URL.
java.lang.String encodeForVBScript(java.lang.String input)
Encode data for insertion inside a data value in a Visual Basic script.
java.lang.String encodeForXML(java.lang.String input)
Encode data for use in an XML element.
java.lang.String encodeForXMLAttribute(java.lang.String input)
Encode data for use in an XML attribute.
java.lang.String encodeForXPath(java.lang.String input)
Encode data for use in an XPath query.
【推荐】编程新体验,更懂你的AI,立即体验豆包MarsCode编程助手
【推荐】凌霞软件回馈社区,博客园 & 1Panel & Halo 联合会员上线
【推荐】抖音旗下AI助手豆包,你的智能百科全书,全免费不限次数
【推荐】博客园社区专享云产品让利特惠,阿里云新客6.5折上折
【推荐】轻量又高性能的 SSH 工具 IShell:AI 加持,快人一步
· 没有源码,如何修改代码逻辑?
· 一个奇形怪状的面试题:Bean中的CHM要不要加volatile?
· [.NET]调用本地 Deepseek 模型
· 一个费力不讨好的项目,让我损失了近一半的绩效!
· .NET Core 托管堆内存泄露/CPU异常的常见思路
· 微软正式发布.NET 10 Preview 1:开启下一代开发框架新篇章
· 没有源码,如何修改代码逻辑?
· NetPad:一个.NET开源、跨平台的C#编辑器
· PowerShell开发游戏 · 打蜜蜂
· 凌晨三点救火实录:Java内存泄漏的七个神坑,你至少踩过三个!