I'm writing a servlet-based application in which I need to provide a messaging system. I'm in a rush, so I choose CKEditor to provide editing capabilities, and I currently insert the generated html directly in the web page displaying all messages (messages are stored in a MySQL databse, fyi). CKEditor already filters HTML based on a white list, but a user can still inject malicious code with a POST request, so this is not enough.
A good library already exists to prevent XSS attacks by filtering HTML tags, but it's written in PHP: HTML Purifier
So, is there a similar mature library that can be used in Java ?
A simple string replacement based on a white list doesn't seem to be enough, since I'd like to filter malformed tags too (which could alter the design of the page on which the message is displayed).
If there isn't, then how should I proceed? An XML parser seems overkill.
Note: There are a lot of questions about this on SO, but all the answers refer to filter ALL HTML tags: I want to keep valid formatting tags.
解决方案
796
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
