Open Fermiz opened 4 years ago
Great insight @Fermiz! You described my current issue better than I could, thanks!
I've found this question on SO which helped, and my code now seems to work using this:

```java
safelist.addAttributes("img", "height", "src", "width");
safelist.addProtocols("img", "src", "http", "https", "data");
```

I hope this helps someone in the future. Best
Recently I wanted to implement an anti-XSS feature using Jsoup Cleaner. The requirement is: only support URLs which start with `http`, `https`, or `data:image` (base64 image). I use the following code like:

I found it works well with ordinary URLs, but it removed the `src` attribute which contains a base64 image. I looked into the source code and found that it compares URLs in this way:

The extra `:` makes the `data:image:` setting not match; but if I set it to `("http", "https", "data")`, other data URLs like `data:text/html, <script>alert('xss')</script>` would be allowed, which is dangerous. I have to override the `isSafeAttribute(String tagName, Element el, Attribute attr)` method to implement my requirement. Is there any better idea?
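As an added example (not code from the issue or from jsoup itself), one way to implement the override the question describes: a `Safelist` subclass that validates `img src` itself instead of registering a blanket `data` protocol, so `data:text/html` never gets through while base64 raster images do. The class name, the two patterns, and the `clean` helper are my own; it assumes jsoup 1.14 or later, where the class is named `Safelist`.

```java
import org.jsoup.Jsoup;
import org.jsoup.nodes.Attribute;
import org.jsoup.nodes.Element;
import org.jsoup.safety.Safelist;

import java.util.regex.Pattern;

// Constructed example, not part of jsoup: allows <img src> only for http(s) URLs
// and base64 data URLs of raster image types. Overriding isSafeAttribute avoids
// the "data" protocol entry, which would also admit data:text/html payloads.
public class ImageSrcSafelist extends Safelist {

    // Anchored and type-restricted: "data:text/html,..." and "data:image/svg+xml"
    // (which can carry script) never match. Payload must be base64 characters only.
    private static final Pattern IMAGE_DATA_URL = Pattern.compile(
            "^data:image/(png|jpe?g|gif|webp);base64,[A-Za-z0-9+/]+={0,2}$",
            Pattern.CASE_INSENSITIVE);

    private static final Pattern HTTP_URL = Pattern.compile(
            "^https?://[^\\s\"'<>]+$", Pattern.CASE_INSENSITIVE);

    public ImageSrcSafelist() {
        addTags("img");
        addAttributes("img", "alt", "height", "src", "width");
        // Deliberately no addProtocols("img", "src", ...): src is checked below.
    }

    @Override
    protected boolean isSafeAttribute(String tagName, Element el, Attribute attr) {
        if ("img".equals(tagName) && "src".equals(attr.getKey())) {
            String value = attr.getValue().trim();
            return HTTP_URL.matcher(value).matches() || IMAGE_DATA_URL.matcher(value).matches();
        }
        // Every other attribute goes through jsoup's normal safelist rules.
        return super.isSafeAttribute(tagName, el, attr);
    }

    public static String clean(String untrustedHtml) {
        return Jsoup.clean(untrustedHtml, new ImageSrcSafelist());
    }

    public static void main(String[] args) {
        // Constructed inputs: an http image and a PNG data URL (both kept),
        // and a data:text/html payload whose src attribute must be dropped.
        String[] samples = {
            "<img src=\"https://example.com/a.png\" width=\"10\">",
            "<img src=\"data:image/png;base64,iVBORw0KGgo=\">",
            "<img src=\"data:text/html,<script>alert('xss')</script>\">"
        };
        for (String html : samples) {
            System.out.println(html + "  ->  " + clean(html));
        }
    }
}
```

Tighten or extend the MIME type list in `IMAGE_DATA_URL` to match what your application actually needs to render; keeping it to raster types is what rules out scriptable SVG.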