我想从我的 HTML 中过滤所有输入标签的内容。我正在使用 AntiSamy 过滤器,到目前为止,我的过滤器正在过滤掉完整的 html 内容(而不仅仅是输入值)。
我正在使用此处提供的实现:
在 doFilter 方法中,我使用这段代码来扫描内容
HttpServletResponseInvocationHandler invocationHandler = httpResponseInvocationHandlerFactory.build((HttpServletResponse) response);
CleanResults cleanResults = antiSamy.scan(invocationHandler.getContents(), policy);
而我想要的是:
CleanResults cleanResults = antiSamy.scan(request.getParameter("input"), policy);
这样只过滤输入字段的内容。
这是整个 doFilter 方法:
public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
if (response instanceof HttpServletResponse) {
HttpServletResponseInvocationHandler invocationHandler = httpResponseInvocationHandlerFactory.build((HttpServletResponse) response);
HttpServletResponse proxiedResponse = httpResponseProxyFactory.build(invocationHandler);
chain.doFilter(request, proxiedResponse);
if ("text/html;charset=UTF-8".equals(proxiedResponse.getContentType())) {
try {
Policy policy = policyFileLoader.load(policyFile);
antiSamy.setInputEncoding(inputEncoding);
antiSamy.setOutputEncoding(outputEncoding);
CleanResults cleanResults = antiSamy.scan(invocationHandler.getContents(), policy);
log.info("Number of Errors: " + cleanResults.getNumberOfErrors());
if (log.isDebugEnabled()) {
log.debug("Errors found: ");
List errors = cleanResults.getErrorMessages();
for (int i = 0; i < errors.size(); i++) {
log.debug("\t" + (i + 1) + ". " + errors.get(i));
}
}
log.info("Scan time (in seconds): " + cleanResults.getScanTime());
response.getOutputStream().write(cleanResults.getCleanHTML().getBytes());
} catch (ScanException e) {
log.error(GENERIC_ERROR, e);
} catch (PolicyException e) {
log.error(GENERIC_ERROR, e);
}
} else {
response.getOutputStream().write(invocationHandler.getBytes());
}
} else {
chain.doFilter(request, response);
}
}
我已经在 AntiSamy 默认提供的所有策略文件上进行了尝试。
如果能在这方面得到一些帮助,那就太好了。