Springboot ReqeustBody 输入验证 HTML 元素

仅使用正则表达式不足以阻止 Html 元素，因此，您可以使用一些库作为 OWASP java html 清理程序来删除潜在的危险内容。

1. 添加依赖：

   <!-- https://mvnrepository.com/artifact/com.googlecode.owasp-java-html-sanitizer/owasp-java-html-sanitizer -->
   <dependency>
       <groupId>com.googlecode.owasp-java-html-sanitizer</groupId>
       <artifactId>owasp-java-html-sanitizer</artifactId>
       <version>20220608.1</version>
   </dependency>
   

2. 创建用于验证的批注

   @Documented 
   @Constraint(validatedBy = HtmlSanitizerValidator.class) 
   @Target({ElementType.FIELD, ElementType.PARAMETER}) 
   @Retention(RetentionPolicy.RUNTIME) 
   public @interface SanitizeHtml { 
       String message() default "not allowed!!"; 
       Class<?>[] groups() default {}; 
       Class<? extends Payload>[] payload() default {}; 
   }
   

3. 为注释创建验证程序

   public class HtmlSanitizerValidator implements ConstraintValidator<SanitizeHtml, String> { 
       @Override 
       public boolean isValid(String untrustedHTML, ConstraintValidatorContext context) {
           if (untrustedHTML == null) { return true; }
   
           PolicyFactory policy = Sanitizers.FORMATTING.and(Sanitizers.LINKS);
           String safeHTML = policy.sanitize(untrustedHTML);
   
           return untrustedHTML.equals(safeHTML); //if true, this means there is no HTML content, but false means there have been an attack!! 
       } 
   }
   

4. 为您的字段使用注释：

   public class yourDto { 
       @SanitizeHtml 
       private String name; 
   
       @SanitizeHtml 
       private String value; 
   }
   

希望这对你有所帮助！

铌： 只要确保如果你想在你的safeHTML中允许Html标签，但要确保它显示为纯文本而不执行任何有害的代码，你可以使用它（注意依赖关系）：

String safeHTML = Encode.forHtml(untrustedHTML)

而不是：

PolicyFactory policy = Sanitizers.FORMATTING.and(Sanitizers.LINKS);
String safeHTML = policy.sanitize(untrustedHTML); 

这是 Github 存储库，用于更多： https://github.com/OWASP/java-html-sanitizer