Recently I wanted to build an anti-XSS feature using the Jsoup Cleaner. The requirement is: only support URLs which start with `http`, `https` or `data:image` (base64 image).
I found it works well with ordinary URLs, but it removed the `src` attribute which contains a base64 image. I looked into the source code and found that it compares URLs in this way:
`url.startsWith(protocol:xxxxxx)`
The extra `:` makes the `data:image:` setting not match;
but if I set it to `("http", "https", "data")`, other data URLs like `data:text/html,<script>alert('xss')</script>` would be allowed, which is dangerous.
I have to override the `isSafeAttribute(String tagName, Element el, Attribute attr)` method to implement my requirement.
Are there any better ideas?
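One way to implement the `isSafeAttribute` override described in this issue, as an added example that is neither jsoup's own code nor the reporter's. It assumes a jsoup version that ships `org.jsoup.safety.Safelist` (1.14.1 or later; earlier releases call the same class `Whitelist`), and the class name, the tag set, and the regular expression are choices made for this example. The idea is to leave jsoup's own protocol check in charge of `http`/`https`, never register bare `data` as a protocol, and then admit only one narrow shape of `data:` URL, a base64-encoded raster image on `<img src>`:

```java
import org.jsoup.Jsoup;
import org.jsoup.nodes.Attribute;
import org.jsoup.nodes.Element;
import org.jsoup.safety.Safelist;
import java.util.regex.Pattern;

/**
 * Added example, not part of jsoup: a Safelist that admits http/https URLs
 * through jsoup's normal protocol check and, for <img src> only, additionally
 * admits base64 data: URLs whose media type is a raster image.
 * "data" is never registered as a protocol, so data:text/html stays blocked.
 */
public class ImageDataUrlSafelist extends Safelist {

    // The only data: URL shape we deliberately accept (hypothetical policy):
    //   data:image/<raster subtype>;base64,<base64 payload>
    // SVG is excluded on purpose: image/svg+xml can carry script.
    private static final Pattern BASE64_RASTER_IMAGE = Pattern.compile(
        "^data:image/(png|jpe?g|gif|webp);base64,[A-Za-z0-9+/=\\s]+$",
        Pattern.CASE_INSENSITIVE);

    public static Safelist create() {
        ImageDataUrlSafelist list = new ImageDataUrlSafelist();
        list.addTags("a", "img", "p", "b", "i")
            .addAttributes("a", "href")
            .addAttributes("img", "src", "alt")
            // Only http/https here; a bare "data" entry would open the hole
            // described in the issue (data:text/html,<script>...).
            .addProtocols("a", "href", "http", "https")
            .addProtocols("img", "src", "http", "https");
        return list;
    }

    @Override
    protected boolean isSafeAttribute(String tagName, Element el, Attribute attr) {
        // jsoup's own check admits http/https and rejects everything else,
        // including every data: URL, because of the "protocol:" comparison.
        if (super.isSafeAttribute(tagName, el, attr)) {
            return true;
        }
        // Reconsider only the single attribute we chose to relax.
        if (!"img".equals(tagName) || !"src".equals(attr.getKey())) {
            return false;
        }
        // Match the raw attribute value: absUrl() cannot resolve data: URLs.
        return BASE64_RASTER_IMAGE.matcher(attr.getValue().trim()).matches();
    }

    public static void main(String[] args) {
        Safelist safelist = create();
        // Constructed samples for the demonstration.
        String[] samples = {
            "<img src=\"https://example.invalid/a.png\" alt=\"ok\">",
            "<img src=\"data:image/png;base64,iVBORw0KGgo=\" alt=\"inline\">",
            "<img src=\"data:text/html,<script>alert('xss')</script>\">",
            "<img src=\"data:image/svg+xml;base64,PHN2Zz48L3N2Zz4=\">",
            "<a href=\"javascript:alert(1)\">x</a>"
        };
        for (String html : samples) {
            System.out.println(html + "  ->  " + Jsoup.clean(html, safelist));
        }
    }
}
```

Running `main` shows the first two `src` values surviving `Jsoup.clean` while the `data:text/html`, `image/svg+xml` and `javascript:` values are stripped, because none of them pass either jsoup's protocol check or the narrow regular expression. Matching is done on the raw attribute value, since jsoup's `absUrl` only resolves hierarchical URLs; keeping the pattern anchored and restricted to a fixed list of raster subtypes is what prevents the override from turning back into the broad `data` allowance the issue warns about.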