html防止注入转译，增加不断开空格（nbsp）转译

2025-04-19 03:01:48 +08:00 · 2022-11-24 10:53:32 +08:00 · 2022-11-24 10:53:32 +08:00 · 31bcd02732
commit 31bcd02732
parent c72757b813
4 changed files with 17 additions and 5 deletions
--- a/hutool-core/src/main/java/cn/hutool/core/text/StrPool.java
+++ b/hutool-core/src/main/java/cn/hutool/core/text/StrPool.java
@ -176,7 +176,7 @@ public interface StrPool {


 	/**
-	 * 字符串常量：HTML 空格转义 {@code "&nbsp;" -> " "}
+	 * 字符串常量：HTML 不间断空格转义 {@code "&nbsp;" -> " "}
 	 */
 	String HTML_NBSP = XmlUtil.NBSP;

--- a/hutool-core/src/main/java/cn/hutool/core/util/XmlUtil.java
+++ b/hutool-core/src/main/java/cn/hutool/core/util/XmlUtil.java
@ -67,7 +67,7 @@ import java.util.Map;
 public class XmlUtil {

 	/**
-	 * 字符串常量：XML 空格转义 {@code "&nbsp;" -> " "}
+	 * 字符串常量：XML 不间断空格转义 {@code "&nbsp;" -> " "}
 	 */
 	public static final String NBSP = "&nbsp;";

--- a/hutool-http/src/main/java/cn/hutool/http/HtmlUtil.java
+++ b/hutool-http/src/main/java/cn/hutool/http/HtmlUtil.java
@ -26,10 +26,11 @@ public class HtmlUtil {
 	public static final String RE_HTML_MARK = "(<[^<]*?>)|(<[\\s]*?/[^<]*?>)|(<[^<]*?/[\\s]*?>)";
 	public static final String RE_SCRIPT = "<[\\s]*?script[^>]*?>.*?<[\\s]*?\\/[\\s]*?script[\\s]*?>";

-	private static final char[][] TEXT = new char[64][];
+	private static final char[][] TEXT = new char[256][];

 	static {
-		for (int i = 0; i < 64; i++) {
+		// ascii码值最大的是【0x7f=127】，扩展ascii码值最大的是【0xFF=255】，因为ASCII码使用指定的7位或8位二进制数组合来表示128或256种可能的字符，标准ASCII码也叫基础ASCII码。
+		for (int i = 0; i < 256; i++) {
 			TEXT[i] = new char[] { (char) i };
 		}

@ -39,6 +40,7 @@ public class HtmlUtil {
 		TEXT['&'] = AMP.toCharArray(); // &符
 		TEXT['<'] = LT.toCharArray(); // 小于号
 		TEXT['>'] = GT.toCharArray(); // 大于号
+		TEXT[' '] = NBSP.toCharArray(); // 不断开空格（non-breaking space，缩写nbsp。ASCII值是32：是用键盘输入的空格；ASCII值是160：不间断空格，即 &nbsp，所产生的空格，作用是在页面换行时不被打断）
 	}

 	/**
@ -190,7 +192,7 @@ public class HtmlUtil {
 		char c;
 		for (int i = 0; i < len; i++) {
 			c = text.charAt(i);
-			if (c < 64) {
+			if (c < 256) {
 				buffer.append(TEXT[c]);
 			} else {
 				buffer.append(c);
--- a/hutool-http/src/test/java/cn/hutool/http/HtmlUtilTest.java
+++ b/hutool-http/src/test/java/cn/hutool/http/HtmlUtilTest.java
@ -134,6 +134,16 @@ public class HtmlUtilTest {
 		Assert.assertEquals("'", HtmlUtil.unescape("&apos;"));
 	}

+	@Test
+	public void escapeTest2() {
+		char c = ' '; // 不断开空格（non-breaking space，缩写nbsp。)
+		Assert.assertEquals(c, 160);
+		String html = "<html><body> </body></html>";
+		String escape = HtmlUtil.escape(html);
+		Assert.assertEquals("&lt;html&gt;&lt;body&gt;&nbsp;&lt;/body&gt;&lt;/html&gt;", escape);
+		Assert.assertEquals(" ", HtmlUtil.unescape("&nbsp;"));
+	}
+
 	@Test
 	public void filterTest() {
 		String html = "<alert></alert>";