From c0b6c69497a77d4b1dc7de90c54127f54a8e971e Mon Sep 17 00:00:00 2001
From: Looly
Date: Mon, 28 Nov 2022 10:30:10 +0800
Subject: [PATCH] =?UTF-8?q?HtmlUtil=E4=B8=ADescape=E6=96=B9=E6=B3=95?= =?UTF-8?q?=EF=BC=8C=E5=A2=9E=E5=8A=A0=E4=B8=8D=E6=96=AD=E5=BC=80=E7=A9=BA?= =?UTF-8?q?=E6=A0=BC=EF=BC=88nbsp=EF=BC=89=E8=BD=AC=E8=AF=91=EF=BC=8C?= =?UTF-8?q?=E9=98=B2=E6=AD=A2xss=E6=94=BB=E5=87=BB?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 CHANGELOG.md | 3 ++-
 .../java/cn/hutool/http/HtmlUtilTest.java | 26 +++++++++----------
 2 files changed, 15 insertions(+), 14 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 82302c129..dafe8d322 100755
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -3,11 +3,12 @@
 -------------------------------------------------------------------------------------------------------------
-# 5.8.11.M1 (2022-11-26)
+# 5.8.11.M1 (2022-11-28)
 ### 🐣新特性
 * 【core 】 CharUtil.isBlankChar增加\u180e(pr#2738@Github)
 * 【core 】 SyncFinisher线程同步结束器添加立即结束方法(pr#879@Gitee)
+* 【core 】 HtmlUtil中escape方法,增加不断开空格(nbsp)转译,防止xss攻击(pr#2755@Github)
 *
 ### 🐞Bug修复
 * 【json 】 修复普通byte数组转JSONArray时的异常(pr#875@Gitee)
diff --git a/hutool-http/src/test/java/cn/hutool/http/HtmlUtilTest.java b/hutool-http/src/test/java/cn/hutool/http/HtmlUtilTest.java
index 9cbaf4055..4685bedf8 100644
--- a/hutool-http/src/test/java/cn/hutool/http/HtmlUtilTest.java
+++ b/hutool-http/src/test/java/cn/hutool/http/HtmlUtilTest.java
@@ -118,36 +118,36 @@ public class HtmlUtilTest {
 @Test
 public void unwrapTest2() {
 // 避免移除i却误删img标签的情况
- String htmlString = "测试文本";
- String tagString = "i,br";
- String cleanTxt = HtmlUtil.removeHtmlTag(htmlString, false, tagString.split(","));
+ final String htmlString = "测试文本";
+ final String tagString = "i,br";
+ final String cleanTxt = HtmlUtil.removeHtmlTag(htmlString, false, tagString.split(","));
 Assert.assertEquals("测试文本", cleanTxt);
 }
 @Test
 public void escapeTest() {
- String html = "123'123'";
- String escape = HtmlUtil.escape(html);
+ final String html = "123'123'";
+ final String escape = HtmlUtil.escape(html);
 Assert.assertEquals("<html><body>123'123'</body></html>", escape);
- String restoreEscaped = HtmlUtil.unescape(escape);
+ final String restoreEscaped = HtmlUtil.unescape(escape);
 Assert.assertEquals(html, restoreEscaped);
 Assert.assertEquals("'", HtmlUtil.unescape("'"));
 }
 @Test
 public void escapeTest2() {
- char c = ' '; // 不断开空格(non-breaking space,缩写nbsp。)
+ final char c = ' '; // 不断开空格(non-breaking space,缩写nbsp。)
 Assert.assertEquals(c, 160);
- String html = " ";
- String escape = HtmlUtil.escape(html);
+ final String html = " ";
+ final String escape = HtmlUtil.escape(html);
 Assert.assertEquals("<html><body> </body></html>", escape);
 Assert.assertEquals(" ", HtmlUtil.unescape(" "));
 }
 @Test
 public void filterTest() {
- String html = "";
- String filter = HtmlUtil.filter(html);
+ final String html = "";
+ final String filter = HtmlUtil.filter(html);
 Assert.assertEquals("", filter);
 }
@@ -177,8 +177,8 @@ public class HtmlUtilTest {
 @Test
 public void removeAllHtmlAttrTest() {
- String html = "
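Review bot: `Assert.assertEquals(c, 160);` in escapeTest2 passes the actual value first and the expected value second, the reverse of JUnit's (expected, actual) convention, so a failure would report the two values swapped; prefer `Assert.assertEquals(160, c);`. Apart from that line the hunk only marks locals `final`, while the subject and the changelog entry describe adding non-breaking-space entity escaping in HtmlUtil.escape to prevent XSS — that production change is not part of this patch, so the entity form escapeTest2 expects cannot be reviewed against the implementation here. If the escaping change lands separately (the changelog cites pr#2755), a one-line comment above escapeTest2 such as `// U+00A0 (nbsp) must be emitted as an entity by escape() and round-trip through unescape()` would tie the test to the behaviour it is meant to guard.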
";
- String result = HtmlUtil.removeAllHtmlAttr(html, "div");
+ final String html = "
";
+ final String result = HtmlUtil.removeAllHtmlAttr(html, "div");
 Assert.assertEquals("
", result);
 }
 }