html 净化器拒绝单引号
这与 HTMLPurifier - 添加到忽略列表相关。我已将几个标签添加到白名单中。我现在有这段代码 -
$config->set('HTML', 'AllowedElements', array("customreport", "column", "columnseq"));
$def = $config->getHTMLDefinition(true);
$def->addElement("customreport", 'Block', 'Flow', 'Common', array());
$def->addElement("column", 'Block', 'Inline', 'Common', array());
$def->addElement("columnseq", 'Inline', 'Empty', 'Common', array('path'=>'CDATA', 'label'=>'CDATA'));
问题是,如果我发送一个属性值在单引号中的 html 标签,htmlpurifier 将其更改为双引号。例如
即使在演示网站上也会发生这种情况 (http://htmlpurifier.org/demo.php),带有测试字符串
<A HREF='http://www.google.com/'>XSS</A>
可以覆盖此行为吗?
This is related to HTMLPurifier - adding to ignore list. I have added a couple tags to the whitelist. I have this code now -
$config->set('HTML', 'AllowedElements', array("customreport", "column", "columnseq"));
$def = $config->getHTMLDefinition(true);
$def->addElement("customreport", 'Block', 'Flow', 'Common', array());
$def->addElement("column", 'Block', 'Inline', 'Common', array());
$def->addElement("columnseq", 'Inline', 'Empty', 'Common', array('path'=>'CDATA', 'label'=>'CDATA'));
The problem is, if I send a html tag which has the attribute value in single-quotes, htmlpurifier changes it to double-quotes. For e.g.
<columnseq path='test' label='tlabel' />
It happens even on the demo site (http://htmlpurifier.org/demo.php), with test string
<A HREF='http://www.google.com/'>XSS</A>
Can this behavior be over-ridden?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
将属性引用规范化为双引号是一个有意的设计决策,因为当我们构建 HTML 的内存表示形式时,我们只有一个属性名称到值的关联数组,而没有有关原始内容的信息。引用风格是。如果您使用 DOM 样式解析器,也无法获取该信息。
The canonicalization of attribute quoting to double-quotes was an intentional design decision stemming from the fact that when we construct our in-memory representation of the HTML, we only have an associative array of attribute names to values, and no information about what the original quoting style was. If you use the DOM style parser, there is no way to get that information either.