Java: Owasp AntiSamy vs Owasp-java-html-sanitize
I am looking for an HTML sanitizer library. I found that there are two "owasp" libraries. The first is https://code.google.com/p/owasp-java-html-sanitizer/ and the second is https://www.owasp.org/index.php/Category:OWASP_AntiSamy_Project.
My question is: compare their advantages and disadvantages.
OWASP Java HTML Sanitizer is a newer project than AntiSamy. The goal of both projects is the same: cleaning HTML to prevent XSS and filtering out other unwanted content. Their approaches differ, however. Each approach has its trade-offs, so you should choose the solution according to your requirements. In short, HTML Sanitizer is simpler to use and faster; on the other hand, it is less flexible. For most users it should be good enough. Note that AntiSamy can handle not only HTML but also CSS.
Here is a message from the OWASP mailing list requesting the creation of the HTML Sanitizer project, including a list of some of its advantages and its differences from AntiSamy.
I would like to start a new OWASP project that is very similar to AntiSamy.
I would like to call this project the "OWASP Java HTML Sanitizer" and have code available already at:
https://code.google.com/p/owasp-java-html-sanitizer/
This is code from the Caja project that was donated by Google. It is rather high performance and low memory utilization.
- This code provides 4X the speed of AntiSamy sanitization in DOM mode and 2X the speed of AntiSamy in SAX mode
- Very easy to use. It allows for simple programmatic POSITIVE policy configuration (see below). No XML config.
- It does not suffer from the various security flaws that the Niko HTML parser brought with it
- Actively maintained by myself and Mike Samuel from Google's AppSec team
- Already passing 80% of AntiSamy's unit tests plus many more.
- Only 3 dependent jar files
- This is a pure Java 6 project and does not support Java 5 or below (please note AntiSamy supports 1.4+).
We are currently at Alpha right now, but will be production ready soon.
Sample programmatic policy example:
// A VERY SIMPLE WHITELISTING POLICY
// ImmutableSet comes from Google Guava, which the sanitizer depends on.
import com.google.common.collect.ImmutableSet;

// Elements that are allowed to survive sanitization; everything else is dropped.
final ImmutableSet<String> okTags = ImmutableSet.of(
    "a", "b", "br", "div", "i", "img", "input", "li",
    "ol", "p", "span", "ul");
// Attributes that are allowed to survive sanitization.
final ImmutableSet<String> okAttrs = ImmutableSet.of(
    "div", "checked", "class", "href", "id", "target", "title", "type");
What do you think? Is a little respectful competition a good thing?
- Jim
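The answer above contrasts the two approaches (a policy built in code versus an XML policy file) without showing either in use. The following is an added example, written for this page and not taken from the original post or from either project's own documentation. It expresses roughly the allow-list from Jim's email with the OWASP Java HTML Sanitizer's `HtmlPolicyBuilder`, then runs the same input through AntiSamy. Assumptions: the Maven artifacts `com.googlecode.owasp-java-html-sanitizer:owasp-java-html-sanitizer` and `org.owasp.antisamy:antisamy` are on the classpath; `antisamy-slashdot.xml` (one of the sample policies shipped in the AntiSamy distribution) is available as a classpath resource; the `DIRTY` input is constructed for the example.

```java
import org.owasp.html.HtmlPolicyBuilder;
import org.owasp.html.PolicyFactory;
import org.owasp.validator.html.AntiSamy;
import org.owasp.validator.html.CleanResults;
import org.owasp.validator.html.Policy;

public class SanitizerComparison {

    // Constructed sample input: an event handler, a javascript: URL, inline CSS,
    // an onerror handler on an image, and a script element.
    static final String DIRTY =
        "<p style=\"color:red\">hi <a href=\"javascript:alert(1)\" onclick=\"steal()\">click</a>"
        + "<img src=\"x\" onerror=\"alert(2)\"><script>alert(3)</script></p>";

    // OWASP Java HTML Sanitizer: the policy is built in code and is positive
    // (allow-list) only. Elements and attributes not listed here are dropped.
    // URL-valued attributes are further restricted to the listed protocols,
    // so the javascript: href cannot survive.
    static final PolicyFactory HTML_SANITIZER_POLICY = new HtmlPolicyBuilder()
        .allowElements("a", "b", "br", "div", "i", "img", "li", "ol", "p", "span", "ul")
        .allowAttributes("href").onElements("a")
        .allowAttributes("src", "alt").onElements("img")
        .allowAttributes("class", "id", "title").globally()
        .allowUrlProtocols("http", "https", "mailto")
        .requireRelNofollowOnLinks()
        .toFactory();

    static String withHtmlSanitizer(String untrusted) {
        return HTML_SANITIZER_POLICY.sanitize(untrusted);
    }

    // AntiSamy: the policy lives in an XML file with tag rules, attribute rules
    // and CSS rules. The file name is an assumption (a sample policy shipped
    // with AntiSamy); substitute the policy that matches your application.
    static String withAntiSamy(String untrusted) throws Exception {
        Policy policy = Policy.getInstance(
            SanitizerComparison.class.getResourceAsStream("/antisamy-slashdot.xml"));
        // AntiSamy.DOM and AntiSamy.SAX select the parsing mode the email's
        // speed comparison refers to.
        CleanResults result = new AntiSamy().scan(untrusted, policy, AntiSamy.DOM);
        // AntiSamy reports what it removed, which is useful for logging or
        // alerting on users who keep submitting active content.
        for (String msg : result.getErrorMessages()) {
            System.err.println("AntiSamy removed: " + msg);
        }
        return result.getCleanHTML();
    }

    public static void main(String[] args) throws Exception {
        System.out.println("input:          " + DIRTY);
        System.out.println("html-sanitizer: " + withHtmlSanitizer(DIRTY));
        System.out.println("antisamy:       " + withAntiSamy(DIRTY));
    }
}
```

Two practical points follow from the contrast. With the HTML Sanitizer policy above, the `style` attribute is not in the allow-list, so inline CSS is removed outright; AntiSamy's policy file instead carries CSS rules and can keep validated styling, which is the "also handles CSS" difference the answer mentions. The HTML Sanitizer policy is a plain Java object, so it can be unit-tested and reviewed like any other code, whereas an AntiSamy policy change is an XML edit that should be reviewed with the same care as code.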