提交 | 用户 | 时间
|
e57a89
|
1 |
package com.jcdm.common.utils.html; |
懒 |
2 |
|
|
3 |
import com.jcdm.common.utils.StringUtils; |
|
4 |
|
|
5 |
/** |
|
6 |
* 转义和反转义工具类 |
|
7 |
* |
|
8 |
* @author jc |
|
9 |
*/ |
|
10 |
public class EscapeUtil |
|
11 |
{ |
|
12 |
public static final String RE_HTML_MARK = "(<[^<]*?>)|(<[\\s]*?/[^<]*?>)|(<[^<]*?/[\\s]*?>)"; |
|
13 |
|
|
14 |
private static final char[][] TEXT = new char[64][]; |
|
15 |
|
|
16 |
static |
|
17 |
{ |
|
18 |
for (int i = 0; i < 64; i++) |
|
19 |
{ |
|
20 |
TEXT[i] = new char[] { (char) i }; |
|
21 |
} |
|
22 |
|
|
23 |
// special HTML characters |
|
24 |
TEXT['\''] = "'".toCharArray(); // 单引号 |
|
25 |
TEXT['"'] = """.toCharArray(); // 双引号 |
|
26 |
TEXT['&'] = "&".toCharArray(); // &符 |
|
27 |
TEXT['<'] = "<".toCharArray(); // 小于号 |
|
28 |
TEXT['>'] = ">".toCharArray(); // 大于号 |
|
29 |
} |
|
30 |
|
|
31 |
/** |
|
32 |
* 转义文本中的HTML字符为安全的字符 |
|
33 |
* |
|
34 |
* @param text 被转义的文本 |
|
35 |
* @return 转义后的文本 |
|
36 |
*/ |
|
37 |
public static String escape(String text) |
|
38 |
{ |
|
39 |
return encode(text); |
|
40 |
} |
|
41 |
|
|
42 |
/** |
|
43 |
* 还原被转义的HTML特殊字符 |
|
44 |
* |
|
45 |
* @param content 包含转义符的HTML内容 |
|
46 |
* @return 转换后的字符串 |
|
47 |
*/ |
|
48 |
public static String unescape(String content) |
|
49 |
{ |
|
50 |
return decode(content); |
|
51 |
} |
|
52 |
|
|
53 |
/** |
|
54 |
* 清除所有HTML标签,但是不删除标签内的内容 |
|
55 |
* |
|
56 |
* @param content 文本 |
|
57 |
* @return 清除标签后的文本 |
|
58 |
*/ |
|
59 |
public static String clean(String content) |
|
60 |
{ |
|
61 |
return new HTMLFilter().filter(content); |
|
62 |
} |
|
63 |
|
|
64 |
/** |
|
65 |
* Escape编码 |
|
66 |
* |
|
67 |
* @param text 被编码的文本 |
|
68 |
* @return 编码后的字符 |
|
69 |
*/ |
|
70 |
private static String encode(String text) |
|
71 |
{ |
|
72 |
if (StringUtils.isEmpty(text)) |
|
73 |
{ |
|
74 |
return StringUtils.EMPTY; |
|
75 |
} |
|
76 |
|
|
77 |
final StringBuilder tmp = new StringBuilder(text.length() * 6); |
|
78 |
char c; |
|
79 |
for (int i = 0; i < text.length(); i++) |
|
80 |
{ |
|
81 |
c = text.charAt(i); |
|
82 |
if (c < 256) |
|
83 |
{ |
|
84 |
tmp.append("%"); |
|
85 |
if (c < 16) |
|
86 |
{ |
|
87 |
tmp.append("0"); |
|
88 |
} |
|
89 |
tmp.append(Integer.toString(c, 16)); |
|
90 |
} |
|
91 |
else |
|
92 |
{ |
|
93 |
tmp.append("%u"); |
|
94 |
if (c <= 0xfff) |
|
95 |
{ |
|
96 |
// issue#I49JU8@Gitee |
|
97 |
tmp.append("0"); |
|
98 |
} |
|
99 |
tmp.append(Integer.toString(c, 16)); |
|
100 |
} |
|
101 |
} |
|
102 |
return tmp.toString(); |
|
103 |
} |
|
104 |
|
|
105 |
/** |
|
106 |
* Escape解码 |
|
107 |
* |
|
108 |
* @param content 被转义的内容 |
|
109 |
* @return 解码后的字符串 |
|
110 |
*/ |
|
111 |
public static String decode(String content) |
|
112 |
{ |
|
113 |
if (StringUtils.isEmpty(content)) |
|
114 |
{ |
|
115 |
return content; |
|
116 |
} |
|
117 |
|
|
118 |
StringBuilder tmp = new StringBuilder(content.length()); |
|
119 |
int lastPos = 0, pos = 0; |
|
120 |
char ch; |
|
121 |
while (lastPos < content.length()) |
|
122 |
{ |
|
123 |
pos = content.indexOf("%", lastPos); |
|
124 |
if (pos == lastPos) |
|
125 |
{ |
|
126 |
if (content.charAt(pos + 1) == 'u') |
|
127 |
{ |
|
128 |
ch = (char) Integer.parseInt(content.substring(pos + 2, pos + 6), 16); |
|
129 |
tmp.append(ch); |
|
130 |
lastPos = pos + 6; |
|
131 |
} |
|
132 |
else |
|
133 |
{ |
|
134 |
ch = (char) Integer.parseInt(content.substring(pos + 1, pos + 3), 16); |
|
135 |
tmp.append(ch); |
|
136 |
lastPos = pos + 3; |
|
137 |
} |
|
138 |
} |
|
139 |
else |
|
140 |
{ |
|
141 |
if (pos == -1) |
|
142 |
{ |
|
143 |
tmp.append(content.substring(lastPos)); |
|
144 |
lastPos = content.length(); |
|
145 |
} |
|
146 |
else |
|
147 |
{ |
|
148 |
tmp.append(content.substring(lastPos, pos)); |
|
149 |
lastPos = pos; |
|
150 |
} |
|
151 |
} |
|
152 |
} |
|
153 |
return tmp.toString(); |
|
154 |
} |
|
155 |
|
|
156 |
public static void main(String[] args) |
|
157 |
{ |
|
158 |
String html = "<script>alert(1);</script>"; |
|
159 |
String escape = EscapeUtil.escape(html); |
|
160 |
// String html = "<scr<script>ipt>alert(\"XSS\")</scr<script>ipt>"; |
|
161 |
// String html = "<123"; |
|
162 |
// String html = "123>"; |
|
163 |
System.out.println("clean: " + EscapeUtil.clean(html)); |
|
164 |
System.out.println("escape: " + escape); |
|
165 |
System.out.println("unescape: " + EscapeUtil.unescape(escape)); |
|
166 |
} |
|
167 |
} |