请教如何采用 html 插入一张图片,绕过 su.sanitizeHTML 方法?

2018-03-27 17:28:04 +08:00
 rabitzn
su.sanitizeHTML = function(aString) {

  var str = aString.toString();

  // Strip out null.
  str = str.replace(/\[0x00\]/gmi,'');

  // Strip out carriage returns and other control characters.
  str = str.replace(/(
|
|	|	)/gmi,'');
  str = str.replace(/(
||\t|\n|\r)/gmi,'');

  // Strip out tags that do not close.
  str = str.replace(/<[^>]*$/gmi,'');

  // Strip out tags that do not open.
  str = str.replace(/^[^<]*>/gmi,'');
  
  // Check all instances of HTML tags. Only if they match our very limited
  // white list will they be allowed through.
  return str.replace(/<[^>]*>/gmi, function(match) {
      // If there are *any* style or javascript strings inside the tag,
      // then strip it. Also, look for any open parenthesis (escaped or 
      // unescaped), curly braces, or square backets, since simple link URLs
      // will not contain these whereas javascript will.
      var containsStyleRegex = new RegExp('style\s*|\\(|&#41;|<.*<' +
          '|script:|file:|ftp:|&#040|\{|\}|\[|\]|%5B|%5D|%3C|%3E|&#x28;','img');
      if (containsStyleRegex.test(match) == true) {
        return '';
      }

      // If it's an http: or https: link or a font tag, then let it through.
      var isLinkOrFontRegex = new RegExp('^<\/*(a href=("|&quot;) http|font)','img');
      if (isLinkOrFontRegex.test(match) == true) {
        // If there is any attribute that starts with "on", then strip the 
        // tag, since this could be a binding to a JS event.
        var containsJSBinding = new RegExp('on\\S*\\s*=','img');
        if (containsJSBinding.test(match) == true) {
          return '';
        } else {
          return match;
        }
      }

      // Finally, only allow it if it's in our explicit white list.
      var whiteListRegEx = new RegExp('^</*' +
          '(b|i|u|strong|em|p|br|ol|ul|li|a)/*>$', 'img');
      if (whiteListRegEx.test(match) == true) {
        return match;
      } else {
        return '';
      }
      
    });
};
1453 次点击
所在节点    前端开发
0 条回复

这是一个专为移动设备优化的页面(即为了让你能够在 Google 搜索结果里秒开这个页面),如果你希望参与 V2EX 社区的讨论,你可以继续到 V2EX 上打开本讨论主题的完整版本。

https://www.v2ex.com/t/441873

V2EX 是创意工作者们的社区,是一个分享自己正在做的有趣事物、交流想法,可以遇见新朋友甚至新机会的地方。

V2EX is a community of developers, designers and creative people.

© 2021 V2EX