Asking for advice: how to insert an image via HTML and get past the su.sanitizeHTML method?

  rabitzn · 2018-03-27 17:28:04 +08:00 · 1479 clicks
    su.sanitizeHTML = function(aString) {

      var str = aString.toString();

      // Strip out null.
      str = str.replace(/\[0x00\]/gmi,'');

      // Strip out carriage returns and other control characters.
      // (Reconstructed: the original regexes contained literal CR/LF/tab
      // characters that were lost when the page was extracted.)
      str = str.replace(/(\r|\n|\t|\v)/gmi,'');
      str = str.replace(/(\f|\t|\n|\r)/gmi,'');

      // Strip out tags that do not close.
      str = str.replace(/<[^>]*$/gmi,'');

      // Strip out tags that do not open.
      str = str.replace(/^[^<]*>/gmi,'');

      // Check all instances of HTML tags. Only if they match our very limited
      // white list will they be allowed through.
      return str.replace(/<[^>]*>/gmi, function(match) {
          // If there are *any* style or javascript strings inside the tag,
          // then strip it. Also, look for any open parenthesis (escaped or
          // unescaped), curly braces, or square brackets, since simple link URLs
          // will not contain these whereas javascript will.
          // Note: inside a string literal the backslashes must be doubled
          // ("\\s", "\\{", "\\[" ...); with a single backslash the pattern
          // became "styles*" and "[|]" turned into a character class, so the
          // brace and bracket checks never matched as intended.
          var containsStyleRegex = new RegExp('style\\s*|\\(|&#41;|<.*<' +
              '|script:|file:|ftp:|&#040|\\{|\\}|\\[|\\]|%5B|%5D|%3C|%3E|&#x28;','img');
          if (containsStyleRegex.test(match) == true) {
            return '';
          }

          // If it's an http: or https: link or a font tag, then let it through.
          var isLinkOrFontRegex = new RegExp('^<\\/*(a href=("|&quot;) http|font)','img');
          if (isLinkOrFontRegex.test(match) == true) {
            // If there is any attribute that starts with "on", then strip the
            // tag, since this could be a binding to a JS event.
            var containsJSBinding = new RegExp('on\\S*\\s*=','img');
            if (containsJSBinding.test(match) == true) {
              return '';
            } else {
              return match;
            }
          }

          // Finally, only allow it if it's in our explicit white list.
          var whiteListRegEx = new RegExp('^</*' +
              '(b|i|u|strong|em|p|br|ol|ul|li|a)/*>$', 'img');
          if (whiteListRegEx.test(match) == true) {
            return match;
          } else {
            return '';
          }

        });
    };
    
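The sanitizer above strips `<img>` because the tag is not on its allowlist. The defensive way to get an image through is to extend the allowlist rather than look for a gap in it. The following is an added example, not the poster's code or the original library's: it accepts `<img>` only in a canonical form and rebuilds the tag from the captured `src` and `alt` so that no other attribute survives. It assumes a `su` object constructed here as empty, and it leaves out the original's link/font handling to stay short.

```javascript
// Added example (not the poster's code): extend the allowlist so that <img>
// is accepted only in a canonical, attribute-rebuilt form. "su" is an empty
// object here so the snippet runs stand-alone; the original's <a href>/<font>
// branch is omitted for brevity.
var su = {};

// An <img> is accepted only as: src="http(s)://..." plus an optional alt="".
// No quotes, angle brackets or whitespace may appear inside the URL.
var IMG_RE = /^<img\s+src="(https?:\/\/[^"'<>\s]+)"(?:\s+alt="([^"'<>]*)")?\s*\/?>$/i;

// Rebuild the tag from the captured parts only, so that any extra attribute
// (on*, style, data-*) is dropped instead of being passed through.
function sanitizeImgTag(tag) {
  var m = IMG_RE.exec(tag);
  if (!m) return '';
  var out = '<img src="' + m[1] + '"';
  if (m[2] !== undefined) out += ' alt="' + m[2] + '"';
  return out + '>';
}

// The simple formatting tags the original allows, with no attributes at all.
var SIMPLE_TAG_RE = /^<\/?(b|i|u|strong|em|p|br|ol|ul|li)\/?>$/i;

su.sanitizeHTMLWithImages = function(aString) {
  var str = String(aString);
  // Same pre-cleaning as the original: control characters, then tags that
  // never close or never open.
  str = str.replace(/[\x00\r\n\t\f\v]/g, '');
  str = str.replace(/<[^>]*$/g, '');
  str = str.replace(/^[^<]*>/g, '');
  return str.replace(/<[^>]*>/g, function(match) {
    if (/^<img[\s>]/i.test(match)) return sanitizeImgTag(match);
    return SIMPLE_TAG_RE.test(match) ? match : '';
  });
};
```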
    No replies yet.