I'm loading URLs from various intents (I have deeplinks or links sent by FCM notifications) and then opening them within WebView.

I implemented Jsoup to protect my app from XSS attacks.

Implementation:

@Override
protected void onNewIntent(Intent intent) {
    super.onNewIntent(intent);
    String intentUrl = loadIntentUrl(intent);   // extracts the deeplink / FCM URL from the intent
    if (intentUrl != null) {
        // Runs the URL string through jsoup's HTML cleaner
        String safeUrl = Jsoup.clean(intentUrl, Safelist.basic());
        Log.d("onNewIntent", "safeUrl: " + safeUrl);
        webView.loadUrl(safeUrl);
    }
}

But I'm receiving a valid deeplink URL (example: https://my.appName.com/?activate=users&userId=523332)

But Jsoup.clean(intentUrl, Safelist.basic()) is transforming it to

https://my.appName.com/?activate=users&amp;userId=523332

And sending this to the WebView is causing some issues for the customer. Is there any way to eliminate this conversion so it's properly handled by Jsoup while still preventing XSS attacks?

I could use .replaceAll("&amp;", "&"), but I'm not sure it would be a good solution dynamically (Jsoup could malform some other params in different links).

Asked Nov 22, 2024 at 11:45 by Martin; edited Nov 22, 2024 at 12:18.

1 Answer


The jsoup.clean method takes and returns HTML. Per the doc:

public static String clean(String bodyHtml, Safelist safelist)

Get safe HTML from untrusted input HTML, by parsing input HTML and filtering it through a safe-list of permitted tags and attributes.

The clean method does not fetch and clean the contents of a URL. If you want to do that(?), you would need to do something like:

import org.jsoup.Jsoup;
import org.jsoup.nodes.Document;
import org.jsoup.safety.Safelist;

// Jsoup.connect(...).get() performs network I/O and throws IOException
String url = "https://my.appName.com/?activate=users&userId=523332";
Document doc = Jsoup.connect(url).get();
String sourceHtml = doc.html();
String cleanHtml = Jsoup.clean(sourceHtml, url, Safelist.basic());
System.out.println(cleanHtml); // Replace with sending the cleaned HTML to your WebView
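As an added illustration (this is not code from the question or the answer above): because WebView.loadUrl() consumes a URL rather than HTML, the check that belongs in onNewIntent is URL validation, parsing the string with java.net.URI and accepting only https links to the app's own host, which leaves the query string and its & separators untouched. The host name, class name and sample inputs are assumed.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Set;

public final class DeepLinkValidator {
    // Hosts the app is willing to render in its WebView (assumed value, stored lowercase).
    private static final Set<String> ALLOWED_HOSTS = Set.of("my.appname.com");

    /**
     * Returns the URL unchanged if it is an absolute https URL to an allowed host,
     * otherwise null. The string is never rewritten, so "&" in the query survives.
     */
    public static String validate(String raw) {
        if (raw == null) return null;
        URI uri;
        try {
            uri = new URI(raw.trim());
        } catch (URISyntaxException e) {
            return null;                        // not a well-formed URI at all
        }
        if (!uri.isAbsolute() || !"https".equalsIgnoreCase(uri.getScheme())) return null;
        String host = uri.getHost();            // null for opaque URIs such as javascript:
        if (host == null || !ALLOWED_HOSTS.contains(host.toLowerCase())) return null;
        if (uri.getUserInfo() != null) return null; // reject https://user@other-host/ forms
        return uri.toString();
    }

    public static void main(String[] args) {
        String[] samples = {
            "https://my.appName.com/?activate=users&userId=523332", // accepted as-is
            "javascript:void(0)",                                    // rejected: wrong scheme
            "https://other.example/?activate=users",                 // rejected: host not allowed
            "file:///sdcard/Download/page.html",                     // rejected: wrong scheme
        };
        for (String s : samples) {
            System.out.println(s + " -> " + validate(s));
        }
    }
}
```

The validator only decides which URL the WebView may open; escaping of query values inside the page that https://my.appName.com serves remains the server's responsibility, which is where an HTML sanitizer such as Jsoup.clean would apply.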

Tags: android. Title: Invalid link is being returned after sanitation (cleanup). Source: Stack Overflow.