I'm loading URLs from various intents (I have deeplinks or links sent by FCM notifications) and then opening them within a WebView.
I implemented Jsoup to protect my app from XSS attacks.
Implementation:
@Override
protected void onNewIntent(Intent intent) {
    super.onNewIntent(intent);
    String intentUrl = loadIntentUrl(intent);
    if (intentUrl != null) {
        // Run the incoming URL through the Jsoup HTML sanitiser before loading it
        String safeUrl = Jsoup.clean(intentUrl, Safelist.basic());
        Log.d("onNewIntent", "safeUrl: " + safeUrl);
        webView.loadUrl(safeUrl);
    }
}
But I'm receiving a valid deeplink URL (example: https://my.appName.com/?activate=users&userId=523332)
But Jsoup.clean(intentUrl, Safelist.basic())
is transforming it to
https://my.appName.com/?activate=users&amp;userId=523332
And sending this to the WebView is causing some issues for the customer. Is there any way to eliminate this conversion so it's properly handled by Jsoup while preventing XSS attacks?
I could use .replaceAll("&amp;", "&")
but I'm not sure if it would be a good solution for this dynamically (if Jsoup could malform some other params in different links).
1 Answer
The Jsoup.clean method takes and returns HTML. Per the doc:
public static String clean(String bodyHtml, Safelist safelist)
Get safe HTML from untrusted input HTML, by parsing input HTML and filtering it through a safe-list of permitted tags and attributes.
The clean method does not fetch and clean the contents of a URL. If you want to do that(?), you would need to do something like:
String url = "https://my.appName.com/?activate=users&userId=523332";
Document doc = Jsoup.connect(url).get(); // fetches the page over the network; on Android this must run off the main thread
String sourceHtml = doc.html();
String cleanHtml = Jsoup.clean(sourceHtml, url, Safelist.basic()); // baseUri resolves relative links while cleaning
// Implement to send the cleaned HTML to your webview, e.g.:
webView.loadDataWithBaseURL(url, cleanHtml, "text/html", "UTF-8", null);
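As an added example (not code from the question or the answer), the Java below shows the difference between pushing the deeplink through Jsoup.clean, which treats it as HTML text and encodes the "&", and validating it as a URL with java.net.URI against a host allowlist before handing the untouched string to loadUrl(); the class name, the allowlist contents and the rejected sample inputs are assumptions made for the demonstration.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

import org.jsoup.Jsoup;
import org.jsoup.safety.Safelist;

public class DeeplinkCheck {
    // Hypothetical allowlist of hosts the WebView may load (lower-case for comparison).
    private static final Set<String> ALLOWED_HOSTS =
            new HashSet<>(Arrays.asList("my.appname.com"));

    // What the question does: clean() is an HTML sanitiser, so it treats the URL as
    // text and HTML-encodes the '&' between query parameters.
    static String sanitizeAsHtml(String url) {
        return Jsoup.clean(url, Safelist.basic());
    }

    // Validate the deeplink as a URL instead. Returns the string unchanged when the
    // scheme is https and the host is on the allowlist, otherwise null (do not load).
    static String validateDeeplink(String candidate) {
        if (candidate == null) return null;
        URI uri;
        try {
            uri = new URI(candidate.trim());
        } catch (URISyntaxException e) {
            return null; // not a parseable URL
        }
        // Only https: this rejects javascript:, file:, content:, intent: and plain http.
        if (!"https".equalsIgnoreCase(uri.getScheme())) return null;
        // java.net.URI puts anything before '@' into userInfo, so the real host is what gets checked.
        String host = uri.getHost();
        if (host == null || uri.getUserInfo() != null) return null;
        if (!ALLOWED_HOSTS.contains(host.toLowerCase())) return null;
        return candidate.trim(); // '&' is untouched, so the query string reaches the WebView intact
    }

    public static void main(String[] args) {
        String link = "https://my.appName.com/?activate=users&userId=523332";
        // The same link through the HTML sanitiser and through the URL check.
        System.out.println("Jsoup.clean : " + sanitizeAsHtml(link));
        System.out.println("URL check   : " + validateDeeplink(link));
        // Constructed inputs: wrong scheme, host not on the allowlist, userinfo in front of the host.
        System.out.println(validateDeeplink("javascript:void(0)"));
        System.out.println(validateDeeplink("https://other.example/?activate=users"));
        System.out.println(validateDeeplink("https://my.appName.com@other.example/"));
    }
}
```

On Android, android.net.Uri exposes the same getScheme(), getHost() and getUserInfo() getters, so the check can be written against it without java.net.URI.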
Tags: android
Title: android - Invalid link is being returned after sanitation (cleanup) - Stack Overflow