feat:1、增加文档和文章的危险标签和属性过滤

2、移除文档的客户端缓存
2025-10-25 10:59:13 +08:00 · 2018-09-13 18:19:26 +08:00
parent 91d010664b
commit 732b1db281
8 changed files with 282 additions and 256 deletions
--- a/utils/html.go
+++ b/utils/html.go
@@ -3,6 +3,9 @@ package utils
 import (
 	"regexp"
 	"strings"
+	"github.com/PuerkitoBio/goquery"
+	"bytes"
+	"github.com/lifei6671/mindoc/conf"
 )

 func StripTags(s string) string  {
@@ -54,3 +57,60 @@ func AutoSummary(body string,l int) string {
 	}
 	return content
 }
+
+//安全处理HTML文档，过滤危险标签和属性.
+func SafetyProcessor(html string) string {
+
+	//安全过滤，移除危险标签和属性
+	if docQuery, err := goquery.NewDocumentFromReader(bytes.NewBufferString(html)); err == nil {
+		docQuery.Find("script").Remove()
+		docQuery.Find("form").Remove()
+		docQuery.Find("link").Remove()
+		docQuery.Find("applet").Remove()
+		docQuery.Find("frame").Remove()
+		docQuery.Find("meta").Remove()
+		docQuery.Find("iframe").Remove()
+		docQuery.Find("*").Each(func(i int, selection *goquery.Selection) {
+
+			if href, ok := selection.Attr("href"); ok && strings.HasPrefix(href, "javascript:") {
+				selection.SetAttr("href", "#")
+			}
+			if src, ok := selection.Attr("src"); ok && strings.HasPrefix(src, "javascript:") {
+				selection.SetAttr("src", "#")
+			}
+
+			selection.RemoveAttr("onafterprint").
+				RemoveAttr("onbeforeprint").
+				RemoveAttr("onbeforeunload").
+				RemoveAttr("onload").
+				RemoveAttr("onclick").
+				RemoveAttr("onkeydown").
+				RemoveAttr("onkeypress").
+				RemoveAttr("onkeyup").
+				RemoveAttr("ondblclick").
+				RemoveAttr("onmousedown").
+				RemoveAttr("onmousemove").
+				RemoveAttr("onmouseout").
+				RemoveAttr("onmouseover").
+				RemoveAttr("onmouseup")
+		})
+
+		//处理外链
+		docQuery.Find("a").Each(func(i int, contentSelection *goquery.Selection) {
+			if src, ok := contentSelection.Attr("href"); ok {
+				if strings.HasPrefix(src, "http://") || strings.HasPrefix(src, "https://") {
+					if conf.BaseUrl != "" && !strings.HasPrefix(src, conf.BaseUrl) {
+						contentSelection.SetAttr("target", "_blank")
+					}
+				}
+			}
+		})
+
+
+
+		if html, err := docQuery.Html(); err == nil {
+			return  strings.TrimSuffix(strings.TrimPrefix(strings.TrimSpace(html), "<html><head></head><body>"), "</body></html>")
+		}
+	}
+	return html
+}