I use java library Tidy to sanitize html-code. Some of the code contains links with Russian letters. For example
<a href="http://example.com/Русский">link with Russian letters</a>
I understand that "Русский" must be escaped, but I get this html from users. And my job is to convert it to XHTML.
I think tidy tries to escape not-latin letters, but as a result I get
<a href="http://example.com/%420%443%441%441%43A%438%439">link with Russia开发者_开发问答n letters</a>
This is not corect. Correct version is
<a href="http://example.com/%D0%A0%D1%83%D1%81%D1%81%D0%BA%D0%B8%D0%B9">link with Russian letters</a>
Java code is
private static Tidy getTidy() {
if (null == tidy) {
tidy = new Tidy();
tidy.setQuiet(true);
tidy.setShowErrors(0);
tidy.setShowWarnings(false);
tidy.setXHTML(true);
tidy.setOutputEncoding("UTF-8");
}
return tidy;
}
public static String sanitizeHtml(String html, URI pageUri) {
boolean escapeMedia = false;
String ret = "";
try {
Document doc = getTidy().parseDOM(new StringReader("<body>" + html + "</body>"), null);
// here I make some processing
// string output
ByteArrayOutputStream out = new ByteArrayOutputStream();
Node node = doc.getElementsByTagName("body").item(0);
getTidy().pprint(node, out);
ret = out.toString().trim();
}
catch (Exception e) {
ret = html;
e.printStackTrace();
}
return ret;
}
It's a hard-coded behaviour and it's probably a bug. They use UTF-16 to escape non-ASCII characters in URLs when they should use UTF-8. See org/w3c/tidy/AttrCheckImpl.java
.
精彩评论