Java 5 HTML escaping to prevent XSS

Updated: 2024-10-11 21:21:53

Question

I'm looking into some XSS prevention in my Java application.

I currently have custom-built routines that will escape any HTML stored in the database for safe display in my JSPs. However, I would rather use a built-in/standard method to do this if possible.

I am not currently encoding data that gets sent to the database, but would like to start doing that as well.

Are there any built-in methods that can help me to achieve this?

Answer

You normally escape XSS during display, not during storage. In JSP you can use the JSTL (just drop jstl-1.2.jar in /WEB-INF/lib) <c:out> tag or the fn:escapeXml function for this. E.g.

<input name="foo" value="<c:out value="${param.foo}" />">

<input name="foo" value="${fn:escapeXml(param.foo)}">

That's it. If you do it during processing the input and/or storing in the DB as well, then it's all spread over the business code and/or in the database. You should not do that, it's only maintenance trouble, and you will risk double-escapes or more when you do it at different places (e.g. & would become &amp;amp; instead of &amp;, so that the end user would literally see &amp; instead of & in the view). The code and DB are not sensitive to XSS. Only the view is. You should then escape it only right there.

Update: you've posted 4 topics about the same subject:

  • Cross Site Scripting - Hidden Form Fields
  • HttpServletRequest - Quick way to encode url and hidden field paramaters
  • HttpServletRequest - SetParameter
  • This one.

I will only warn you: you do not need to escape it in servlet/filter/Java code/database/whatever. You're only unnecessarily overcomplicating things. Just escape it during display. That's all.
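The following is an added example, not code from the original question or answer. It reimplements the character mapping that JSTL's fn:escapeXml / <c:out> apply (the five XML-significant characters &, <, >, ", ') so the effect can be seen outside a servlet container, and it contrasts the answer's advice (store raw, escape once in the view) with escaping both at storage time and at display time, which produces the &amp;amp; double-escape the answer warns about. The class name, the renderInput helper and the sample input string are assumptions made for the demonstration.

```java
// Added example, not part of the original post. Mirrors the JSTL escapeXml
// mapping and shows why escaping in the view only is enough.
public final class XssEscapeDemo {

    /** Escape the five XML-significant characters the way JSTL's escapeXml does. */
    static String escapeXml(String s) {
        if (s == null) {
            return "";
        }
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&#034;"); break;
                case '\'': sb.append("&#039;"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /**
     * What the view emits for a stored value placed in a quoted attribute,
     * i.e. the equivalent of:
     *   <input name="foo" value="${fn:escapeXml(storedValue)}">
     * (renderInput is a hypothetical helper for this demo.)
     */
    static String renderInput(String storedValue) {
        return "<input name=\"foo\" value=\"" + escapeXml(storedValue) + "\">";
    }

    public static void main(String[] args) {
        // Constructed sample input: a value that tries to break out of the
        // attribute and inject a script, plus a legitimate ampersand.
        String submitted = "\"><script>alert('x')</script> R&D";

        // 1) The answer's advice: store the raw value, escape once in the view.
        String storedRaw = submitted;
        String viewOnce = renderInput(storedRaw);
        System.out.println(viewOnce);
        // The quote and angle brackets are neutralised, and "R&D" is emitted as
        // R&amp;D, which the browser renders back to R&D.

        // 2) Escaping on the way into the DB and again in the view.
        String storedEscaped = escapeXml(submitted);
        String viewTwice = renderInput(storedEscaped);
        System.out.println(viewTwice);
        // "R&amp;D" in the DB becomes R&amp;amp;D in the page, so the user
        // literally sees "R&amp;D". The script is still neutralised, but the
        // data is now corrupted for every other consumer of the database.

        System.out.println(viewTwice.contains("&amp;amp;")
                ? "double-escaped (escape in the view only)"
                : "single-escaped");
    }
}
```

Note that escapeXml only covers the five characters above, which is the right escaping for HTML text content and quoted attribute values, as in the <input> example in the answer. Data placed into an inline script block or a URL needs escaping for that context instead; <c:out> and fn:escapeXml do not do that.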

Published: 2023-11-24 22:09:54
Link: https://www.elefans.com/category/jswz/34/1627057.html