Java 5 HTML escaping to prevent XSS

Updated: 2024-10-12 01:24:26

Question

I'm looking into some XSS prevention in my Java application.

I currently have custom built routines that will escape any HTML stored in the database for safe display in my jsps. However I would rather use a built in/standard method to do this if possible.

I am not currently encoding data that gets sent to the database but would like to start doing that as well.

Are there any built in methods that can help me to achieve this?

Answer

You normally escape XSS during display, not during store. In JSP you can use the JSTL (just drop jstl-1.2.jar in /WEB-INF/lib) <c:out> tag or fn:escapeXml function for this. E.g.

<input name="foo" value="<c:out value="${param.foo}" />">

<input name="foo" value="${fn:escapeXml(param.foo)}">

That's it. If you do it during processing the input and/or storing in DB as well, then it's all spread over the business code and/or in the database. You should not do that, it's only maintenance trouble and you will risk double-escapes or more when you do it at different places (e.g. & would become &amp;amp; instead of &amp; so that the end user would literally see &amp; instead of & in view). The code and DB are not sensitive for XSS. Only the view is. You should then escape it only right there.

Update: you've posted 4 topics about the same subject:

  • Cross-site scripting - hidden form fields
  • HttpServletRequest - quick way to encode URL and hidden method field parameters
  • HttpServletRequest - SetParameter
  • This one.

I will only warn you: you do not need to escape it in servlet/filter/javacode/database/whatever. You're only unnecessarily overcomplicating things. Just escape it during display. That's all.
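The double-escape problem the answer describes, as an added example that is not part of the original answer and is not JSTL's own code. It uses a hypothetical escapeHtml() helper that performs the same five substitutions as fn:escapeXml (assumed to match the JSTL entity table), an in-memory list standing in for the database, and a renderInput() method standing in for the JSP view. The first path stores the raw value and escapes only in the view; the second also escapes on store, so the view escapes the stored value a second time.

```java
import java.util.ArrayList;
import java.util.List;

/**
 * Added example, not code from the original answer or from JSTL.
 * Contrasts "escape only in the view" with "escape on store AND in the view",
 * using a hypothetical escapeHtml() helper that mirrors fn:escapeXml.
 */
public class EscapeOnDisplayDemo {

    /** Same five substitutions JSTL's fn:escapeXml / c:out perform (assumption: matches the JSTL table). */
    static String escapeHtml(String s) {
        if (s == null) return "";
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&#034;"); break;
                case '\'': sb.append("&#039;"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Stand-in for the database: a constructed, in-memory list. */
    static final List<String> DB = new ArrayList<>();

    /**
     * The view. This is the only place escaping belongs; it mirrors
     * <input name="foo" value="${fn:escapeXml(foo)}"> from the answer.
     */
    static String renderInput(String fromDb) {
        return "<input name=\"foo\" value=\"" + escapeHtml(fromDb) + "\">";
    }

    /** Recommended: store the raw value, escape exactly once in the view. */
    static String storeRawThenRender(String userInput) {
        DB.clear();
        DB.add(userInput);               // raw value persisted
        return renderInput(DB.get(0));   // escaped once, at display time
    }

    /** Anti-pattern from the answer: escape on store, then the view escapes again. */
    static String storeEscapedThenRender(String userInput) {
        DB.clear();
        DB.add(escapeHtml(userInput));   // already-escaped value persisted
        return renderInput(DB.get(0));   // escaped a second time
    }

    /** Detects the double-escape symptom the answer describes (&amp;amp; and friends). */
    static boolean looksDoubleEscaped(String html) {
        return html.contains("&amp;amp;") || html.contains("&amp;lt;") || html.contains("&amp;gt;");
    }

    public static void main(String[] args) {
        // Constructed input: an ordinary ampersand plus a markup tag a user might submit.
        String userInput = "Fish & Chips <b>";

        String viewOnly     = storeRawThenRender(userInput);
        String storeAndView = storeEscapedThenRender(userInput);

        System.out.println("escape in view only : " + viewOnly);
        System.out.println("escape on store too : " + storeAndView);
        System.out.println("double-escaped? view only=" + looksDoubleEscaped(viewOnly)
                + ", store+view=" + looksDoubleEscaped(storeAndView));
    }
}
```

Running it shows the ampersand as &amp; in the first rendered input (what the browser displays as &) and as &amp;amp; in the second (displayed literally as &amp;), with looksDoubleEscaped() reporting false and true respectively. The same helper applied on store and in the view is exactly the situation the answer warns about, and the fix is the one it gives: keep the database raw and escape only in the JSP.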

Published: 2023-11-24 22:10:39
Link: https://www.elefans.com/category/jswz/34/1627059.html