如何修复XSS Vulnerabilites [英] How to fix XSS vulnerabilites
问题描述
我们正在使用fortify扫描Java源代码&它在错误下面抱怨:
We're using fortify to scan java source code & it is complaining below error:
Method abc() sends unvalidated data to a web browser on line 200, which can result in the browser executing malicious code.
我们在第200行的代码下方:
We've below code on line 200:
<a href="<%= Util.getProduct(request) %>">Product</a>
和Util.java在getProduct方法中的代码下面:
And Util.java hsa below code in getProduct method:
String prod = request.getParameter("prod");
任何人都可以告诉我如何解决此XSS漏洞吗?
Can any one tell me how to fix this XSS vulnerability?
谢谢!
推荐答案
您需要对Util.getProduct(request)
的输出进行转义.通常,这是使用JSTL和<c:out>
标记以及EL:
You need to escape the output of Util.getProduct(request)
. Typically this is done using JSTL and a <c:out>
tag and EL:
<a href="<c:out value="${Util.getProduct(request)}"/>" class="left_nav_link">Product</a>
NB ,您必须使用最新的EL实现(根据 EL方法中的参数),以便将参数传递给getter方法.
N.B. you'll have to use a fairly up-to-date implementation of EL (as per JSTL or JSP 2.0 EL for getter with argument and Parameters in EL methods) in order to pass an argument to the getter method.
Since the code in your question contains scriptlets, I will strongly suggest that you read How to avoid Java code in JSP files? This question covers reasons to use JSTL+EL instead of scriptlets, as well as a bit of information about what those two acronyms actually refer to.
这篇关于如何修复XSS Vulnerabilites的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!