I am getting Cross-Site Scripting: Poor Validation on a struts call to a bean class
Question
I scanned my application in HP Fortify and am getting an issue Cross-Site Scripting: Poor Validation. I am using ESAPI library. I am getting this finding on a Struts application.

```jsp
<%@ taglib prefix="s" uri="/struts-tags" %>
<form method='post' name='<s:property value='tableBean.formName'/>' action='Notification.action'>
```

```java
public String printApplications() throws IOException, ServletException {
    // tableBean is exposed to the JSP; the rest of the method was not shown in the question
    request.setAttribute(TableDisplayBean.TABLE_BEAN, tableBean);
}
```
What would be the proper syntax to use ESAPI to encode tableBean.formName?
Before:

```jsp
<html lang="${myVar}">
```
The appropriate syntax would look like this:
```jsp
<%@ taglib uri="/WEB-INF/tld/esapi.tld" prefix="esapi" %>
<html lang="<esapi:encodeForHTMLAttribute>${myvar}</esapi:encodeForHTMLAttribute>">
```
In your case, use HTMLAttribute because the value you're getting dynamically is being inserted into the "name" attribute on the tag. If it was going to be, say, in a p-tag, you'd use esapi:encodeForHTML.
```jsp
<p>
<esapi:encodeForHTML>${myVal}</esapi:encodeForHTML>
</p>
```
Also, if the value would be received by a javascript function on rendering, use esapi:encodeForJavaScript.
Encoding always has a proper context, and the context is answered by the question, "What kind of interpreter will first receive this data?"
=============================================
I wasn't explicit enough. The example I provided will only escape for HTML attributes when it sounds like it's being deposited as raw HTML. The general example above has been reworked.
Using your example, try:

```jsp
<%-- The s:property tag sits inside the ESAPI tag so its rendered output is encoded
     for the attribute context. s:property HTML-escapes by default, so escapeHtml="false"
     leaves the encoding to ESAPI and avoids double encoding. --%>
<form method='post' name='<esapi:encodeForHTMLAttribute><s:property value="tableBean.formName" escapeHtml="false"/></esapi:encodeForHTMLAttribute>' action='Notification.action'>
```
I'm used to JSTL syntax, so I'm not 100% sure the best way to wrap your variable here. You'll have to play with it. Alternatively, you could add a method to tableBean like tableBean.attributeEscapedFormName which would look like:
```java
import org.owasp.esapi.ESAPI;

public class TableBean {
    private String formName;

    // OGNL resolves tableBean.attributeEscapedFormName to this getter, so
    // <s:property value="tableBean.attributeEscapedFormName"/> works from the JSP.
    public String getAttributeEscapedFormName() {
        // The ESAPI Encoder method is encodeForHTMLAttribute (there is no escapeFor... variant)
        return ESAPI.encoder().encodeForHTMLAttribute(formName);
    }
}
```
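As an added example (not code from the question, the answer, or the ESAPI project), the class below puts the answer's bean-getter approach next to the three encoding contexts the answer names: HTML attribute, HTML text, and JavaScript string. The encoders are a simplified re-implementation of ESAPI's whitelist approach (alphanumerics pass, everything else is encoded) so the file compiles without the ESAPI jar; the class name EncodingContexts, the helper attributeBreakers, and the sample form name are all constructed for the example, and in real code the getter would call ESAPI.encoder().encodeForHTMLAttribute as the answer shows.

```java
import java.util.ArrayList;
import java.util.List;

public class EncodingContexts {

    // Bean pattern from the answer: OGNL resolves tableBean.attributeEscapedFormName
    // to getAttributeEscapedFormName(), so the JSP never sees the raw value.
    public static class TableBean {
        private final String formName;

        public TableBean(String formName) { this.formName = formName; }

        public String getFormName() { return formName; }

        public String getAttributeEscapedFormName() {
            return encodeForHTMLAttribute(formName);
        }
    }

    private static boolean isAlnum(char c) {
        return (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') || (c >= '0' && c <= '9');
    }

    // HTML attribute context (the "name" attribute in the question): whitelist
    // alphanumerics and a few harmless punctuation characters, encode the rest
    // as numeric character references (simplified version of ESAPI's behaviour).
    public static String encodeForHTMLAttribute(String s) {
        StringBuilder out = new StringBuilder();
        for (char c : s.toCharArray()) {
            if (isAlnum(c) || c == ',' || c == '.' || c == '-' || c == '_') {
                out.append(c);
            } else {
                out.append("&#x").append(Integer.toHexString(c)).append(';');
            }
        }
        return out.toString();
    }

    // HTML text context (a p-tag body): entity-encode the characters that
    // change meaning for the HTML parser.
    public static String encodeForHTML(String s) {
        StringBuilder out = new StringBuilder();
        for (char c : s.toCharArray()) {
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#x27;"); break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    // JavaScript string context: non-alphanumerics become \xHH (or \uHHHH beyond
    // one byte), so nothing in the value can close the string literal or the script block.
    public static String encodeForJavaScript(String s) {
        StringBuilder out = new StringBuilder();
        for (char c : s.toCharArray()) {
            if (isAlnum(c)) {
                out.append(c);
            } else if (c < 0x100) {
                out.append(String.format("\\x%02X", (int) c));
            } else {
                out.append(String.format("\\u%04X", (int) c));
            }
        }
        return out.toString();
    }

    // The check a reviewer wants for attribute output: none of the characters
    // that can terminate a quoted attribute or start a tag survive encoding.
    public static List<Character> attributeBreakers(String encoded) {
        List<Character> found = new ArrayList<>();
        for (char c : "'\"<>".toCharArray()) {
            if (encoded.indexOf(c) >= 0) found.add(c);
        }
        return found;
    }

    public static void main(String[] args) {
        // Constructed sample value containing the characters each context cares about.
        TableBean bean = new TableBean("Notification 'form' <b>&</b>");

        System.out.println("<form name='" + bean.getAttributeEscapedFormName() + "'>");
        System.out.println("<p>" + encodeForHTML(bean.getFormName()) + "</p>");
        System.out.println("var formName = '" + encodeForJavaScript(bean.getFormName()) + "';");
        System.out.println("attribute breakers left: "
                + attributeBreakers(bean.getAttributeEscapedFormName()));
    }
}
```

Running it prints the same value rendered three ways; the attribute form contains no quote or angle bracket, which is exactly what a scanner such as Fortify needs to see on the path from the bean to the name attribute. The getter is the easier fix to review, because the encoding lives once in Java rather than in every JSP that prints the value.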