如何在此c:out中避免XSS? [英] How to avoid XSS in this c:out?
问题描述
通常,我使用veracode扫描我的代码更改以检测安全漏洞.现在数据库中有一个字符串,我正在收集一个名为custFunctionality的字符串,以前我在jsp中将其显示为:
Normally i scan my code changes using veracode to detect security vulnerabilities. Now there is a string in DB which i am collecting in a string called custFunctionality and previously i was displaying this in jsp as :
out.println(<%= custFunctionality %>);
很好的veracode对其进行了扫描,让我知道它构成了安全缺陷.
Well veracode scanned it and let me know that it constitutes a security defect.
所以我在这里用c: out作为:
<c:out escapexml='false' value='${custFunctionality }'/>
现在,这里的问题是该字符串由html相关的标记和特殊字符组成,我需要在页面中显示这些字符,如果我不给出escapexml='false',这些字符和标记就不会实现.但是,由于代码中存在escapexml='false'字符串,因此在重新扫描文件后发现它是veracode的安全缺陷.
Now the problem here is that the string consists of html related mark up and special characters which i need to show in the page and if i don't give escapexml='false' those characters and mark ups don't materialize. However, since there is escapexml='false' string here in the code, this constitutes a security defect for veracode as i found it out after re scanning the file.
有人能建议我摆脱这个泥潭吗?
Can anyone suggest me an alternate solution out of this quagmire ?
推荐答案
您要的是两件事.采取特殊字符并将其直观地显示给用户是非常简单的.安全地将它们作为标记安全地插入页面中.
What you're asking for is two different things. Taking special characters and displaying them visually to the user is fairly straightforward. Inserting them into the page as markup safely is more complicated.
视觉显示:
您要在此处执行的操作是将浏览器要解释为的特殊字符标记为标记,并以一种向浏览器指示应仅显示它的方式对其进行转义(或编码).亚历克斯建议使用StringEscapeUtils,它可以帮助您做到这一点. (请记住,每个上下文都有自己的转义规则,因此,适用于html的内容不一定适用于css和javascript.)
What you want to do here is to take the special characters that the browser wants to interpret at as markup and escape (or encode) it in a way that indicates to the browser that it should just be displayed. Alex recommended the StringEscapeUtils which should help you do that. (Keep in mind that each context has it's own rules for escaping so what works for html won't necessarily work for css and javascript.)
标记插入:
在这种情况下,您需要对输入进行一些验证,以确保您不会插入会影响页面行为的内容.插入一些 ... 标记可能是可以的,插入javascript是有风险的.挑战在于捕捉人们可能试图逃避您的过滤器的所有方式.如果您的网站足够有趣,人们将尝试利用此功能.
In this case you need to do some validation of the input to ensure that you aren't inserting content that affects how your page behaves. Inserting some ... markup is probably okay, inserting javascript is risky. The challenge is catching all of the ways people might try to evade your filter. If your site is interesting enough, people will try to take advantage of this feature.
这篇关于如何在此c:out中避免XSS?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
