在Struts 2中使$ {}运算符XSS安全(与挂毯相同) [英] Make ${} operator XSS safe in Struts 2 (same as tapestry)
问题描述
如 http://www中所述. crasharea.co.uk/blog/xss-vulnerabilities-in-web-frameworks-2/
$ {}在struts 2中不是xss安全的,而在挂毯5中是安全的.
The ${} is not xss safe in struts 2 while it is safe in tapestry 5.
我不是挂毯人,但是我想知道上面是否正确.
I am not a Tapestry guy, but I want to know if above is correct.
据我所知,${}是JSLT的一部分,它不依赖于任何Web框架.因此,如果上面的句子正确无误,并且${}在挂毯中是XSS安全的,我们如何才能在struts 2中使其安全.
As far as I know the ${} is part of JSLT and it does not depend on any web frameworks. So if above sentence is correct and the ${} is XSS safe in tapestry, how can we make it safe in struts 2.
已更新:
要测试它,我运行struts2-showcase应用程序,打开modelDriven\modelDrivenResult.jsp并添加以下行:
To test it I run struts2-showcase app, opened modelDriven\modelDrivenResult.jsp and add below line:
Am I safe ${name}
现在,当您运行展示柜并输入<script> alert('xxxx') </script>作为帮派名称时,您将看到警报!
Now when you run the show case and enter <script> alert('xxxx') </script> as gangester name you can see the alert!
推荐答案
- Struts2 默认情况下会自动转义
<s:property value="name" />; - JSTL
<c:out value="${name}" />默认情况下会自动转义; - JSP EL
${name}未被转义.
- Struts2
<s:property value="name" />is automatically escaped by default; - JSTL
<c:out value="${name}" />is automatically escaped by default; - JSP EL
${name}is NOT escaped.
您可以使用${fn:escapeXml(name)}明确地对其进行转义,或将转义设置为默认情况下执行,如本篇精彩文章中所述,创建自定义ELResolver:
You can explicitly escape it with ${fn:escapeXml(name)} , or set the escape to be performed by default creating a custom ELResolver as described in this great article:
这篇关于在Struts 2中使$ {}运算符XSS安全(与挂毯相同)的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
