Configure ESAPI Security Encoding Library to prevent XSS Cross-site scripting issue


Problem description


I am trying to use ESAPI for security encoding in a webapp (JSPs) to prevent XSS. I added esapi-2.1.0.jar under WEB-INF/lib and added the line below in the JSP for encoding:

ESAPI.encoder().encodeForHTML(request.getParameter(""))

But I get the following exception:

org.owasp.esapi.errors.ConfigurationException: ESAPI.properties could not be loaded by any means. Fail.
org.owasp.esapi.reference.DefaultSecurityConfiguration.loadConfiguration(DefaultSecurityConfiguration.java:439)


I understand the problem is the missing ESAPI.properties file. Should I download this file as well, along with esapi-2.1.0.jar? I could see ESAPI.properties is not in esapi-2.1.0.jar. Should I create my own, or can I get a default file, as I am unsure what should be in it? Appreciate any help.

Recommended answer


The most recent public configuration files are located here:


If you read the comments/code in this file, you'll see how to handle file location.


You will need BOTH esapi.properties and validation.properties in order to properly use the library.

Here is an excerpt from the documentation:

/**
 * The reference {@code SecurityConfiguration} manages all the settings used by the ESAPI in a single place. In this reference
 * implementation, resources can be put in several locations, which are searched in the following order:
 * <p>
 * 1) Inside a directory set with a call to SecurityConfiguration.setResourceDirectory( "C:\temp\resources" ).
 * <p>
 * 2) Inside the System.getProperty( "org.owasp.esapi.resources" ) directory.
 * You can set this on the java command line as follows (for example):
 * <pre>
 *              java -Dorg.owasp.esapi.resources="C:\temp\resources"
 * </pre>
 * You may have to add this to the start-up script that starts your web server. For example, for Tomcat,
 * in the "catalina" script that starts Tomcat, you can set the JAVA_OPTS variable to the {@code -D} string above.
 * <p>
 * 3) Inside the {@code System.getProperty( "user.home" ) + "/.esapi"} directory (supported for backward compatibility) or
 * inside the {@code System.getProperty( "user.home" ) + "/esapi"} directory.
 * <p>
 * 4) The first ".esapi" or "esapi" directory on the classpath. (The former for backward compatibility.)
 * <p>
 * Once the Configuration is initialized with a resource directory, you can edit it to set things like master
 * keys and passwords, logging locations, error thresholds, and allowed file extensions.
 * <p>
 * WARNING: Do not forget to update ESAPI.properties to change the master key and other security critical settings.
 *
 * @author Jeff Williams (jeff.williams .at. aspectsecurity.com) <a href="http://www.aspectsecurity.com">Aspect Security</a>
 * @author Jim Manico (jim .at. manico.net) <a href="http://www.manico.net">Manico.net</a>
 * @author Kevin Wall (kevin.w.wall .at. gmail.com)
 */
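The Javadoc above lists four places ESAPI searches for its properties files. The following is an added example (not code from the question, the answer, or the ESAPI project) showing the second option in practice: setting the "org.owasp.esapi.resources" system property before the first call into ESAPI, then wrapping encodeForHTML in a null-safe helper that a JSP can call. The directory /opt/app/esapi-config, the class name EsapiHtmlOutput, and the sample input are assumptions made for the example; the property name and the resource lookup order come from the Javadoc on this page.

```java
import org.owasp.esapi.ESAPI;
import org.owasp.esapi.Encoder;

/**
 * Added example, not part of the original question or answer.
 *
 * Assumption: /opt/app/esapi-config is a placeholder for a directory that holds
 * BOTH ESAPI.properties and validation.properties (the answer notes that the
 * library needs both files, not just ESAPI.properties).
 */
public final class EsapiHtmlOutput {

    // Placeholder path; replace with the directory containing the two properties files.
    private static final String RESOURCE_DIR = "/opt/app/esapi-config";

    private EsapiHtmlOutput() {}

    /**
     * Lookup option 2 from the Javadoc: point ESAPI at the resource directory via the
     * "org.owasp.esapi.resources" system property. This must run before ESAPI is
     * first used (for example from a ServletContextListener), otherwise passing
     * -Dorg.owasp.esapi.resources=... on the JVM command line has the same effect.
     * An already-set property (e.g. from the command line) is left untouched.
     */
    public static void configureResourceDirectory() {
        if (System.getProperty("org.owasp.esapi.resources") == null) {
            System.setProperty("org.owasp.esapi.resources", RESOURCE_DIR);
        }
    }

    /**
     * Encode untrusted data for insertion into HTML element content.
     * A null parameter (missing request parameter) becomes an empty string instead
     * of the literal text "null" or a NullPointerException.
     */
    public static String forHtml(String untrusted) {
        if (untrusted == null) {
            return "";
        }
        // ESAPI.encoder() is where the ConfigurationException from the question is
        // raised if the properties files still cannot be found.
        Encoder encoder = ESAPI.encoder();
        return encoder.encodeForHTML(untrusted);
    }

    public static void main(String[] args) {
        configureResourceDirectory();
        // Constructed sample value standing in for request.getParameter("comment").
        String untrusted = "<b>hello</b> & \"world\"";
        // '<', '>', '&' and '"' come back as HTML entities, so a browser renders
        // the value as text rather than interpreting it as markup.
        System.out.println(forHtml(untrusted));
    }
}
```

In the JSP the asker's snippet then becomes `<%= EsapiHtmlOutput.forHtml(request.getParameter("comment")) %>`. Two practical points: encodeForHTML is only correct for HTML element content; data placed inside an attribute value or a script block needs the matching context-specific method (encodeForHTMLAttribute, encodeForJavaScript) from the same Encoder interface. And if you prefer lookup option 4 over the system property, placing both properties files in a classpath directory named "esapi" (for a Maven build, src/main/resources/esapi/) lets the library find them without any JVM flag.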

