如何防止人们在Spring MVC中执行XSS? [英] How do I prevent people from doing XSS in Spring MVC?
问题描述
我应该怎么做才能防止Spring MVC中的XSS?现在,我只是将输出用户文本的所有位置放到JSTL <c:out>
标记或fn:escapeXml()
函数中,但这似乎容易出错,因为我可能会错过一个位置.
What should I do to prevent XSS in Spring MVC? Right now I am just putting all places where I output user text into JSTL <c:out>
tags or fn:escapeXml()
functions, but this seems error prone as I might miss a place.
是否有一种简单的系统方法可以防止这种情况发生?也许像过滤器之类的?我通过在控制器方法上指定@RequestParam
参数来收集输入.
Is there an easy systematic way to prevent this? Maybe like a filter or something? I'm collecting input by specifying @RequestParam
parameters on my controller methods.
推荐答案
在Spring中,您可以从<form>
标记生成的JSP页面中转义html.这为XSS攻击提供了很多途径,并且可以通过以下三种方式自动完成:
In Spring you can escape the html from JSP pages generated by <form>
tags. This closes off a lot avenues for XSS attacks, and can be done automatically in three ways:
对于web.xml
文件中的整个应用程序:
For the entire application in the web.xml
file:
<context-param>
<param-name>defaultHtmlEscape</param-name>
<param-value>true</param-value>
</context-param>
对于文件本身中给定页面上的所有表单:
For all forms on a given page in the file itself:
<spring:htmlEscape defaultHtmlEscape="true" />
对于每种形式:
<form:input path="someFormField" htmlEscape="true" />
这篇关于如何防止人们在Spring MVC中执行XSS?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!