如何防止人们在Spring MVC中执行XSS? [英] How do I prevent people from doing XSS in Spring MVC?

问题描述

我应该怎么做才能防止Spring MVC中的XSS?现在，我只是将输出用户文本的所有位置放到JSTL <c:out>标记或fn:escapeXml()函数中，但这似乎容易出错，因为我可能会错过一个位置.

What should I do to prevent XSS in Spring MVC? Right now I am just putting all places where I output user text into JSTL <c:out> tags or fn:escapeXml() functions, but this seems error prone as I might miss a place.

是否有一种简单的系统方法可以防止这种情况发生?也许像过滤器之类的?我通过在控制器方法上指定@RequestParam参数来收集输入.

Is there an easy systematic way to prevent this? Maybe like a filter or something? I'm collecting input by specifying @RequestParam parameters on my controller methods.

推荐答案

在Spring中，您可以从<form>标记生成的JSP页面中转义html.这为XSS攻击提供了很多途径，并且可以通过以下三种方式自动完成:

In Spring you can escape the html from JSP pages generated by <form> tags. This closes off a lot avenues for XSS attacks, and can be done automatically in three ways:

对于web.xml文件中的整个应用程序:

For the entire application in the web.xml file:

<context-param>
    <param-name>defaultHtmlEscape</param-name>
    <param-value>true</param-value>
</context-param>

对于文件本身中给定页面上的所有表单:

For all forms on a given page in the file itself:

<spring:htmlEscape defaultHtmlEscape="true" /> 

对于每种形式:

<form:input path="someFormField" htmlEscape="true" /> 

这篇关于如何防止人们在Spring MVC中执行XSS?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！