如何使用 Struts 防止 XSS 漏洞 [英] How to prevent XSS vulnerability with Struts

问题描述

我们需要在我们的 Struts 应用程序中添加反 XSS 支持.最特别的是，架构师要求所有用户输入必须在存储到 DB 之前清理".由于我不想重新发明方轮，我可以为此使用哪个 Java 库?把它放在哪里?理想情况下，它应该是可配置的(要检查哪些输入字段，而不是请求中的所有字段)并且速度很快.我首先想到的是 Struts 验证器.

We need to add anti-XSS support in our Struts application. Most specifically the architect requires that all user input must be "sanitized" before storing in DB. As I don't want to reinvent the square wheel, which Java library can I use for this ? And where to put it ? Ideally it should be configurable (which input fields to check, not all of them in request) and fast. My first thought is Struts Validator.

提前致谢路易斯

推荐答案

我建议您查看 OWASP 的 ESAPI 项目.它已经开发了一年多，即将发布 2.0.

I recommend you look into OWASP's ESAPI project. It has been under development for over a year, and is approaching its 2.0 release.

要转义存储在数据库中的值，请查看 Encoder.encodeForSQL() 方法 (参考实现).

For escaping values stored in the database, check out the Encoder.encodeForSQL() method (reference implementation).

对于输入验证，请查看验证器 (参考实现).

For input validation, check out the Validator (reference implementation).

注意:我的理解是 ESAPI 中包含了旧项目(如 Stinger 和 CSRFGuard)提供的功能.

Note: my understanding is that the functionality provided by older projects such as Stinger and CSRFGuard is being included in ESAPI.

这篇关于如何使用 Struts 防止 XSS 漏洞的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！