在 Struts 2 中使 ${} 运算符 XSS 安全(与 Tapestry 相同) [英] Make ${} operator XSS safe in Struts 2 (same as tapestry)
问题描述
如 http://www.灾难区.co.uk/blog/xss-vulnerabilities-in-web-frameworks-2/
${} 在 struts 2 中不是 xss 安全的,而在 Tapestry 5 中是安全的.
The ${} is not xss safe in struts 2 while it is safe in tapestry 5.
我不是 Tapestry 人,但我想知道以上是否正确.
I am not a Tapestry guy, but I want to know if above is correct.
据我所知,${}
是 JSLT 的一部分,它不依赖于任何 Web 框架.因此,如果上面的句子是正确的,并且 ${}
在tapestry 中是XSS 安全的,那么我们如何使其在struts 2 中安全.
As far as I know the ${}
is part of JSLT and it does not depend on any web frameworks. So if above sentence is correct and the ${}
is XSS safe in tapestry, how can we make it safe in struts 2.
更新:
为了测试它,我运行 struts2-showcase 应用程序,打开 modelDrivenmodelDrivenResult.jsp
并添加以下行:
To test it I run struts2-showcase app, opened modelDrivenmodelDrivenResult.jsp
and add below line:
Am I safe ${name}
现在,当您运行展示案例并输入 <script>alert('xxxx') </script>
作为黑帮名可以看到警报!
Now when you run the show case and enter <script> alert('xxxx') </script>
as gangester name you can see the alert!
推荐答案
- Struts2
<s:property value="name"/>
默认自动转义; - JSTL
<c:out value="${name}"/>
默认自动转义; - JSP EL
${name}
未转义.
- Struts2
<s:property value="name" />
is automatically escaped by default; - JSTL
<c:out value="${name}" />
is automatically escaped by default; - JSP EL
${name}
is NOT escaped.
您可以使用 ${fn:escapeXml(name)}
显式转义它,或者将转义设置为默认执行,创建自定义 ELResolver,如这篇精彩的文章中所述:
You can explicitly escape it with ${fn:escapeXml(name)}
, or set the escape to be performed by default creating a custom ELResolver as described in this great article:
这篇关于在 Struts 2 中使 ${} 运算符 XSS 安全(与 Tapestry 相同)的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!