JSP / Servlet Web应用程序中的XSS预防 [英] XSS prevention in JSP/Servlet web application
问题描述
如何在JSP / Servlet Web应用程序中防止XSS攻击?
How can I prevent XSS attacks in a JSP/Servlet web application?
推荐答案
在JSP中可以通过使用XSS来防止XSS JSTL < c:out> 标签或 fn:escapeXml() 当(重新)显示用户控制的输入时的EL功能。这包括请求参数,标题,cookie,URL,正文等。您从请求对象中提取的任何内容。此外,存储在数据库中的先前请求的用户控制输入需要在重新显示期间进行转义。
XSS can be prevented in JSP by using JSTL <c:out> tag or fn:escapeXml() EL function when (re)displaying user-controlled input. This includes request parameters, headers, cookies, URL, body, etc. Anything which you extract from the request object. Also the user-controlled input from previous requests which is stored in a database needs to be escaped during redisplaying.
例如:
<p><c:out value="${bean.userControlledValue}"></p>
<p><input name="foo" value="${fn:escapeXml(param.foo)}"></p>
这将转义可能导致呈现的HTML格式错误的字符,例如< ,> ,,'和& 进入 HTML / XML实体例如& lt; ,& gt; ,& quot; ,& 和& amp; 。
This will escape characters which may malform the rendered HTML such as <, >, ", ' and & into HTML/XML entities such as <, >, ", ' and &.
请注意,您不需要在Java(Servlet)代码中转义它们,因为它们在那里是无害的。有些人可能会选择在请求处理期间转义它们(正如你在Servlet或Filter中所做的那样)而不是响应处理(就像在JSP中那样),但是这样你可能会冒不必要的双重转义(例如 & 变为& amp; amp; 而不是& amp; 并最终最终用户会看到& amp; 正在呈现),或者DB存储的数据变得不可移植(例如,将数据导出为JSON,CSV,XLS,PDF等时,根本不需要HTML转义。您也将失去社交控制,因为您不再了解用户实际填写的内容。您作为网站管理员真的想知道哪些用户/ IP正在尝试执行XSS,以便您可以轻松跟踪他们并采取相应的行动。在您真正需要在尽可能短的时间内修复严重开发的遗留Web应用程序的火车残骸时,请求处理期间的转义应该仅用作最新的手段。尽管如此,您最终应该重写JSP文件以使其成为XSS安全的。
Note that you don't need to escape them in the Java (Servlet) code, since they are harmless over there. Some may opt to escape them during request processing (as you do in Servlet or Filter) instead of response processing (as you do in JSP), but this way you may risk that the data unnecessarily get double-escaped (e.g. & becomes &amp; instead of & and ultimately the enduser would see & being presented), or that the DB-stored data becomes unportable (e.g. when exporting data to JSON, CSV, XLS, PDF, etc which doesn't require HTML-escaping at all). You'll also lose social control because you don't know anymore what the user has actually filled in. You'd as being a site admin really like to know which users/IPs are trying to perform XSS, so that you can easily track them and take actions accordingly. Escaping during request processing should only and only be used as latest resort when you really need to fix a train wreck of a badly developed legacy web application in the shortest time as possible. Still, you should ultimately rewrite your JSP files to become XSS-safe.
如果您想将用户控制的输入重新显示为HTML,而您只想允许HTML代码的特定子集,例如< b> ,< i> ,< ; u> 等,然后你需要清理白名单的输入。您可以使用 Jsoup 之类的HTML解析器。但是,更好的是引入一种人性化的标记语言,例如Markdown(也在Stack Overflow中使用)。然后,您可以使用像 CommonMark 这样的Markdown解析器。它还内置了HTML清理功能。另请参见我正在寻找一个Java HTML编码器。
If you'd like to redisplay user-controlled input as HTML wherein you would like to allow only a specific subset of HTML tags like <b>, <i>, <u>, etc, then you need to sanitize the input by a whitelist. You can use a HTML parser like Jsoup for this. But, much better is to introduce a human friendly markup language such as Markdown (also used here on Stack Overflow). Then you can use a Markdown parser like CommonMark for this. It has also builtin HTML sanitizing capabilities. See also I'm looking for a Java HTML encoder.
服务器端关于数据库的唯一问题是 SQL注入预防。您需要确保在SQL或JPQL查询中永远不会直接串联用户控制的输入,并且您一直在使用参数化查询。在JDBC术语中,这意味着您应该使用 PreparedStatement 而不是 Statement 。在JPA术语中,使用 查询 。
The only concern in the server side with regard to databases is SQL injection prevention. You need to make sure that you never string-concatenate user-controlled input straight in the SQL or JPQL query and that you're using parameterized queries all the way. In JDBC terms, this means that you should use PreparedStatement instead of Statement. In JPA terms, use Query.
另一种选择是从JSP / Servlet迁移到Java EE的MVC框架 JSF 。它已在所有地方内置了XSS(和CSRF!)预防。另请参阅 JSF中的CSRF,XSS和SQL注入攻击预防。
An alternative would be to migrate from JSP/Servlet to Java EE's MVC framework JSF. It has builtin XSS (and CSRF!) prevention over all place. See also CSRF, XSS and SQL Injection attack prevention in JSF.
这篇关于JSP / Servlet Web应用程序中的XSS预防的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
