Veracode - Improper Neutralization of Script-Related HTML tags in a Web Page (Basic XSS)
Question
I have inherited a legacy application and there is a snippet of code given below.
private static void printKeywordCheckboxes(JspWriter out, ArrayList words, int type)
        throws IOException {
    LogbookKeyword thisWord;
    Iterator iterWord = words.iterator();
    while (iterWord.hasNext()) {
        thisWord = (LogbookKeyword) iterWord.next();
        // type and hashCode() are ints; getWord() is a string written to the page
        // without HTML escaping (this println is the line Veracode flags)
        out.println(" <input type=\"checkbox\" name=\"keywordCheckbox" +
                type + "\" value=\"" +
                thisWord.hashCode() + "\" checked/>" +
                thisWord.getWord() + "<br>");
    }
}
Veracode is throwing an exception "Improper Neutralization of Script-Related HTML tags in a Web Page (Basic XSS)" at the 'out.println()'.
Can anybody let me know how this issue should be fixed? Any help would be greatly appreciated.
Accepted answer
The problem is that 'words' are being passed down to your method, but there is no neutralization of these before they get used - the words get used 'as-is' so could contain scripts that cause harm. There is a good description explaining this and why it is a problem: http://www.veracode.com/images/pdf/top5mostprevalent.pdf
When you are generating this HTML, you are going to need to neutralize the user input - make sure it is harmless before turning it into HTML. My Java is a bit rusty but a Google gives us some suggestions:
- Recommended method for escaping HTML in Java
- Java escape HTML
Have a read of the tips on this cheat sheet: https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet
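The following is an added example, not code from the question or the answer above, showing what "neutralize before turning it into HTML" looks like for this exact method. It assumes a minimal stand-in for the questioner's LogbookKeyword class (only getWord() is needed), uses java.io.Writer in place of JspWriter so it runs outside a servlet container, and uses a small hand-written escapeHtml helper so the example is self-contained; the constructed sample keywords include script payloads of the kind an attacker could store.

```java
import java.io.IOException;
import java.io.StringWriter;
import java.io.Writer;
import java.util.ArrayList;
import java.util.List;

/**
 * Added example (not part of the original question or answer): the legacy
 * printKeywordCheckboxes beside a hardened version that HTML-escapes the
 * only user-controlled string before writing it into the page.
 */
public class KeywordCheckboxes {

    /** Stand-in for the questioner's LogbookKeyword; assumed to expose getWord(). */
    static final class LogbookKeyword {
        private final String word;
        LogbookKeyword(String word) { this.word = word; }
        String getWord() { return word; }
        @Override public int hashCode() { return word.hashCode(); } // deterministic for the demo
    }

    /**
     * Escape a string for HTML text content or a double-quoted attribute value.
     * These five replacements cover both contexts. Hand-written here so the
     * example is self-contained; in production prefer a maintained encoder
     * such as OWASP Java Encoder (Encode.forHtml / Encode.forHtmlAttribute).
     */
    static String escapeHtml(String s) {
        if (s == null) return "";
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** The legacy behaviour: getWord() reaches the page unescaped (the Veracode finding). */
    static void printKeywordCheckboxesUnsafe(Writer out, List<LogbookKeyword> words, int type)
            throws IOException {
        for (LogbookKeyword w : words) {
            out.write(" <input type=\"checkbox\" name=\"keywordCheckbox" + type
                    + "\" value=\"" + w.hashCode() + "\" checked/>"
                    + w.getWord() + "<br>\n");
        }
    }

    /** Hardened version: type and hashCode() are ints and cannot carry markup; getWord() is escaped. */
    static void printKeywordCheckboxes(Writer out, List<LogbookKeyword> words, int type)
            throws IOException {
        for (LogbookKeyword w : words) {
            out.write(" <input type=\"checkbox\" name=\"keywordCheckbox" + type
                    + "\" value=\"" + w.hashCode() + "\" checked/>"
                    + escapeHtml(w.getWord()) + "<br>\n");
        }
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample input: one benign keyword and two stored-XSS style payloads.
        List<LogbookKeyword> words = new ArrayList<>();
        words.add(new LogbookKeyword("budget"));
        words.add(new LogbookKeyword("<script>alert(document.cookie)</script>"));
        words.add(new LogbookKeyword("\"><img src=x onerror=alert(1)>"));

        StringWriter unsafe = new StringWriter();
        printKeywordCheckboxesUnsafe(unsafe, words, 1);
        StringWriter safe = new StringWriter();
        printKeywordCheckboxes(safe, words, 1);

        System.out.println("--- legacy output (payload is live markup) ---");
        System.out.print(unsafe);
        System.out.println("--- hardened output (payload is inert text) ---");
        System.out.print(safe);

        // Sanity check: no user-supplied '<' survives unescaped in the hardened output.
        if (safe.toString().contains("<script") || safe.toString().contains("<img")) {
            throw new AssertionError("escaping failed");
        }
    }
}
```

Two practical notes. First, escape at the output point and for the context the data lands in: here getWord() is written as HTML body text, so HTML entity encoding is the right transform; if a word were ever placed inside an attribute or a JavaScript block, that context needs its own encoder (the OWASP cheat sheet linked above lists them). Second, static analysers only recognise a fixed set of cleansing functions, so a hand-rolled escaper like the one above may leave the Veracode finding open even though the output is safe; using a recognised library encoder such as OWASP Java Encoder in the real fix avoids that.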