如何在不使XSS失败的情况下在过滤器中编码对JSON的响应 [英] How to encode response to JSON in filter without failing XSS

查看:788
本文介绍了如何在不使XSS失败的情况下在过滤器中编码对JSON的响应的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!

问题描述

以下是SpotBugs的静态代码分析报告

BELOW IS THE static code analysis report from SpotBugs

XSS_SERVLET:Servlet中潜在的XSS 发现了潜在的XSS.它可以用来在客户端的浏览器中执行不需要的JavaScript. (请参阅参考资料)

XSS_SERVLET: Potential XSS in Servlet A potential XSS was found. It could be used to execute unwanted JavaScript in a client's browser. (See references)

易受攻击的代码:

protected void doGet(HttpServletRequest req, HttpServletResponse resp) 
throws ServletException, IOException {
String input1 = req.getParameter("input1");
[...]
resp.getWriter().write(input1);
}

解决方案:

protected void doGet(HttpServletRequest req, HttpServletResponse resp)     throws ServletException, IOException {
    String input1 = req.getParameter("input1");
    [...]
    resp.getWriter().write(Encode.forHtml(input1))

Encode.forJava for JavaScript正在编写特殊字符,并且JSON字符串已被破坏.

Encode.forJava for JavaScript is writing special chars and JSON string is compromised.

如何使用编码器发送JSON字符串.无需通过安全检查

How to use Encoder to send JSON string. without failing security CHECK

推荐答案

也许您可以看看OWASP JSON消毒器 https://www.owasp.org/index.php/OWASP_JSON_Sanitizer#tab=Main ?

Perhaps you could have a look at OWASP JSON sanitizer https://www.owasp.org/index.php/OWASP_JSON_Sanitizer#tab=Main ?

这篇关于如何在不使XSS失败的情况下在过滤器中编码对JSON的响应的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!

查看全文
相关文章
其他开发最新文章
热门教程
热门工具
登录 关闭
扫码关注1秒登录
发送“验证码”获取 | 15天全站免登陆