I am getting Cross-Site Scripting: Poor Validation on Struts call to a bean class
Problem description
I scanned my application in HP Fortify and am getting an issue, Cross-Site Scripting: Poor Validation. I am using the ESAPI library. I am getting this finding on a Struts application.
<%@ taglib prefix="s" uri="/struts-tags" %>
<form method='post' name='<s:property value='tableBean.formName'/>' action='Notification.action'>
public String printApplications() throws IOException, ServletException {
request.setAttribute(TableDisplayBean.TABLE_BEAN, tableBean);
}
What would be the proper syntax to use ESAPI to encode tableBean.formName?
Before:
<html lang="${myVar}">
The appropriate syntax would look like this:
<%@ taglib uri="/WEB-INF/tld/esapi.tld" prefix="esapi" %>
<html lang="<esapi:encodeForHTMLAttribute>${myvar}</esapi:encodeForHTMLAttribute>">
In your case, use HTMLAttribute, because the value you're getting dynamically is being inserted into the "name" attribute on the tag. If it was going to be, say, in a p-tag, you'd use esapi:encodeForHTML.
<p>
<esapi:encodeForHTML>${myVal}</esapi:encodeForHTML>
</p>
Also, if the value would be received by a JavaScript function on rendering, use esapi:encodeForJavaScript.
Encoding always has a proper context, and the context is answered by the question, "What kind of interpreter will first receive this data?"
=============================================
I wasn't explicit enough. The example I provided will only escape for HTML attributes when it sounds like it's being deposited as raw HTML. The general example above has been reworked.
Using your example, try:
<%-- The ESAPI tag wraps the output of s:property (a JSP tag cannot sit inside another tag's attribute); escapeHtml="false" keeps Struts from HTML-escaping the value before ESAPI does, which would double-encode it. --%>
<form method='post' name='<esapi:encodeForHTMLAttribute><s:property value="tableBean.formName" escapeHtml="false"/></esapi:encodeForHTMLAttribute>' action='Notification.action'>
I'm used to JSTL syntax, so I'm not 100% sure the best way to wrap your variable here. You'll have to play with it. Alternatively, you could add a method to tableBean like tableBean.attributeEscapedFormName, which would look like:
import org.owasp.esapi.ESAPI;

public class TableBean {
    String formName;

    // ESAPI's Encoder exposes encodeForHTMLAttribute (there is no escapeForHTMLAttribute);
    // it entity-encodes quotes, angle brackets and ampersands so the value cannot
    // terminate the surrounding attribute.
    public String htmlAttributeEscapedFormName() {
        return ESAPI.encoder().encodeForHTMLAttribute(formName);
    }
}
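An added example, not code from the question or the answer, that carries the bean-method approach through and also makes the "which interpreter receives this data first" rule from the answer visible: the same form name is exposed once per output context (HTML attribute, HTML text node, JavaScript string), and a small main() prints what each encoder produces for a constructed value containing the characters that matter. It assumes the ESAPI jar and an ESAPI.properties file are on the classpath, which ESAPI.encoder() needs at runtime; the getter names, the renderFormTag helper and the sample form name are all made up for this example.

```java
import org.owasp.esapi.ESAPI;

/**
 * Added example (not from the original question or answer).
 * Assumes ESAPI and its ESAPI.properties are on the classpath.
 */
public class TableBean {
    private final String formName;

    public TableBean(String formName) {
        this.formName = formName;
    }

    // Raw value: only hand this to code that encodes for its own output context.
    public String getFormName() {
        return formName;
    }

    // Named with a get- prefix so OGNL resolves
    //   <s:property value="tableBean.htmlAttributeEscapedFormName" escapeHtml="false"/>
    // as a property read. Use inside name='...' or any other attribute value.
    public String getHtmlAttributeEscapedFormName() {
        return ESAPI.encoder().encodeForHTMLAttribute(formName);
    }

    // Same value for an HTML text node, e.g. between <p> and </p>.
    public String getHtmlEscapedFormName() {
        return ESAPI.encoder().encodeForHTML(formName);
    }

    // Same value for a JavaScript string literal, e.g. var n = '...';
    public String getJavaScriptEscapedFormName() {
        return ESAPI.encoder().encodeForJavaScript(formName);
    }

    // Hypothetical helper: builds the <form> opening tag from the question
    // with attribute-context encoding applied, so the effect is visible
    // without deploying a JSP.
    static String renderFormTag(TableBean bean) {
        return "<form method='post' name='"
             + bean.getHtmlAttributeEscapedFormName()
             + "' action='Notification.action'>";
    }

    public static void main(String[] args) {
        // Constructed sample value. The single quote is the character that would
        // otherwise close name='...' and let the remainder be parsed as new
        // attributes; '<', '&' and '"' are included to show they are encoded too.
        TableBean bean = new TableBean("orders' <draft> & \"final\"");
        System.out.println("raw:       " + bean.getFormName());
        System.out.println("attribute: " + bean.getHtmlAttributeEscapedFormName());
        System.out.println("html body: " + bean.getHtmlEscapedFormName());
        System.out.println("js string: " + bean.getJavaScriptEscapedFormName());
        System.out.println(renderFormTag(bean));
    }
}
```

When the JSP reads the pre-encoded getter, emit it with Struts' own escaping switched off (escapeHtml="false" on s:property in Struts 2), otherwise the ampersands ESAPI produced are escaped a second time and the attribute renders as entity text rather than the intended name. Keep exactly one encoder per output location, chosen by the context the value lands in, and never reuse the attribute-encoded string inside a script block.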