XSS prevention in JSP/Servlet web application


Problem description

How can I prevent XSS attacks in a JSP/Servlet web application?

Recommended answer

XSS can be prevented in JSP by using the JSTL <c:out> tag or the fn:escapeXml() EL function when (re)displaying user-controlled input. This includes request parameters, headers, cookies, URL, body, etc.: anything which you extract from the request object. Also, user-controlled input from previous requests which is stored in a database needs to be escaped during redisplaying.

For example:

<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %>
<%@ taglib prefix="fn" uri="http://java.sun.com/jsp/jstl/functions" %>
<p><c:out value="${bean.userControlledValue}" /></p>
<p><input name="foo" value="${fn:escapeXml(param.foo)}"></p>

This will escape characters which may malform the rendered HTML such as <, >, ", ' and & into HTML/XML entities such as &lt;, &gt;, &quot;, &apos; and &amp;.

Note that you don't need to escape them in the Java (Servlet) code, since they are harmless over there. Some may opt to escape them during request processing (as you do in a Servlet or Filter) instead of response processing (as you do in JSP), but this way you risk that the data unnecessarily gets double-escaped (e.g. & becomes &amp;amp; instead of &amp;, and ultimately the end user would see &amp; being presented), or that the DB-stored data becomes unportable (e.g. when exporting data to JSON, CSV, XLS, PDF, etc., which doesn't require HTML-escaping at all). You'll also lose social control because you no longer know what the user has actually filled in. As a site admin, you'd really like to know which users/IPs are trying to perform XSS, so that you can easily track them and take action accordingly. Escaping during request processing should only be used as a last resort, when you really need to fix a train wreck of a badly developed legacy web application in the shortest time possible. Still, you should ultimately rewrite your JSP files to become XSS-safe.

If you'd like to redisplay user-controlled input as HTML wherein you would like to allow only a specific subset of HTML tags like <b>, <i>, <u>, etc., then you need to sanitize the input by a whitelist. You can use an HTML parser like Jsoup for this. But much better is to introduce a human-friendly markup language such as Markdown (also used here on Stack Overflow). Then you can use a Markdown parser like CommonMark for this. It also has built-in HTML sanitizing capabilities. See also Markdown or HTML.

The only concern in the server side with regard to databases is SQL injection prevention. You need to make sure that you never string-concatenate user-controlled input straight in the SQL or JPQL query and that you're using parameterized queries all the way. In JDBC terms, this means that you should use PreparedStatement instead of Statement. In JPA terms, use Query.

An alternative would be to migrate from JSP/Servlet to Java EE's MVC framework JSF. It has built-in XSS (and CSRF!) prevention all over the place. See also CSRF, XSS and SQL Injection attack prevention in JSF.
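The following is an added example and not part of the answer above. It re-implements the escaping that JSTL's <c:out> and fn:escapeXml() perform (using the same five-character table, with JSTL's numeric references for the quote characters) so that the three points of the answer can be run stand-alone from the JDK: the unescaped JSP output beside the escaped one, the double-escaping that occurs when a Filter escapes at request time and the JSP escapes again at response time, and a PreparedStatement that binds user input instead of concatenating it. The `users` table with `username` and `display_name` columns and the `findDisplayNameByUsername` helper are assumptions for illustration; a real JSP should use the tag library rather than this `escapeXml` method.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;

public class XssEscapeDemo {

    // Output-time escaping with the same character table that JSTL's <c:out>
    // and fn:escapeXml() use (& < > " '). Re-implemented here for illustration;
    // JSTL emits the numeric references &#034; and &#039;, which browsers treat
    // the same as &quot; and &apos;.
    public static String escapeXml(String input) {
        if (input == null) {
            return "";
        }
        StringBuilder sb = new StringBuilder(input.length() + 16);
        for (int i = 0; i < input.length(); i++) {
            char c = input.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&#034;"); break;
                case '\'': sb.append("&#039;"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // What <input name="foo" value="${param.foo}"> renders: the raw value is
    // concatenated into the markup, so a " in the input closes the attribute
    // and the rest of the input becomes markup.
    public static String renderInputUnescaped(String paramFoo) {
        return "<input name=\"foo\" value=\"" + paramFoo + "\">";
    }

    // What <input name="foo" value="${fn:escapeXml(param.foo)}"> renders:
    // escaping happens at response time, right where the value enters HTML.
    public static String renderInput(String paramFoo) {
        return "<input name=\"foo\" value=\"" + escapeXml(paramFoo) + "\">";
    }

    // The failure mode the answer warns about: a Filter escapes the parameter
    // at request time (and that value is what gets stored), then the JSP
    // escapes it again at response time.
    public static String renderInputDoubleEscaped(String rawParam) {
        String escapedTooEarly = escapeXml(rawParam); // done in a Filter / before storing
        return renderInput(escapedTooEarly);          // escaped a second time in the JSP
    }

    // Parameterized query: the user-controlled value is bound with setString,
    // never concatenated into the SQL text. Assumes a hypothetical users table.
    public static String findDisplayNameByUsername(Connection conn, String username)
            throws SQLException {
        String sql = "SELECT display_name FROM users WHERE username = ?";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, username);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next() ? rs.getString(1) : null;
            }
        }
    }

    public static void main(String[] args) {
        // Constructed attacker input, as it would arrive via request.getParameter("foo").
        String payload = "\"><script>alert(document.cookie)</script>";
        System.out.println("unescaped:      " + renderInputUnescaped(payload));
        System.out.println("escaped:        " + renderInput(payload));

        // Constructed benign input containing an ampersand, to show the
        // double-escaping problem.
        String ampersand = "Tom & Jerry";
        System.out.println("escaped once:   " + renderInput(ampersand));
        System.out.println("escaped twice:  " + renderInputDoubleEscaped(ampersand));
    }
}
```

Run with `javac XssEscapeDemo.java && java XssEscapeDemo`. In the first pair of lines the unescaped variant contains a live `<script>` element after the closed attribute, while the escaped variant keeps the whole payload inside the `value` attribute as text. In the second pair, `Tom & Jerry` escaped once renders in the browser as `Tom & Jerry`, whereas the double-escaped attribute holds `Tom &amp;amp; Jerry` and the browser displays the literal text `Tom &amp; Jerry`, which is exactly the symptom the answer describes. `findDisplayNameByUsername` is not called from `main` because it needs a live JDBC `Connection`; it compiles against the JDK alone.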
