如何防止人们在 Spring MVC 中进行 XSS? [英] How do I prevent people from doing XSS in Spring MVC?
问题描述
我应该怎么做才能防止 Spring MVC 中的 XSS?现在我只是把我输出用户文本的所有地方都放在 JSTL <c:out>
标签或 fn:escapeXml()
函数中,但这似乎容易出错我可能会错过一个地方.
What should I do to prevent XSS in Spring MVC? Right now I am just putting all places where I output user text into JSTL <c:out>
tags or fn:escapeXml()
functions, but this seems error prone as I might miss a place.
是否有一种简单的系统方法可以防止这种情况发生?也许像过滤器之类的?我通过在控制器方法上指定 @RequestParam
参数来收集输入.
Is there an easy systematic way to prevent this? Maybe like a filter or something? I'm collecting input by specifying @RequestParam
parameters on my controller methods.
推荐答案
在 Spring 中,您可以从 标签生成的 JSP 页面中转义 html.这关闭了 XSS 攻击的很多途径,并且可以通过三种方式自动完成:
In Spring you can escape the html from JSP pages generated by <form>
tags. This closes off a lot avenues for XSS attacks, and can be done automatically in three ways:
对于 web.xml
文件中的整个应用程序:
For the entire application in the web.xml
file:
<context-param>
<param-name>defaultHtmlEscape</param-name>
<param-value>true</param-value>
</context-param>
对于文件本身中给定页面上的所有表单:
For all forms on a given page in the file itself:
<spring:htmlEscape defaultHtmlEscape="true" />
对于每种形式:
<form:input path="someFormField" htmlEscape="true" />
这篇关于如何防止人们在 Spring MVC 中进行 XSS?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!