在Java中转义html [英] Escaping html in Java

问题描述

我如何确保我不会逃避两次？

How do I make sure I don't escape something twice?

我听说过，从表单中收到它们的优点是逃避价值观，并且当您输出时也逃避。这样你有两个机会来抓住东西。

I've heard that its good practice to escape values as you receive them from a form, and also escape when you output. That way you have two chances to catch something.

推荐答案

我假设你正在使用JSP。

I presume that you're using JSP.

只能在显示中转义。 JSTL < c：out> 标签是完美的。它默认转义HTML实体。使用它来显示每个用户控制的输入，例如请求URL，请求标题和请求参数。

Just escape during display only. There for the JSTL <c:out> tag is perfectly suitable. It escapes HTML entities by default. Use it to display every user-controlled input, such as request URL, request headers and request parameters.

例如

<input type="text" name="foo" value="<c:out value="${param.foo}" />">

不需要在输入过程中转义。 XSS 不会损害原始Java代码或SQL数据库。另一方面，您也可以在数据库中保存未修改的数据，以便您仍然可以看到输入的用户实际 ，以便在必要时对邮件用户进行社交操作。

Escaping during input is not needed. XSS doesn't harm in raw Java code nor in SQL databases. On the other hand, you would also rather save data unmodified in DB so that you can still see what the user actually entered, so that you can if necessary do social actions on mailicious users.

如果你想知道在输入时要逃避什么，那将是 SQL注入。在这种情况下，只需使用 PreparedStatement 而不是常规的语句每当您要保存数据库中的任何用户控制输入。

If you'd like to know what to escape during input, it would be SQL injection. In such case just use PreparedStatement instead of regular Statement whenever you want to save any user-controlled input in the database.

例如

create = connection.prepareStatement("INSERT INTO user (username, password) VALUES (?, MD5(?))");
create.setString(1, username);
create.setString(2, password);
create.executeUpdate();

这篇关于在Java中转义html的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！