如何最好地清理Java webapp中的输入 [英] How best to sanitize input in Java webapp

问题描述

我们使用jsp，servlets，bean和mysql数据库。我们不希望限制用户在表单字段上输入的字符。那么如何清理输入以及如何确保输出不会因恶意活动而更改。有没有办法在发送输出时我可以检查是否已经发送了额外的代码。就像假设有搜索输入字段 - 用户提供类似< script> alert（我在这里）< / script> 的内容。有没有我可以知道这是一个HTML标签。如果用户在链接字段中附加了一个额外的参数，那么就像之前和之后的检查一样，我可以为文档实现有一个额外的链接字段。

We use jsp, servlets, beans with mysql database. We don't want to restrict the characters entered by users on form fields. So how do I sanitize the input and how to make sure the output is not changed for malicious activities. Is there way while sending the output I could check if extra code has been sent. Like suppose there is search input field -- the user gives something like <script>alert("I am here")</script>. Is there anway I could know this is a html tag. If the user appends an extra parameter to a link field, is there like a before and after check I could do for the document to realize there has been a extra link field.

推荐答案

你真的应该允许用户输入尽可能少的HTML和/或javascript。验证和消毒这些东西的一个好方法是使用现成的库，如 OWASP AntiSamy 。

You really should allow users to input as little HTML and/or javascript as possible. One good solution to validating and sanitizing this stuff is to use a ready-made library like OWASP AntiSamy.

另外，看看 OWASP Enterprise Security API ，用于开发人员构建安全Web应用程序所需的一组安全方法。

Also, take a look at OWASP Enterprise Security API for a collection of security methods that a developer needs to build a secure web application.

这篇关于如何最好地清理Java webapp中的输入的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！