如何最好地清理Java webapp中的输入 [英] How best to sanitize input in Java webapp
问题描述
我们使用jsp,servlets,bean和mysql数据库。我们不希望限制用户在表单字段上输入的字符。那么如何清理输入以及如何确保输出不会因恶意活动而更改。有没有办法在发送输出时我可以检查是否已经发送了额外的代码。就像假设有搜索输入字段 - 用户提供类似< script> alert(我在这里)< / script>
的内容。有没有我可以知道这是一个HTML标签。如果用户在链接字段中附加了一个额外的参数,那么就像之前和之后的检查一样,我可以为文档实现有一个额外的链接字段。
We use jsp, servlets, beans with mysql database. We don't want to restrict the characters entered by users on form fields. So how do I sanitize the input and how to make sure the output is not changed for malicious activities. Is there way while sending the output I could check if extra code has been sent. Like suppose there is search input field -- the user gives something like <script>alert("I am here")</script>
. Is there anway I could know this is a html tag. If the user appends an extra parameter to a link field, is there like a before and after check I could do for the document to realize there has been a extra link field.
推荐答案
你真的应该允许用户输入尽可能少的HTML和/或javascript。验证和消毒这些东西的一个好方法是使用现成的库,如 OWASP AntiSamy 。
You really should allow users to input as little HTML and/or javascript as possible. One good solution to validating and sanitizing this stuff is to use a ready-made library like OWASP AntiSamy.
另外,看看 OWASP Enterprise Security API ,用于开发人员构建安全Web应用程序所需的一组安全方法。
Also, take a look at OWASP Enterprise Security API for a collection of security methods that a developer needs to build a secure web application.
这篇关于如何最好地清理Java webapp中的输入的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!