Java Regex保护xSS
[英]Java Regex for protecting xSS
问题描述
I want to use java Regex to check whether there is <script/> in my url. 
我想使用Java正则表达式检查我的URL中是否有<script/> 。 I want to match if characters of url occur in ['"&<>\\/] , But for java ,the regex is little different, I do not know how to write correct regex to match. Can someone can help me? 我想匹配url字符是否出现在['"&<>\\/] ,但是对于java来说,正则表达式几乎没有什么不同,我不知道如何编写正确的正则表达式来匹配。有人可以帮我吗?
2 个解决方案
解决方案1
2 2013-06-20 17:14:57
Never do Html Encoding/Decoding/Validation yourself. 绝对不要自己做HTML编码/解码/验证。 If you ever encounter code that is manually validating html, xml etc... it is a bug. 如果您遇到手动验证html,xml等的代码,则是一个错误。 Always use a library that is well used and peer reviewed for these sorts of tasks. 对于此类任务,请始终使用使用良好且经过同行评审的库。 Don't be a cowboy coder and think you can do it well; 不要当牛仔程序员,认为自己做得很好。 it is much harder to get right than you might think. 正确的事情比您想象的要难得多。 The OWASP site has everything you need to know about how to do this in JAVA. OWASP网站提供了有关如何在JAVA中执行此操作所需的所有信息。
解决方案2
0 2013-06-20 17:40:17
How are you displaying the query string parameter? 您如何显示查询字符串参数? If you are doing this in a JSP file you can simply use the <c:out> tag to escape it: 如果在JSP文件中执行此操作,则可以简单地使用<c:out>标记对其进行转义:
<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %>
<c:out value="${param.myUnsafeParam}" />
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.