Java中的Xss消毒
[英]Xss sanitization in java
问题描述
I have a code piece to sanitize string symbols '<' and '>' for XSS attacks. 
我有一段代码可以清理XSS攻击的字符串符号“ <”和“>”。 Do you see any point in the snippet below where someone can break the code for these two symbols. 您是否在下面的代码段中看到有人可以破坏这两个符号的代码的任何地方。 I know XSS has lot more to sanitize and there are standard libraries. 我知道XSS还有很多需要清理的地方,并且有标准库。 But do we expect any failures/breakage for the snippet below? 但是,我们期望下面的代码片段有任何故障/损坏吗? Thinking from encoding/character set point of view also. 从编码/字符设置的角度考虑。 Please have a look and suggest. 请看看并提出建议。
We can use replace also but this is already written code and I have to break it. 我们也可以使用replace,但这已经是编写的代码了,我必须打破它。
String next=""; //this will be a html get request param
final StringBuffer sb = new StringBuffer();
for (int i = 0; i < next.length(); ++i) {
final char ch = next.charAt(i);
if (ch == '<') {
sb.append("<");
} else if (ch == '>') {
sb.append(">");
} else {
sb.append(ch);
}
}
1 个解决方案
解决方案1
4 2013-11-12 13:50:49
One possible attack would be: 一种可能的攻击是:
<
This sign is also a < and need to be replace. 此符号也是< ,需要替换。
In fact I would suggest NOT to write the replacement yourself. 实际上,我建议您不要自己编写替代文件。 Use ESAPE by OWASP or commons-lang from apache . 使用OWASP的ESAPE或apache的commons-lang 。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.