How to ignore ESAPI exception “org.owasp.esapi.errors.IntrusionException: Input validation failure”?
My project (built on JSP, Struts, Hibernate) takes input from the user and saves it in the database. To make my application secure I have used the ESAPI jar.
I am getting the exception
org.owasp.esapi.errors.IntrusionException: Input validation failure
at the method ESAPI.encoder().canonicalize();
This exception generally occurs when we are copying and pasting data from Skype, MS Word, etc.
When I copy-paste a string from Skype messenger it automatically adds extra styling data with div, meta, p, etc. (all the HTML tags), which leads to the addition of many special characters that might be causing the exception mentioned above.
But when I copy the string from Notepad it doesn't give an exception.
How can I ignore this exception so that I can add the data? Is there something to be modified in ESAPI.properties or validation.properties? What are your views?
I think your weird issue has to do with additional encoding when you paste something from (say) MS Word versus from something simple like Notepad. When you are in Word, it picks up some additional metadata, and the default 'paste' from MS Word is really 'paste special'. This is done so that you can copy text from one Office application to another (e.g., Word to Outlook) and "retain formatting". I think it is all this additional metadata that you are getting that is messing you up, because it probably looks to ESAPI like it is multi-encoded, or it thinks that mixed encoding is used.
That said, if you want to do validation, you really ought to be using one of the Validator.isValidInput() or Validator.getValidInput() methods. These call Encoder.canonicalize() by default (unless you use the latest ESAPI from the 'develop' branch, where you can actually disable the canonicalization--a recent bug fix).
-kevin
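As an added illustration of the advice above (example code, not from the question or the answer), this wraps ESAPI.validator().getValidInput() for one form field and handles the two failure types separately: a pattern or length failure (ValidationException) and the multi/mixed-encoding case from canonicalization (IntrusionException), which is rejected and reported rather than ignored. The validation type name "Comment", its validation.properties pattern, and the user messages are assumptions; the ESAPI.properties keys named in the comments are the ones that govern how strict canonicalize() is in ESAPI 2.x.

```java
import org.owasp.esapi.ESAPI;
import org.owasp.esapi.errors.IntrusionException;
import org.owasp.esapi.errors.ValidationException;

public class PastedTextValidator {

    // Assumed validation type; needs a matching whitelist entry in validation.properties, e.g.
    //   Validator.Comment=^[\\p{L}\\p{N}\\s.,!?'"()-]{0,500}$      (constructed pattern)
    private static final String TYPE = "Comment";
    private static final int MAX_LENGTH = 500;

    /** Outcome for one field: either a canonicalized, validated value or a rejection reason. */
    public static final class Result {
        public final String value;     // canonicalized and pattern-checked text, or null
        public final String rejection; // message to show the user, or null when valid
        Result(String value, String rejection) { this.value = value; this.rejection = rejection; }
    }

    public static Result validate(String fieldName, String rawInput) {
        try {
            // getValidInput() first canonicalizes (decodes HTML entities, percent-encoding, ...)
            // and then matches the canonical form against the whitelist pattern for TYPE.
            String clean = ESAPI.validator().getValidInput(fieldName, rawInput, TYPE, MAX_LENGTH, false);
            return new Result(clean, null);
        } catch (ValidationException e) {
            // Whitelist or length failure: the user-facing message is safe to display as-is.
            return new Result(null, e.getUserMessage());
        } catch (IntrusionException e) {
            // Canonicalization found multiple or mixed encodings, the situation in the question.
            // ESAPI has already logged it as an intrusion; reject the field instead of "ignoring" it.
            // Strictness is controlled by Encoder.AllowMultipleEncoding and Encoder.AllowMixedEncoding
            // in ESAPI.properties; relaxing them removes the double-encoding check for every field.
            return new Result(null, "Pasted content contains encoded markup; please paste as plain text.");
        }
    }
}
```

In a Struts action, call validate("comment", form.getComment()) and only persist result.value when result.rejection is null; the rejection string goes back to the form as a field error.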