如何正则表达式替换$ {…}的所有出现<c:out value=“${…}” />
[英]How to regex-replace all occurrences of ${…} by <c:out value=“${…}” />
问题描述
I have unprotected JSPs which have XSS holes. 
我有带有XSS漏洞的不受保护的JSP。 I need to replace all ${...} strings which are not already inside a <c:out value="${...}" /> tag by a <c:out value="${...}" /> . 我需要替换所有${...}字符串这还不是里面<c:out value="${...}" />由标签<c:out value="${...}" /> 。
For example, 例如,
<select>
<option value="${foo}">label</option>
</select>
${bar}
<c:out value="${message}" />
needs to be regex-replaced to the following: 需要用正则表达式替换为以下内容:
<select>
<option value="<c:out value="${foo}" />">label</option>
</select>
<c:out value="${bar}" />
<c:out value="${message}" />
2 个解决方案
解决方案1
0 2012-04-25 21:37:20
It sounds like your starting text has a mixture of <c:out value="${...}" /> and ${...} in it. 听起来您的起始文本中混合了<c:out value="${...}" />和${...} 。 If that's the case, you could try something like this: 如果是这样,您可以尝试如下操作:
str = str.replaceAll(
"(?:<c:out\\s+value=\")?\\$\\{([^}]*)\\}(?:\"\\s*/>)?",
"<c:out value=\"\\${$1}\" />"
);
I'm a little rusty on my Java regex syntax, so check that I have the backslashes right. 我对Java regex语法有些生疏,因此请检查我是否正确使用了反斜杠。 Otherwise, I think that will work. 否则,我认为这会起作用。
解决方案2
0 2012-04-25 21:37:22
Regex is not the tool to use when requiring context. 正则表达式不是需要上下文时使用的工具。 However, it would be simple enough to do in two steps by first replacing all instances of <c:out value="${...}" /> to ${...} and then all ${...} to <c:out value="${...}" /> . 但是,只需将两个<c:out value="${...}" />实例替换为${...} ,然后将所有${...}替换为两个步骤,就足够简单到<c:out value="${...}" /> 。
Regular expressions 常用表达
\${[^}]+}
<c:out value="\${[^}]+}" />
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.