Java中的XSS漏洞
[英]XSS vulnerability in java
问题描述
How to fix the below XSS vulnerability issue?
如何解决以下XSS漏洞问题? How to secure my website from XSS vulnerability?
如何保护我的网站免受XSS漏洞的侵害?
By adding a javascript in the URL of the website all the cookies values are being displayed. 通过在网站的URL中添加JavaScript,所有的cookie值都将被显示。
below is a similar example of the URL which consists of a java script: 以下是由Java脚本组成的URL的类似示例:
https://www.example.com/ >< script>alert(document.cookie)< / script >&UserTarget= https://www.example.com/homepageredirect.jsp https://www.example.com/ > <脚本> alert(document.cookie)</脚本>&UserTarget = https://www.example.com/homepageredirect.jsp
To overcome this I added the below filer in obj.conf file in webserver 7.0: 为了解决这个问题,我在webserver 7.0的obj.conf文件中添加了以下文件管理器:
Input fn="insert-filter"
method="POST"
filter="sed-request"
sed="s/(<|%3c)/\\< / gi"
sed="s/(>|%3e)/\\>/gi"
Ever after making these changes in the obj.conf , still the issue is not fixed. 在obj.conf中进行了这些更改之后,问题仍然没有得到解决。 Please suggest something. 请提出一些建议。
2 个解决方案
解决方案1
1 2013-01-28 01:55:44
When you print your HTML just escape the special chars in the client side (or server-side, it depends for what you are going to print it) then you will be allowed to pass any input through without the need to use awkward regex or other kind of filter. 当您打印HTML时,只需在客户端(或服务器端,取决于要打印的内容)中的特殊字符转义,然后您就可以通过任何输入,而无需使用笨拙的正则表达式或其他一种过滤器。
Example: Let's say I have a variable that can receive a <script>alert( document.cookie )</script> , when I print I would do something like <div> <%= escapeHTML( dangerousVariable ) %> </div> . 示例:假设我有一个可以接收<script>alert( document.cookie )</script>的变量,当我打印时,我会做类似<div> <%= escapeHTML( dangerousVariable ) %> </div> 。
解决方案2
0 2016-03-02 09:33:29
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.