Java - XSS - HTML 编码 - 字符实体引用与数字实体引用
我们一直在寻找对 JSP 页面进行 HTML 编码以对抗 XSS 的方法。
OWASP 网站展示了 How_to_perform_HTML_entity_encoding_in_Java
文章讨论了“Big 5”ie 的实体
21 {"#39", new Integer(39)}, // ' - apostrophe
22 {"quot", new Integer(34)}, // " - double-quote
23 {"amp", new Integer(38)}, // & - ampersand
24 {"lt", new Integer(60)}, // < - less-than
25 {"gt", new Integer(62)}, // > - greater-than
编码
<script>
被编码为,
<script>
但本文中包含的 Java 代码示例使用数字引用编码,即被
<script></script>
编码为
<script></script>
是否有理由使用字符引用而不是实体引用?哪个最好,为什么?
We've been looking for ways to HTML encode our JSP pages to counter XSS.
The OWASP site shows How_to_perform_HTML_entity_encoding_in_Java
The article talks about entity encoding the "Big 5" i.e.
21 {"#39", new Integer(39)}, // ' - apostrophe
22 {"quot", new Integer(34)}, // " - double-quote
23 {"amp", new Integer(38)}, // & - ampersand
24 {"lt", new Integer(60)}, // < - less-than
25 {"gt", new Integer(62)}, // > - greater-than
i.e.
<script>
is encoded as
<script>
but the Java code sample included in the article uses numeric reference encoding i.e.
<script></script>
is encoded as
<script></script>
Is there a reason for using character references over entity references? Which is best and why?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
就保护自己免受 XSS 侵害而言,它们是相同的。唯一真正的实际差异是可读性和大小。
They're the same as far as protecting yourself from XSS is concerned. The only real practical differences are readability and size.