当 JSTL escapeXml 为 false 时如何防止 JavaScript 注入 (XSS)
我有一个表格,人们可以添加他们的东西。然而,在这种形式下,如果他们输入 JavaScript 而不仅仅是文本,他们就可以轻松地注入他们想做的任何事情。为了防止这种情况,我可以将 escapeXml 设置为 true,但是普通的 HTML 也会被转义。
<td><c:out value="${item.textValue}" escapeXml="true" /></td>
除了将其设置为 true 之外,还有其他方法可以防止 JavaScript 注入吗?
I have a form that people can add their stuff. However, in that form, if they enter JavaScript instead of only text, they can easily inject whatever they want to do. In order to prevent it, I can set escapeXml to true, but then normal HTML would be escaped as well.
<td><c:out value="${item.textValue}" escapeXml="true" /></td>
Is there any other way to prevent JavaScript injection rather than setting this to true?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(3)
我建议使用 Jsoup 。以下是来自其网站的相关摘录。
因此,在处理提交的文本期间,您基本上需要做的就是以下操作:
Jsoup 还提供了更多优势。另请参阅 HTML 解析器的优点和缺点在Java中。
I'd recommend using Jsoup for this. Here's an extract of relevance from its site.
So, all you basically need to do is the the following during processing the submitted text:
Jsoup offers more advantages than that as well. See also Pros and Cons of HTML parsers in Java.
您需要将服务器上的 HTML 文本解析为 XML,然后丢弃不在严格白名单中的任何标记和属性。
(并检查
href和src属性中的 URL)You need to parse the HTML text on the server as XML, then throw out any tags and attributes that aren't in a strict whitelist.
(And check the URLs in
hrefandsrcattributes)这正是 OWASP AntiSamy 项目 的目的。
另一种选择是 OWASP HTMLSanitizer 项目。它速度更快,依赖性更少,并且目前得到了项目负责人的积极支持。我认为它尚未经历任何 GA/稳定版本,因此您在评估此库时应该考虑这一点。
This is exactly the intent of the OWASP AntiSamy project.
Another alternative is the OWASP HTMLSanitizer project. It is faster, has less dependencies and actively supported by the project lead as of now. I don’t think it has gone through any GA/Stable release yet so you should consider that when evaluating this library.