我很乐意为我提供一套处理转义字符串的明确指南或规则。我使用 apache commons-lang-xxjar 库来转义字符串。具体来说是 StringEscapeUtils.escapeHtml(String toEscape) 方法。
我需要知道:
(1) 哪里对字符串进行转义比较好,在JSP页面上还是在Servlet中?
(2) 你推荐什么 StringEscapeUtils.escapeHtml(..) 或 来自 JSTL
(3) 处理多行字符串,哪个更好,使用
;直接在字符串中,或 \n 和 nl2br() 方法:
String strError = "无效的用户名。\n请重试。";
或
String strError = "无效的用户名。
(4) 如何转义接收通配符的字符串,例如:
String strError = "Invalid user [%s].
请指定其他用户。 "
(5) 由于javascript转义字符不同。我应该使用什么来转义要在 JSP 页面的 javascript 部分内呈现的 Java 字符串(例如 var name = "<%=javaStringHoldingName%>")。
I would appreciate providing me with a set of clear guidelines or ruling for handling escaping strings. What I use for escaping strings is the apache commons-lang-x.x.jar library. Specifically the StringEscapeUtils.escapeHtml(String toEscape) method.
I need to know:
(1) Where is it better to escape strings, on the JSP page or in the Servlet?
(2) What do you recommend StringEscapeUtils.escapeHtml(..) or <c:out> from JSTL
(3) Handling multiline strings, which is better, use <br> directly in the string, or \n and a nl2br() method:
String strError = "Invalid username.\nPlease try again.";
or
String strError = "Invalid username.<br>Please try again.";
(4) How would I go escaping strings that receive wild cards, example:
String strError = "Invalid user [%s].<br>Please specify another user."
(5) Since javascript escape characters are different. What should I use to escape Java strings that are to be rendered inside the javascript sections of the JSP page (eg. var name = "<%=javaStringHoldingName%>").
发布评论
评论(3)
你只需要在它可能造成伤害的地方逃离它即可。在这种特殊情况下,它就在视图中。当用户控制的 HTML 内联到视图中的所有 HTML 中时,它可能会造成损害。这是 XSS 的来源。
在设计良好的 JSP 页面中(请阅读:否 scriptlet),JSTL 为您提供
fn:escapeXml()函数来转义 HTML/XML。You only need to escape it exactly there where it can harm. In this particular case, it's in the view. User-controlled HTML can harm when it get inlined among all your HTML in the view. This is a source for XSS.
In a well-designed JSP page (read: no scriptlets), JSTL offers you the
<c:out>tag andfn:escapeXml()function to escape HTML/XML.对于您的两个问题:
1)出于显示目的转义字符串 - 我认为这是一个视图问题。如果您使用 JSP 作为视图,您的 JSP 可以处理这个问题。
3) 来自模型/业务逻辑层的错误消息不应包含换行符等格式。让您的视图确定如何格式化错误消息。例如,对于 HTML,使用具有适当宽度样式的 div 标签可以消除对 br 标签的需要。
For two of your questions:
1) Escaping strings for display purposes - I would consider this a view concern. Your JSP could handle this, if you're using your JSP as a view.
3) Error messages from your models / business logic layer should not include formatting such as newline characters. Let your view determine how to format error messages. With HTML, the use of a div tag with appropriate width styling can eliminate the need for br tags, for example.
我可能不会传递一个 String 对象,而是只是将一个错误对象传递给视图并让 jsp 做它想做的任何事情
在控制器中:
在视图中:
与您的问题并不真正相关,但这也是一个很好的做法无论登录错误到底是什么,都使用类似“无效登录尝试”的消息。您给出的消息“无效的用户名”可以让意图入侵您帐户的人知道他们是否拥有可以用来攻击密码的好用户名。如果这被公开曝光,这可能是一个小但非常现实的问题。
I would probably not pass a String object, but instead just pass an error object up to the view and let the jsp do whatever it wants
In the controller:
In the view:
Not really related to your question, but it's also a good practice to use a message like, "invalid login attempt" no matter what the login error really is. The message you are giving, "invalid username" lets someone intent on hacking your accounts know if they have a good username that they can use to then attack the password with. If this is exposed publicly, this can be a small, but very real, issue.