由于在 jsp 文件中使用双引号而导致的简单错误
我的 Web 应用程序的 JSP 文件中有以下代码行出现错误:
<jsp:setProperty name="db" property="userName" value="<%=request.getParameter("userName")%>"/>
我收到的错误消息是:
org.apache.jasper.JasperException: /loginbean.jsp(6,59) 属性值 request.getParameter("用户名") 是 用 " 引用,必须转义 当在值内使用时
我在某些网站上读到的是像 ' (单引号)或 " (双引号)这样的字符需要以转义序列作为前缀 \ (反斜杠),如果要使用它们,
但是,当我尝试在双引号(用户名周围)添加反斜杠前缀时,我立即收到以下错误 - “非法字符 \92- 未闭合字符串”。字面意思”
我该如何解决这个问题?
I have the following line of code in a JSP File in my web app that is giving an error:
<jsp:setProperty name="db" property="userName" value="<%=request.getParameter("userName")%>"/>
The error message that I get is:
org.apache.jasper.JasperException:
/loginbean.jsp(6,59) Attribute value
request.getParameter("userName") is
quoted with " which must be escaped
when used within the value
What I read on some sites is that characters like ' (single quote) or " (double quote) need to be prefixed with an escape sequence \ (backslash) if they are to be used.
However, when I try and prefix the double quotes (around the word userName) with backslash, I immediately get the following error- "Illegal Character \92- Unclosed String Literal"
How do I resolve this problem?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(7)
您应该在
value参数上使用单引号,即:或将
org.apache.jasper.compiler.Parser.STRICT_QUOTE_ESCAPING参数设置为false如此处所述:http://blogs.sourceallies.com/2009/10/strict-quote-escaping-in-tomcat/
You should use single quotes on the
valueparameter, ie:or set the
org.apache.jasper.compiler.Parser.STRICT_QUOTE_ESCAPINGparameter tofalseas described here:http://blogs.sourceallies.com/2009/10/strict-quote-escaping-in-tomcat/
如果您使用的是 Tomcat 8.5+,则属性
org.apache.jasper.compiler.Parser.STRICT_QUOTE_ESCAPING=false不会被承认。
通过在
{TOMCAT_ROOT}/conf/web.xml中成功设置该属性:If you are using Tomcat 8.5+, the property
org.apache.jasper.compiler.Parser.STRICT_QUOTE_ESCAPING=falsewill not be acknowledged.
I was able to set the property successfully in
{TOMCAT_ROOT}/conf/web.xmlby adding the following within the<servlet>block:如果您不想修改 JSP,只需
在
{TOMCAT_ROOT}/conf/catalina.properties文件中 设置:效果就像一个魅力!来自这里。
If you don't want to modify your JSPs, just set:
in your
{TOMCAT_ROOT}/conf/catalina.propertiesfile. Works like a charm!Kudos from here.
这可以通过 IDE Regexp Replace 来修复:
对于替换文本,输入:
$1'$2'
This can be fixed with a IDE Regexp Replace:
For the replacement text, enter:
$1'$2'
该示例看起来像 XSS 示例!这是一个安全漏洞。
我建议放置一个 html 编码库,例如 c:out 标记或 http://owasp-esapi-java.googlecode.com/svn/trunk_doc/latest/org/owasp/esapi/Encoder.html#encodeForHTMLAttribute%28java.lang.String%29
我还建议从经过身份验证的会话中获取用户名,如果可能的话,不要形成请求参数(除非这只是登录/注册表单!)
The example looks like a XSS example! This is a security vulnerability.
I suggest to put in place a html encoding library like c:out tag or http://owasp-esapi-java.googlecode.com/svn/trunk_doc/latest/org/owasp/esapi/Encoder.html#encodeForHTMLAttribute%28java.lang.String%29
I also suggest to take the userName from an authenticated session and not form the request param if possible (unless this is a login/registration form only!)
如果使用 " 作为 scriplet 分隔符,则不能在 getParameter 中使用 some 作为属性分隔符。因此将 scriptlet 的分隔符更改为 '。作为标记参数,我认为不会有问题。否则替换 :
value ="<%=request.getParameter("用户名")%>"/>
通过:
value='<%=request.getParameter("用户名")%>'/>;
if you use a " as scriplet delimeter, you can't use the some as a property delimiter in getParameter. So change the delimeter of scriptlet by '.As it tag parameter, I think there 'll be no problem. Otherwise replace :
value="<%=request.getParameter("userName")%>"/>
by :
value='<%=request.getParameter("userName")%>'/>
我的情况是在项目构建期间使用 Jasper JSP 验证阶段。
从 Tomcat 8 开始,有一个新属性 strictQuoteEscaping Ant 任务和开关 -no-strictQuoteEscaping 用于运行 org.apache. jasper.JspC 从命令行。
I case Jasper JSP validation phase is used during project build.
Since Tomcat 8 there is a new attribute strictQuoteEscaping for Ant task and a switch -no-strictQuoteEscaping for running org.apache.jasper.JspC from command line.