I am developing a web application using Java servlets and JSP. I want to make sure my application is secure, so I ran some tools and received a report about cross-site scripting. Please see the following code:

SampleServlet.java:
```java
// Note: authParam, targetPage, actionUrlBuilder and out are declared elsewhere in the servlet (not shown here).
String key = ExternalAuthentication.startExternalAuthentication(request);
request.setAttribute("authParam", authParam);
out.write("<!DOCTYPE html PUBLIC \"-//W3C//DTD HTML 4.01 Transitional//EN\" \"http://www.w3.org/TR/html4/loose.dtd\"> \n");
out.write("<html><body onload=\"document.forms[0].submit()\">\n");
out.write("<form method=\"POST\" action=\"" + request.getContextPath() + targetPage + "\">\n");
out.write("<input type=\"hidden\" name=\"actionUrl\" value=\"" + actionUrlBuilder.toString() + "\"/>\n");
// The tool flags this line: the attribute value is concatenated unescaped into a double-quoted HTML attribute.
out.write("<input type=\"hidden\" name=\"authParam\" value=\"" + request.getAttribute("authParam") + "\"/>\n");
out.write("</form>\n</body>\n</html>\n");
```
The value stored with the `setAttribute` above is then read in the JSP like this:

```java
// The tool reports that this request attribute is tainted. - comment from tool
// In the HTML double-quoted attribute context the value of request.getAttribute("authParam") is not properly
// sanitized, and writing it into an HTML page risks cross-site scripting. - comment from tool
request.getAttribute("authParam");
```
Can anyone suggest how to fix it? Does the `authParam` value need to be encoded before it is set on the request?
Best answer

We will use this as a hidden input variable and display the JSP page (login).
Try either of the following:

- `c:out`:

```jsp
<c:out value="${authParam}" />
```

- the JSTL EL `fn:escapeXml` function:

```jsp
${fn:escapeXml(authParam)}
```

Both of these escape the data correctly for the data state context and for the HTML double-quoted attribute context. The value `authParam` is looked up first in the JSP page scope and then in the request attributes. If you want to look only at the request attributes, add the `requestScope` prefix, as in `requestScope.authParam`, in case you have also set a variable of that name in page scope.
However, your question is a duplicate of this question. I don't have enough rep to flag it.
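The servlet in the question builds the hidden input itself with `out.write`, so the JSP-side `<c:out>` fix does not reach that line. The following is an added example, not code from the question or the answer: it applies the same escaping rules as JSTL's `fn:escapeXml` (`&`, `<`, `>`, `"`, `'`) in the servlet before the value is concatenated into the double-quoted attribute. The `doGet` body, the `/login.jsp` target and the `hiddenInput` helper are assumptions for illustration.

```java
import java.io.IOException;
import java.io.PrintWriter;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class SampleServlet extends HttpServlet {
    // Escape for the HTML double-quoted attribute context; rewrites the same
    // five characters as JSTL's fn:escapeXml (&, <, >, ", ').
    static String escapeAttr(Object value) {
        if (value == null) {
            return "";
        }
        String s = value.toString();
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&#034;"); break;
                case '\'': sb.append("&#039;"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }
    // One hidden input; both the name and the value pass through escapeAttr
    // so neither can close the attribute or the tag (hypothetical helper).
    static String hiddenInput(String name, Object value) {
        return "<input type=\"hidden\" name=\"" + escapeAttr(name)
             + "\" value=\"" + escapeAttr(value) + "\"/>\n";
    }

    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        // authParam is assumed to have been set on the request earlier, as in the question.
        Object authParam = request.getAttribute("authParam");
        String targetPage = "/login.jsp"; // assumed target page, not from the original code
        response.setContentType("text/html;charset=UTF-8");
        PrintWriter out = response.getWriter();
        out.write("<html><body onload=\"document.forms[0].submit()\">\n");
        out.write("<form method=\"POST\" action=\"" + escapeAttr(request.getContextPath() + targetPage) + "\">\n");
        out.write(hiddenInput("authParam", authParam));
        out.write("</form>\n</body>\n</html>\n");
    }
}
```

Because the escaping happens at the point of output, the attribute can stay unencoded on the request, and a JSP that later renders it through `<c:out>` or `fn:escapeXml` will not double-encode it.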
Regarding "java - How to fix cross-site scripting for request attributes?", we found a similar question on Stack Overflow: https://stackoverflow.com/questions/33666078/