我如何使用 Esapi 按照 veracode 的建议对数据进行规范化。
out.print(ESAPI.encoder().encodeForHTML(jsonObj.toJSONString()));
现在控制台看到的数据是
{"total":1,"records":5,"rows":[{"id":"RLCP.NS","cell":{"ser":"EQ","bdlt":1,"e":"NSE","chigh":"534.7","tick":"0.05","m":1,"prec":2,"W\/L":null,"exch":"nse_cm","tk":"2882","action":"<button class='button-style-s button-alt2' onclick='Buy();'>Buy<\/button><button class='button-style-s button-alt1' onclick='Sell();'>Sell<\/button>","rowtoken":"NSE2882","ts":"RLCP.NS","clow":"437.5"}},{"id":"SBI.NS","cell":{"ser":"EQ","bdlt":1,"e":"NSE","chigh":"339.8","tick":"0.05","m":1,"prec":2,"W\/L":null,"exch":"nse_cm","tk":"3045","action":"<button class='button-style-s button-alt2' onclick='Buy();'>Buy<\/button><button class='button-style-s button-alt1' onclick='Sell();'>Sell<\/button>","rowtoken":"NSE3045","ts":"SBI.NS","clow":"278.1"}},{"id":"YESB.NS","cell":{"ser":"EQ","bdlt":1,"e":"NSE","chigh":"948.65","tick":"0.05","m":1,"prec":2,"W\/L":null,"exch":"nse_cm","tk":"11915","action":"<button class='button-style-s button-alt2' onclick='Buy();'>Buy<\/button><button class='button-style-s button-alt1' onclick='Sell();'>Sell<\/button>","rowtoken":"NSE11915","ts":"YESB.NS","clow":"776.25"}},{"id":"BOB.NS","cell":{"ser":"EQ","bdlt":1,"e":"NSE","chigh":"212.45","tick":"0.05","m":1,"prec":2,"W\/L":null,"exch":"nse_cm","tk":"4668","action":"<button class='button-style-s button-alt2' onclick='Buy();'>Buy<\/button><button class='button-style-s button-alt1' onclick='Sell();'>Sell<\/button>","rowtoken":"NSE4668","ts":"BOB.NS","clow":"173.85"}},{"id":"SBNK.NS","cell":{"ser":"EQ","bdlt":1,"e":"NSE","chigh":"128.85","tick":"0.05","m":1,"prec":2,"W\/L":null,"exch":"nse_cm","tk":"7179","action":"<button class='button-style-s button-alt2' onclick='Buy();'>Buy<\/button><button class='button-style-s button-alt1' onclick='Sell();'>Sell<\/button>","rowtoken":"NSE7179","ts":"SBNK.NS","clow":"105.45"}}]}
但它在 html 中呈现为
{"total":1,"records":5,"rows":[{"id":"RLCP.NS","cell":{"ser":"EQ","bdlt":1,"e":"NSE","chigh":"534.7","tick":"0.05","m":1,"prec":2,"W\/L":null,"exch":"nse_cm","tk":"2882","action":"<button class='button-style-s button-alt2' onclick='Buy();'>Buy<\/button><button class='button-style-s button-alt1' onclick='Sell();'>Sell<\/button>","rowtoken":"NSE2882","ts":"RLCP.NS","clow":"437.5"}},{"id":"SBI.NS","cell":{"ser":"EQ","bdlt":1,"e":"NSE","chigh":"339.8","tick":"0.05","m":1,"prec":2,"W\/L":null,"exch":"nse_cm","tk":"3045","action":"<button class='button-style-s button-alt2' onclick='Buy();'>Buy<\/button><button class='button-style-s button-alt1' onclick='Sell();'>Sell<\/button>","rowtoken":"NSE3045","ts":"SBI.NS","clow":"278.1"}},{"id":"YESB.NS","cell":{"ser":"EQ","bdlt":1,"e":"NSE","chigh":"948.65","tick":"0.05","m":1,"prec":2,"W\/L":null,"exch":"nse_cm","tk":"11915","action":"<button class='button-style-s button-alt2' onclick='Buy();'>Buy<\/button><button class='button-style-s button-alt1' onclick='Sell();'>Sell<\/button>","rowtoken":"NSE11915","ts":"YESB.NS","clow":"776.25"}},{"id":"BOB.NS","cell":{"ser":"EQ","bdlt":1,"e":"NSE","chigh":"212.45","tick":"0.05","m":1,"prec":2,"W\/L":null,"exch":"nse_cm","tk":"4668","action":"<button class='button-style-s button-alt2' onclick='Buy();'>Buy<\/button><button class='button-style-s button-alt1' onclick='Sell();'>Sell<\/button>","rowtoken":"NSE4668","ts":"BOB.NS","clow":"173.85"}},{"id":"SBNK.NS","cell":{"ser":"EQ","bdlt":1,"e":"NSE","chigh":"128.85","tick":"0.05","m":1,"prec":2,"W\/L":null,"exch":"nse_cm","tk":"7179","action":"<button class='button-style-s button-alt2' onclick='Buy();'>Buy<\/button><button class='button-style-s button-alt1' onclick='Sell();'>Sell<\/button>","rowtoken":"NSE7179","ts":"SBNK.NS","clow":"105.45"}}]}
如图所示,我的 JavaScript 无法理解数据并失败。我该怎么做才能解决这个问题。
最佳答案
您需要根据您打算如何使用数据来转换数据。在本例中,您拥有用于 javascript 上下文的数据,因此您需要使用 ESAPI.encode().escapeForJavaScript() 以及指向接口(interface) here. 的链接。
如果您要发送要直接呈现到页面的数据,那么您将使用 ESAPI.encode().encodeForHTML()。
但就目前情况而言,即使使用 javascript 转义也可能不起作用,因为您正在尝试对整个 JSON 对象进行编码。为了使其正常工作,您需要确保每个单独的数据元素都针对 javscript 上下文进行转义。
例如,编码到此 JSON 的代码:
{
"id": "SBNK.NS",
"cell": {
"ser": "EQ",
"bdlt": 1,
"e": "NSE",
"chigh": "128.85",
"tick": "0.05",
"m": 1,
"prec": 2,
"W\/L": null,
"exch": "nse_cm",
"tk": "7179",
"action": "<button class='button-style-s button-alt2' onclick='Buy();'>Buy<\/button><button class='button-style-s button-alt1' onclick='Sell();'>Sell<\/button>",
"rowtoken": "NSE7179",
"ts": "SBNK.NS",
"clow": "105.45"
}
假设它的java代码在服务器上,你会想要这样做:
public void someControllerMethod(httpReq, httpResp){
DataObject myData = somthingFromADao.getBean();
ViewBean vBean = new vBean();
vBean.setId(encoder.escapeForJavaScript(myData.id));
Cell myCell = myData.getCell();
Cell vCell = new vCell();
vCell.setSer(encode.escapeForJavaScript(myCell.getSer()));
// ...^^^can be done as a "populate" method or some similar pattern.
//Marshall as JSON
}
数据集中唯一可能让您头疼的似乎是“action”字段:它显然试图注入(inject)要呈现的 HTML。 Veracode 不会标记它,但您必须确保您也在监视该 vector 是否存在 XSS。应该重新构建它,这样您就不必将动态生成的代码作为数据元素传递。如今大多数 XSS 都是基于 DOM 的,因此您尽可能不想在浏览器中编写 HTML。
关于java - 如何在 javascript 中使用 easpi 的规范化数据,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/28271938/