To prevent cross-site scripting (XSS) I am using the OWASP-recommended ESAPI (Enterprise Security API). The esapi.jar file has been included with prior versions of ColdFusion, but in CF10 you can now easily call some of its useful functions: encodeForJavascript(), encodeForHTML(), encodeForURL(), encodeForCSS() and encodeForHTMLAttribute().

I'm having a problem with encodeForJavascript(): I'm losing the backslash...
<cfoutput>
<cfif isDefined("url.name")>
<!--- Here is the problem, this is identical to the original ascii32to126 string except for one char is missing, the backslash between the brackets ...Z[]... --->
#url.name#
<cfabort>
</cfif>
<!---
ASCII 32 thru 126
!"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~
In the line below I double up on the double-quotes and pounds in order to get the cfset to work
--->
<cfset ascii32to126 = "!""##$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~">
<script>
function locateTo(value)
{
window.location='thisPage.cfm?name='+encodeURIComponent(value);
//alert('thisPage.cfm?name='+encodeURIComponent(value));
}
locateTo('#encodeForJavaScript(ascii32to126)#');
</script>
</cfoutput>
I call encodeForJavaScript() first because we are in a JavaScript context. Then I call encodeURIComponent() to make sure the URL is built correctly. Everything works, but on the resulting page I've lost the backslash \. What am I missing here?

(Yes, I know I also have to protect the output where #url.name# is written out. For this experiment I haven't done so because I need to view the source to see whether the string matches the original.)
** UPDATE ** - I'm running ColdFusion 10 with all the latest patches applied. The problem appears to be in encodeForJavaScript(). JSStringFormat() fails as well. Doing this shows that both are missing the backslash...
<cfset ascii32to126 = "!""##$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~">
<cfoutput>
#encodeForHTML(encodeForJavaScript(ascii32to126))#
<br><br>
#encodeForHTML(JSStringFormat(ascii32to126))#
</cfoutput>
Best answer
FWIW, we've been using all of the encodeForX functions for over a year and the only time we've had problems is when a developer used the wrong context. We strictly forbid the use of HTMLEditFormat and have a Jenkins server check for it (and other illegal functions and tags) as builds run throughout the day.

You are encoding for a JavaScript string and then URL-encoding. I believe you should URL-encode first, then JavaScript-encode. When I compare the output to the unencoded string, there don't seem to be any missing characters.
<cfoutput>
<cfif isDefined("url.name")>
<!--- Here is the problem, this is identical to the original ascii32to126 string except for one char is missing, the backslash between the brackets ...Z[]... --->
#url.name#
<cfabort>
</cfif>
<!---
ASCII 32 thru 126
!"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~
In the line below I double up on the double-quotes and pounds in order to get the cfset to work
--->
<!--- Using Chr() to bypass character escaping. --->
<cfset ascii32to126 = "!#chr(34)##chr(35)#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~">
<cfdump var="#ascii32to126#" />
<script>
function locateTo(a, b) {
console.log(a); // 1. JavaScript Encoded.
console.log(b); // 2. URL encoded, then JavaScript encoded.
console.log(decodeURIComponent(b));// 3. Matches JavaScript encoded.
console.log( 'thisPage.cfm?name=' + b ); // 4. Correct string.
}
locateTo('#encodeForJavaScript(ascii32to126)#', '#encodeForJavaScript(encodeForURL(ascii32to126))#');
</script>
</cfoutput>
Console output
!"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~
%21%22%23%24%25%26%27%28%29*%2B%2C-.%2F0123456789%3A%3B%3C%3D%3E%3F%40ABCDEFGHIJKLMNOPQRSTUVWXYZ%5B%5C%5D%5E_%60abcdefghijklmnopqrstuvwxyz%7B%7C%7D%7E
!"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~
thisPage.cfm?name=%21%22%23%24%25%26%27%28%29*%2B%2C-.%2F0123456789%3A%3B%3C%3D%3E%3F%40ABCDEFGHIJKLMNOPQRSTUVWXYZ%5B%5C%5D%5E_%60abcdefghijklmnopqrstuvwxyz%7B%7C%7D%7E
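The ordering point made in the answer, and the check the question performs by hand (round-tripping ASCII 32 to 126 and looking for a dropped character), modelled in JavaScript as an added example that is not part of the question or the answer. It assumes an ESAPI-style JavaScript string encoder (every non-alphanumeric character rewritten as \xHH, or \uHHHH above 0xFF), the standard encodeURIComponent for the URL layer, and a small decoder standing in for the browser's parsing of the string literal; the function names are assumptions of this example, not ColdFusion or ESAPI APIs.

```javascript
// Added example (not from the original question or answer). Models the two
// encoding layers involved: an ESAPI-style JavaScript string encoder and
// URL encoding via encodeURIComponent, in both orders, and checks for the
// whole printable ASCII range that no character (in particular the
// backslash) is lost along the way.

// ASCII 32..126, built programmatically so no quoting or escaping in the
// source can interfere with the test input (constructed sample input).
const ASCII_32_TO_126 = Array.from({ length: 95 }, (_, i) =>
  String.fromCharCode(32 + i)).join('');

// ESAPI-style encoder (assumed behaviour): alphanumerics pass through,
// everything else becomes \xHH, or \uHHHH for code units above 0xFF.
// Iterating over UTF-16 code units keeps surrogate pairs intact.
function encodeForJavaScript(s) {
  let out = '';
  for (let i = 0; i < s.length; i++) {
    const ch = s[i];
    const code = s.charCodeAt(i);
    if (/[A-Za-z0-9]/.test(ch)) {
      out += ch;
    } else if (code < 0x100) {
      out += '\\x' + code.toString(16).toUpperCase().padStart(2, '0');
    } else {
      out += '\\u' + code.toString(16).toUpperCase().padStart(4, '0');
    }
  }
  return out;
}

// What the browser's JS parser does with the literal: turn \xHH and \uHHHH
// back into characters. Used instead of eval so the check never executes
// generated code. Safe because the encoder leaves no raw backslash behind.
function decodeJavaScriptLiteral(s) {
  return s.replace(/\\x([0-9A-Fa-f]{2})|\\u([0-9A-Fa-f]{4})/g, (_, x, u) =>
    String.fromCharCode(parseInt(x !== undefined ? x : u, 16)));
}

// Characters of `original` that do not appear anywhere in `decoded`, in
// order. This is the manual "compare against the original" check from the
// question, automated.
function findMissingChars(original, decoded) {
  return [...original].filter((ch) => !decoded.includes(ch));
}

// Order used in the question: JS-encode server-side, embed in '...', then
// encodeURIComponent at runtime on the value the function receives.
function roundTripJsThenUrl(s) {
  const literal = encodeForJavaScript(s);                // inside '...'
  const runtimeValue = decodeJavaScriptLiteral(literal); // what locateTo() gets
  const query = encodeURIComponent(runtimeValue);        // goes after ?name=
  return decodeURIComponent(query);                      // what url.name holds
}

// Order used in the answer: URL-encode first, then JS-encode the result, so
// the runtime value is already safe to drop straight into the query string.
function roundTripUrlThenJs(s) {
  const literal = encodeForJavaScript(encodeURIComponent(s));
  const query = decodeJavaScriptLiteral(literal);        // already URL-encoded
  return decodeURIComponent(query);
}

// Stand-alone run: both orders must reproduce ASCII 32..126 exactly.
for (const [name, fn] of [['JS then URL', roundTripJsThenUrl],
                          ['URL then JS', roundTripUrlThenJs]]) {
  const missing = findMissingChars(ASCII_32_TO_126, fn(ASCII_32_TO_126));
  console.log(`${name}: ${missing.length === 0 ? 'no characters lost' :
    'lost ' + JSON.stringify(missing)}`);
}
```

With a correctly behaving encoder both orders round-trip cleanly; the value of the check is that it pinpoints exactly which characters a given encoder drops, which is what the question's manual comparison was trying to establish for the backslash.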
Regarding "javascript - ColdFusion encoding question - encodeForHTML and encodeForJavascript removing backslash", we found a similar question on Stack Overflow: https://stackoverflow.com/questions/23395912/