我正在使用Java Servlet和JSPS开发Web应用程序。我想确保我的应用程序安全,这就是为什么我运行一些工具并
得到了有关跨站点脚本的报告。请找到以下代码:
SampleServlet.java:
String key = ExternalAuthentication.startExternalAuthentication(request);
request.setAttribute("authParam", authParam);
out.write("<!DOCTYPE html PUBLIC \"-//W3C//DTD HTML 4.01 Transitional//EN\" \"http://www.w3.org/TR/html4/loose.dtd\"> \n");
out.write("<html><body onload=\"document.forms[0].submit()\">\n");
out.write("<form method=\"POST\" action=\"" + request.getContextPath() + targetPage + "\">\n");
out.write("<input type=\"hidden\" name=\"actionUrl\" value=\"" + actionUrlBuilder.toString() + "\"/>\n");
out.write("<input type=\"hidden\" name=\"authParam\" value=\"" + request.getAttribute("authParam") + "\"/>\n");
out.write("</form>\n</body>\n</html>\n");
The above `setAttribute` will be used in JSP by saying
在jsp中:
// I am referring to the request attributes that have been contaminated. - comment from tool
//for context HTML double quoted is not properly sanitized for attribute, request.getAttribute ( "authParam" ) linked to an
//HTML page of There is a risk that lead to cross-site scripting - comment from tool
request.getAttribute("authParam");
谁能建议如何解决它?在设置为请求之前是否需要对
authParam值进行编码? 最佳答案
我们将其作为输入隐藏变量并显示jsp页面(登录)
尝试使用以下任一方法:
c:out:<c:out value="${authParam}" />
JSTL EL fn:escapeXml方法:${fn:escapeXml(authParam)}
这两个都针对data state上下文或HTML double-quoted attribute上下文的转义数据。首先将从JSP页面范围中搜索值authParam,然后是request属性。如果只想搜索请求属性,请在页面范围内设置一个变量,并在requestScope之前添加前缀,例如requestScope.authParam。
但是,您的问题是this question的重复项。我没有足够的代表来举报。