I scanned my application in HP Fortify and am getting an issue "Cross-Site Scripting: Poor Validation". I am using the ESAPI library. I am getting this finding on a Struts application.

<%@ taglib prefix="s" uri="/struts-tags" %>
<form method='post' name='<s:property value='tableBean.formName'/>' action='Notification.action'>

public String printApplications() throws IOException, ServletException {
    request.setAttribute(TableDisplayBean.TABLE_BEAN, tableBean);
}

What would be the proper syntax to use ESAPI to encode tableBean.formName?

Solution

Before:

<html lang="${myVar}">

The appropriate syntax would look like this:

<%@ taglib uri="/WEB-INF/tld/esapi.tld" prefix="esapi" %>
<html lang="<esapi:encodeForHTMLAttribute>${myVar}</esapi:encodeForHTMLAttribute>">

In your case, use HTMLAttribute because the value you're getting dynamically is being inserted into the "name" attribute on the tag. If it was going to be, say, in a p-tag, you'd use esapi:encodeForHTML.

<p><esapi:encodeForHTML>${myVal}</esapi:encodeForHTML></p>

Also, if the value would be received by a JavaScript function on rendering, use esapi:encodeForJavaScript. Encoding always has a proper context, and the context is answered by the question, "What kind of interpreter will first receive this data?"

=============================================

I wasn't explicit enough. The example I provided will only escape for HTML attributes when it sounds like it's being deposited as raw HTML. The general example above has been reworked. Using your example, try:

<form method='post' name='<s:property value=<esapi:encodeForHTMLAttribute>'tableBean.formName'</esapi:encodeForHTMLAttribute>/>' action='Notification.action'>

I'm used to JSTL syntax, so I'm not 100% sure of the best way to wrap your variable here. You'll have to play with it. Alternatively, you could add a method to tableBean like tableBean.htmlAttributeEscapedFormName, which would look like:

import org.owasp.esapi.ESAPI;

public class TableBean {
    String formName;

    // Returns formName encoded for the HTML attribute context.
    public String htmlAttributeEscapedFormName() {
        return ESAPI.encoder().encodeForHTMLAttribute(formName);
    }
}
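The bean-method approach from the answer, carried through for all three output contexts it names, as an added example that is not part of the original thread. It assumes the ESAPI jar is on the classpath with a working ESAPI.properties; the bean and getter names, and the sample value, are constructed for illustration.

```java
import org.owasp.esapi.ESAPI;

/** Bean that exposes its form name pre-encoded for each output context the page may use. */
public class TableBean {
    private final String formName;

    public TableBean(String formName) {
        this.formName = formName;
    }

    /** Raw value: only safe where the template encodes it itself. */
    public String getFormName() {
        return formName;
    }

    /** For a quoted attribute such as name='...' (encodes ' " & < > and more). */
    public String getHtmlAttributeEscapedFormName() {
        return ESAPI.encoder().encodeForHTMLAttribute(formName);
    }

    /** For element content, e.g. text inside a <p> element. */
    public String getHtmlEscapedFormName() {
        return ESAPI.encoder().encodeForHTML(formName);
    }

    /** For a JavaScript string literal inside a <script> block. */
    public String getJavaScriptEscapedFormName() {
        return ESAPI.encoder().encodeForJavaScript(formName);
    }

    public static void main(String[] args) {
        // Constructed sample containing the characters each encoder must neutralise.
        TableBean bean = new TableBean("O'Reilly & \"Sons\" <notify>");
        // Each line pairs the value with the interpreter that first receives it.
        System.out.println("<form name='" + bean.getHtmlAttributeEscapedFormName() + "'>");
        System.out.println("<p>" + bean.getHtmlEscapedFormName() + "</p>");
        System.out.println("<script>var f = '" + bean.getJavaScriptEscapedFormName() + "';</script>");
    }
}
```

When the getter is referenced from the JSP (e.g. `<s:property value="tableBean.htmlAttributeEscapedFormName"/>`), remember that `<s:property>` HTML-escapes by default, so disable its own escaping (`escapeHtml="false"` on Struts 2.x) for that call to avoid double encoding.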