问题描述
这是一个很好的页面,其中列出了所需的功能:
所以我试图将其与Play模板功能相关联,并充分了解Play的功能和功能。
- HTML转义:
$ {}或escape()功能 - 属性转义:我找不到内置解决方案
- JavaScript转义:有一个
escapeJavaScript() - CSS转义:我找不到内置解决方案
- URL转义:noth特别的内置但通常的Java解决方案,例如 - 更新:在
另一个困惑是支持 index.json (即使用模板构建JSON而不是HTML)。 $ {} 神奇地切换到JSON文档中的JavaScript转义,或者仍然转义为HTML,因此JSON模板中的所有内容都必须具有明确的 escapeJavaScript()?
在,但对于任何可以想到的情况来说似乎都不正确。 (?)
有一个关于如何在Play中完成所有转义的风格的全面指南是件好事。它看起来像我的答案是滚动自己的在几种情况下,但也许我错过了包括的内容。
我一直在寻找这个决定,根据你已经拥有的这个写的自己的答案,这个和我自己的一些实验
HTML转义:
- $ {}或escape()函数
属性转义:(常用属性)
- 只要用双引号()并使用$ {}将属性打包,就可以进行处理。
- 对于复杂的属性(href / src / etc)见下面的JavaScript
- 示例不安全的代码
-
< a id = $ {data。 value} href =...> ...< / a> -
< a id ='$ {data.value}'href =...> ...< / a>
-
- 这将导致data.value:
-
%href = javascript:alert('XSS') -
%'href = javascript:alert(window.location)
-
JavaScript转义(和复杂属性)
- 使用escapeJavaScript()。
- 示例不安全代码
-
< a onmouseover =x ='$ {data.value} '; ...href =...> ...< / a>
-
- 这将导致data.value:
-
'; javascript:alert(window.location); //
-
CSS转义:
- 不知道我不需要这个。
- 我想象你需要创建自己的某种方式。希望有一些东西可以为您操纵字符串。
URL转义:
- 使用urlEncode()。
I'm trying to map out how the Play framework supports escaping.
This is a nice page spelling out the needed functionality: https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet
So I'm trying to relate that to Play template features and fully understand what Play does and doesn't do.
- HTML escaping:
${}or theescape()function - Attribute escaping: I can't find a built-in solution
- JavaScript escaping: there's an
escapeJavaScript()http://www.playframework.org/documentation/1.2/javaextensions - CSS escaping: I can't find a built-in solution
- URL escaping: nothing special built-in, but usual Java solution e.g. Java equivalent to JavaScript's encodeURIComponent that produces identical output? - Update: there's urlEncode() at http://www.playframework.org/documentation/1.2/javaextensions
Another point of confusion is the support for index.json (i.e. using templates to build JSON instead of HTML). Does ${} magically switch to JavaScript escaping in a JSON document, or does it still escape HTML, so everything in a JSON template has to have an explicit escapeJavaScript()?
There's also an addSlashes() on http://www.playframework.org/documentation/1.2/javaextensions , but it doesn't seem quite right for any of the situations I can think of. (?)
It would be great to have a thorough guide on how to do all the flavors of escaping in Play. It looks to me like the answer is "roll your own" in several cases but maybe I'm missing what's included.
I've been looking into this so decided to write up my own answer based on what you already had, this OWASP cheat sheet and some experimentation of my own
HTML escaping:
- ${} or the escape() function
Attribute escaping: (common attributes)
- This is handled in play so long as you wrap your attributes in double quotes (") and use ${}.
- For complex attributes (href/src/etc.) see JavaScript below
- Example unsafe code
<a id=${data.value} href="...">...</a><a id='${data.value}' href="...">...</a>
- This would break with this for data.value:
% href=javascript:alert('XSS')%' href=javascript:alert(window.location)
JavaScript escaping: (and complex attributes)
- Use escapeJavaScript(). http://www.playframework.org/documentation/1.2/javaextensions
- Example unsafe code
<a onmouseover="x='${data.value}'; ..." href="...">...</a>
- This would break with this for data.value:
'; javascript:alert(window.location);//
CSS escaping:
- Not sure as I've no need for this.
- I'd imagine you'd need to create your own somehow. Hopefully there is something out there to manipulate the strings for you.
URL escaping:
- use urlEncode(). http://www.playframework.org/documentation/1.2/javaextensions
这篇关于在Play框架中正确转义的指南的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!