
Question


I am have some old ColdFusion code. It was originally written for CF9, but is now running on CF 2016.

application.cfc

  // Load the OWASP ESAPI facade from the Java library bundled with ColdFusion
  local.esapi = createObject("java", "org.owasp.esapi.ESAPI");
  // Cache its encoder in the application scope for reuse on every page
  application.esapiEncoder = local.esapi.encoder();

Much later

Regular page

  form.Reason = application.esapiEncoder.encodeForHtml(form.Reason);

I am thinking of replacing it with

  form.Reason = encodeForHTML(form.Reason);

Are these functions the same?

Answer


Yes, the encodeForX() functions use OWASP's ESAPI behind the scenes. encodeForHTML() is CF10+ and has a canonicalize argument, which takes the input down to its lowest factor. CF2016 added an encodeFor argument to a cfoutput tag for outputting that does similar. There's also the canonicalize() function that will throw an error that you can catch. That's useful for seeing if someone is trying to throw nefarious inputs at your form or site. I can't think of a legit reason for double- or multi-encoding an input, and I would interpret such as an attack. The argument in the encodeForX() function will take it down to its base evaluation, but it doesn't throw an error and just returns the resulting output. Personally, I'm not sure that there's much of an accidental way to pass a value that would be picked up by canonicalization, and I'd simply rather catch that attempt and kick that user off of my site.

https://helpx.adobe.com/coldfusion/cfml-reference/coldfusion-functions/functions-eg/encodeforhtml.html

https://helpx.adobe.com/coldfusion/cfml-reference/coldfusion-functions/functions-cd/Canonicalize.html

https://www.owasp.org/index.php/Category:Encoding
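The two behaviours the answer contrasts, as an added example that is not part of the original question or answer: encodeForHTML() with canonicalize=true silently reduces a multi-encoded value before encoding it, while canonicalize() with the restrict flags can be made to throw so the attempt is logged and rejected. It assumes ColdFusion 11 or later for the fourth throwOnError argument of canonicalize(); the sample inputs and the "security" log file name are constructed for the demo.

```cfml
<cfscript>
// Constructed sample inputs (not from the page): plain, single-encoded,
// double URL-encoded, and mixed (HTML entity for "%" wrapping URL encoding).
samples = [
    "<script>alert(1)</script>",
    "&lt;script&gt;",
    "%253Cscript%253E",
    "&#x25;3Cscript&#x25;3E"
];

// 1) encodeForHTML with canonicalize=true: decode to the base form first,
//    then HTML-encode. Multi-encoding is flattened, but nothing is raised.
for (s in samples) {
    writeOutput("as-is:        " & encodeForHTML(s) & "<br>");
    writeOutput("canonicalized: " & encodeForHTML(s, true) & "<br>");
}

// 2) canonicalize() with restrictMultiple, restrictMixed and throwOnError:
//    a double- or mixed-encoded value raises an error the caller can catch,
//    which is the "treat it as an attack" path the answer describes.
function checkInput(required string value) {
    try {
        return canonicalize(arguments.value, true, true, true);
    } catch (any e) {
        // Assumed log file name; record the rejected value's error, not the raw payload
        writeLog(file="security", text="Rejected multi/mixed-encoded input: " & e.message);
        rethrow;
    }
}

for (s in samples) {
    try {
        writeOutput("accepted: " & encodeForHTML(checkInput(s)) & "<br>");
    } catch (any e) {
        writeOutput("rejected: " & encodeForHTML(s) & "<br>");
    }
}
</cfscript>
```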


08-24 10:33