问题描述
我们如何使用Java和spring-mvc在应用程序中实现ESAPI输出编码.
How can we implement ESAPI output encoding in an application using java and spring-mvc.
阅读许多帖子,并看到以下内容:
Read many posts and saw this:
<%@ page import="org.owasp.esapi.*" %>
<input type="hidden" name="hidden" value="<%out.print(ESAPI.encoder().encodeForHTML(content));%>"/>
但是,在我的应用程序中,所有jsps都使用如下的spring形式标签,
But, in my application all the jsps use spring form tags like the following,
<td>Number:
<form:input path="someNo" size="20" maxlength="18" id="firstfield" onkeypress="return PressAButton('submithidden');"/></td>
如何为上述代码提供ESAPI实现?还有其他实现输出编码的方法,例如创建过滤器或其他方法?任何建议,我们将不胜感激!
How can I have ESAPI implementation for above code? is there any other way of implementing output encoding like creating a filter or something? Any suggestions are greatly appreciated!
推荐答案
在对spring标记进行了一些研究之后,似乎数据绑定发生在框架代码中,从而使您无法在jsp中应用任何转义.
After researching spring tags a bit, it appears that the data-binding happens in framework code thus preventing you from applying any escaping in the jsp.
一个半快速的获胜可能是默认所有输出都转义为HTML.将此条目添加到web.xml中:
One, semi-quick win could be defaulting all output to escape HTML. Add this entry in web.xml:
<context-param>
<param-name>defaultHtmlEscape</param-name>
<param-value>true</param-value>
</context-param>
这里唯一的问题是输出转义是一个很大的难题...当要将值作为数据传递给HTML属性或Javascript函数时,html转义的规则是不同的.在应用程序的某些部分,您可能不想对HTML进行转义,但是您应该能够在需要时使用表单标签属性htmlEscape="false"
覆盖这些部分.
The only problem here is that output-escaping is a BIG pain... the rules for html escaping are different when your value is going to be passed as data to an HTML attribute or a Javascript function. And there could be some parts of your application where you DO NOT want to html escape, but you should be able to override those with the form tag attribute htmlEscape="false"
when you need to.
您需要的是能够将Spring标记的一部分钩到将HTML绑定到表单的位置,但是您需要能够做到这一点,以便可以根据其放置位置进行转义.与纯HTML相比,HTMLAttribute的转义规则有所不同,并且该值将作为数据传递到javascript函数.因此,Spring的解决方案只能防御一类攻击.
What you need is to be able to hook the part of Spring tags where it is binding the HTML to the form, but you need to be able to do it so you can escape based on where its being placed. Escaping rules are different for an HTMLAttribute as opposed to plain HTML and if the value is going to be passed as data to a javascript function. So Spring's solution only defends one category of attack.
这些是我看到的唯一出路,所有这些都需要工作:
These are the only ways out I see, all of them will require work:
-
使用JSTL标记而不是Spring标记,因此您可以使用
${thisSyntax}
编写变量,并将其包装在esapi标记中,如下所示:
Use JSTL tags instead of Spring tags so you can write your variables with
${thisSyntax}
and wrap them in esapi tags like this:
<c:out value="<esapi:encodeForHTML>${variable}</esapi:encodeForHTML>"/>
遵循@A之类的解决方案. Paul提出了,您在哪里进行上下文回溯到控制器端.我知道您觉得这不是一个选择,但是我提出的下一个解决方案未经测试.
Follow a solution like what @A. Paul put forward, where you do your context escaping back on the controller side. I'm aware you feel that this isn't an option, but the next solution I'm putting forward is untested.
实现您自己的标签库,该标签库是[org.springframework.web.servlet.tags.form.InputTag][1]
的子类,尤其是方法writeValue
.尽管esapi可以防止很多情况,但我还是建议您查看owasp的新的编码器项目 t,向您确切显示输出编码的技巧.理想情况下,您的标签库将允许您使用esapi的Encoder或此新API.
Implement your own tag library that subclasses [org.springframework.web.servlet.tags.form.InputTag][1]
, specifically the method writeValue
. While esapi prevents alot, I would recommend looking at owasp's new Encoder project to show you exactly how tricky output encoding is. Ideally your tag library will allow you to utilize either esapi's Encoder or this new API.
这篇关于Spring表单标签的ESAPI实现的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!