I am facing a problem with the JSF implementation, or some misunderstanding on my side:
I have the following (param contains a malicious JavaScript block):
<h:outputText value="#{param}"/> <!-- this block does not escape param block -->
#{param} <!-- Also, this one does not escape param -->
<weirdTag weirdParam="#{param}"/> <!-- WTF, this one is escaped -->
So it seems I have a problem when the EL is not contained in an XHTML tag, which obviously becomes a big problem when the substitution happens inside a tag:
<script>
var val="#{param}"; // This is not escaped, so XSS is possible
</script>
Here is my setup:
pom.xml:
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
<modelVersion>4.0.0</modelVersion>
<groupId>com.drm.test</groupId>
<artifactId>web_test</artifactId>
<packaging>war</packaging>
<version>1.0-SNAPSHOT</version>
<name>web_test Maven Webapp</name>
<url>http://maven.apache.org</url>
<dependencies>
<dependency>
<groupId>junit</groupId>
<artifactId>junit</artifactId>
<version>3.8.1</version>
<scope>test</scope>
</dependency>
<dependency>
<groupId>com.sun.faces</groupId>
<artifactId>jsf-api</artifactId>
<version>2.1.29</version>
</dependency>
<dependency>
<groupId>com.sun.faces</groupId>
<artifactId>jsf-impl</artifactId>
<version>2.1.29</version>
</dependency>
<dependency>
<groupId>javax.servlet</groupId>
<artifactId>servlet-api</artifactId>
<version>2.5</version>
<scope>provided</scope>
</dependency>
<dependency>
<groupId>taglibs</groupId>
<artifactId>standard</artifactId>
<version>1.1.2</version>
</dependency>
<dependency>
<groupId>javax.servlet</groupId>
<artifactId>jstl</artifactId>
<version>1.1.2</version>
</dependency>
<dependency>
<groupId>com.sun.facelets</groupId>
<artifactId>jsf-facelets</artifactId>
<version>1.1.14</version>
</dependency>
</dependencies>
<build>
<finalName>web_test</finalName>
<plugins>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-compiler-plugin</artifactId>
<version>2.3.1</version>
<configuration>
<source>1.6</source>
<target>1.6</target>
</configuration>
</plugin>
</plugins>
</build>
</project>
index.xhtml:
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"
xmlns:ui="http://java.sun.com/jsf/facelets"
xmlns:h="http://java.sun.com/jsf/html"
xmlns:f="http://java.sun.com/jsf/core">
<body>
#{param['requestParam']}
<!-- ESCAPED!! -->
<kkk value="#{param['requestParam']}" />
<!-- NOT ESCAPED -->
#{param['requestParam']}
<h:outputText value="#{param['requestParam']}" escape="true" />
<script>
<!-- NOT ESCAPED XSS -->
<h:outputText value="#{param['requestParam']}" escape="true"/>
</script>
</body>
</html>
Output HTML (view source in the browser) when called with the URL http://localhost:8080/web_test/index.jsf?requestParam=jsMethod("") :
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd" >
<html xmlns="http://www.w3.org/1999/xhtml">
<body>
jsMethod("");
<!-- ESCAPED!! -->
<kkk value="jsMethod("");"></kkk>
<!-- NOT ESCAPED -->
jsMethod("");jsMethod("");
<script>
<!-- NOT ESCAPED XSS -->jsMethod("");
</script>
</body>
</html>
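The asker's three cases differ by output context, not by whether escaping happened: a bare `"` is harmless in HTML text, closes the attribute in an HTML attribute, and ends the string literal inside `<script>`. The following Java program is an added example, not code from the question, the answer, or the JSF implementation; the three encoders are my own illustration of the three contexts and make no claim about what Mojarra's internal writer does. It runs the constructed payload `jsMethod("");` (the same shape as the asker's `requestParam`) through each encoder.

```java
// Added example: context-specific encoders applied to the asker's payload.
// Shows why an HTML-text encoder leaves jsMethod(""); untouched, why an
// attribute encoder does not, and what a <script> string context needs instead.
public class ContextEscapingDemo {

    // HTML text context: only characters that can open a tag or an entity matter.
    // A double quote is plain text here, so it is left alone.
    static String escapeHtmlText(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '&': sb.append("&amp;"); break;
                case '<': sb.append("&lt;"); break;
                case '>': sb.append("&gt;"); break;
                default:  sb.append(c);
            }
        }
        return sb.toString();
    }

    // HTML attribute context: a quote would terminate the attribute value,
    // so both quote characters are encoded as well.
    static String escapeHtmlAttribute(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '&':  sb.append("&amp;"); break;
                case '<':  sb.append("&lt;"); break;
                case '>':  sb.append("&gt;"); break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // JavaScript string-literal context: HTML entities mean nothing inside
    // <script>, so every character outside a small allow-list is emitted as a
    // \xHH or \uHHHH escape. That covers the quote that ends the literal and
    // the "</script>" sequence that would end the whole block.
    static String escapeJsString(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            boolean asciiAlnum = c < 128 && Character.isLetterOrDigit(c);
            if (asciiAlnum || c == ' ' || c == '.' || c == '_' || c == '-') {
                sb.append(c);
            } else if (c < 256) {
                sb.append(String.format("\\x%02X", (int) c));
            } else {
                sb.append(String.format("\\u%04X", (int) c));
            }
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        // Constructed payload, same shape as the asker's requestParam value.
        String payload = "jsMethod(\"\");";
        System.out.println("text     : " + escapeHtmlText(payload));      // unchanged: no &, < or >
        System.out.println("attribute: " + escapeHtmlAttribute(payload)); // jsMethod(&quot;&quot;);
        System.out.println("js string: " + escapeJsString(payload));      // jsMethod\x28\x22\x22\x29\x3B

        // A value containing a closing script tag: the text encoder neutralises
        // the angle brackets for HTML, and the JS encoder neutralises them for
        // a string literal, where &lt; would be useless.
        String closer = "</script>";
        System.out.println("text     : " + escapeHtmlText(closer));   // &lt;/script&gt;
        System.out.println("js string: " + escapeJsString(closer));   // \x3C\x2Fscript\x3E
    }
}
```

The practical consequence for the page's `index.xhtml`: `escape="true"` on `h:outputText` is HTML-text escaping, so it cannot make `var val="#{param[...]}"` safe. The defensive pattern is to keep request data out of `<script>` bodies entirely, for example by writing it into an attribute (the context the asker's own `ESCAPED!!` label on the `kkk` line shows being escaped) and reading it from JavaScript afterwards, or, where inline JavaScript is unavoidable, to apply a JavaScript-string encoder such as `escapeJsString` above rather than an HTML one.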
Answer 0: (score: 0)
The attribute of the tag is escape. This will escape any sensitive HTML in the tag's output. By default this is true, and on its own it will not prevent XSS injection attacks. For that you need to implement a ServletFilter that filters XSS injection attempts out of all request parameters.
The following project can be used to sanitize request parameters; writing a servlet filter for a web application that uses it should not be too hard.