Can a (.matches) boolean expression prevent XSS attacks?

Time: 2014-03-03 07:58:19

Tags: java xss boolean-expression

I use the boolean expression below to find out whether the string I get from the input box contains any special characters. I would like to know whether this is a good way to prevent XSS attacks, and whether this filter can be bypassed.

!id.matches(".*[%#^<>&;'\0-].*")

Here is the full code

package pack.java;

import java.io.IOException;
import java.sql.*;
import javax.servlet.http.*;
import javax.servlet.jsp.*;
import javax.servlet.jsp.tagext.*;
import org.apache.commons.lang.StringEscapeUtils;

public class findrequestcontrol extends TagSupport
{
    HttpServletRequest request;
    HttpServletResponse response;
    Connection con;
    CallableStatement stmt;

    public int doStartTag() throws JspException
    {
        request = (HttpServletRequest) pageContext.getRequest();
        response = (HttpServletResponse) pageContext.getResponse();

        // This tag has no body, so SKIP_BODY is the valid result here;
        // EVAL_PAGE is only a legal return value of doEndTag().
        return SKIP_BODY;
    }

    // Runs the stored procedure for the request number held in the bean.
    // Returns null when the value fails the character filter or the query fails;
    // in both cases a message has already been written to the page.
    public ResultSet check() throws IOException
    {
        JspWriter out = pageContext.getOut();
        ResultSet rs = null;
        String reqnum = findrequestmodel.requestno.trim();

        try
        {
            Class.forName("oracle.jdbc.driver.OracleDriver");
        }
        catch (ClassNotFoundException ex)
        {
            out.println("JDBC driver not available");
            return null;
        }
        try
        {
            // The character filter the question is about: the value is
            // rejected if it contains any of the listed characters.
            if (!reqnum.matches(".*[%#^<>&;'\0-].*"))
            {
                con = DriverManager.getConnection("jdbc:oracle:thin:@localhost:1521:XE", "gaurav", "oracle");
                // The value is bound with setString, so it never becomes part of the SQL text.
                stmt = con.prepareCall("begin requestdetail(?); end;");
                stmt.setString(1, reqnum);
                rs = stmt.executeQuery();
            }
            else
            {
                out.println("Invalid Number");
            }
        }
        catch (SQLException ex)
        {
            // The empty catch blocks hid every failure; report it instead.
            out.println("Database error: " + ex.getMessage());
        }

        return rs;
    }

    public int doEndTag() throws JspException
    {
        JspWriter out = pageContext.getOut();
        ResultSet rs = null;

        try
        {
            rs = check();
            if (rs == null)
            {
                // Filter rejected the value or the query failed; nothing to render.
                return super.doEndTag();
            }
            if (!rs.next())
            {
                out.println("no data found");
            }
            else
            {
                out.println("<table border=2>");
                out.println("<tr>");
                out.println("<th>EmployeId</th>");
                out.println("</tr>");

                do
                {
                    out.println("<tr>");
                    // The database value is written straight into HTML element content;
                    // the input filter above is the only thing between it and the browser.
                    out.println("<td>" + rs.getString(1) + "</td>");
                    out.println("</tr>");
                } while (rs.next());
            }
        }
        catch (IOException ex)
        {
            throw new JspException(ex);
        }
        catch (SQLException ex)
        {
            throw new JspException(ex);
        }
        finally
        {
            closeQuietly(rs);
        }

        return super.doEndTag();
    }

    // Release the JDBC resources opened by check(); the original never closed them.
    private void closeQuietly(ResultSet rs)
    {
        try { if (rs != null) rs.close(); } catch (SQLException ignored) { }
        try { if (stmt != null) stmt.close(); } catch (SQLException ignored) { }
        try { if (con != null) con.close(); } catch (SQLException ignored) { }
    }
}

Below is the JSP page where the string is entered; on submit it redirects to another page that calls the tag.

<html>
    <head>
    </head>
    <body>
        <form method="post">
            <input type="text" style="color:grey" name="reqno"><br>
            <input type="submit" name="submit" value="Submit">

            <%
                String r = request.getParameter("reqno");
                String btn = request.getParameter("submit");

                HttpSession session1 = request.getSession();
                session1.setAttribute("requestno", r);

                if (btn != null)
                    response.sendRedirect("findrequest1.jsp");
            %>
        </form>
    </body>
</html>

The tag is called here

<jsp:useBean id="MrBean" class="pack.java.findrequestmodel"/>
<jsp:setProperty name="MrBean" property="requestno" value=""/>
<%@ taglib uri="/WEB-INF/jsp2/taglib8.tld" prefix="easy" %>
<html>
    <head>
    </head>
    <body>
        <form method="post">
            <input type="submit" name="submit" value="Back">
            <%
                HttpSession mysession = request.getSession();
                String req = (String) mysession.getAttribute("requestno");

                MrBean.setRequestno(req);

                String btn = request.getParameter("submit");

                if (btn != null)
                    response.sendRedirect("findrequest.jsp");
            %>
            <easy:myTag8/>
        </form>
    </body>
</html>

2 answers:

Answer 0 (score: 1)

Actually, what you want is to use the special characters while preventing XSS attacks. So you really don't have to care about the characters in the string. Just use a function with the same purpose as htmlspecialchars() in PHP before doing anything with the database, and you will be able to use them.

Obviously, this conversion can also be done in Java.

Replace all HTML entities (source):

String source = "Escape the less than sign (<) and ampersand (&)";
String escaped = StringEscapeUtils.escapeHtml(source);
// Will output "Escape the less than sign (&lt;) and ampersand (&amp;)"

Replace only a selected subset of characters (source):

String escaped = StringUtils.replaceEach(source, new String[]{"&", "<"}, new String[]{"&amp;", "&lt;"});

Edit:

As an example, you have to escape the special characters in the variable reqnum, because you will use it in an SQL request:

String checkreq = "";
String reqnum = (String) findrequestmodel.requestno.trim();
reqnum = StringEscapeUtils.escapeHtml(reqnum); // Escape special characters
// ... skipped code ...
rs = stmt.executeQuery(" select * from myadmin where reference_no='" + reqnum + "'"); // Safe

Alternative (and better) solution

You shouldn't handle this yourself; instead, use something called PreparedStatement, which does it for you, along with other useful things.
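The two concerns in this answer are worth keeping apart: a bound parameter keeps the request number out of the SQL text (the question's `prepareCall` with `setString` already does this; it is the concatenated `executeQuery` snippet in the edit above that a `PreparedStatement` replaces), and HTML escaping belongs at the point where a value is written into the page, not before it is stored or queried. The following is an added example, not code from the answer or the asker. It assumes a JDBC `Connection` supplied by the caller, the `myadmin` / `reference_no` names from the answer's snippet, and `StringEscapeUtils.escapeHtml` from commons-lang 2.x as imported in the question's code.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.ArrayList;
import java.util.List;
import org.apache.commons.lang.StringEscapeUtils;

public class FindRequestDao {

    // Looks up rows by reference number with a bound parameter. The value of
    // reqnum is sent separately from the statement text, so quotes or comment
    // sequences in it cannot change the query. Table and column names follow
    // the answer's snippet (assumed schema).
    public static List<String> findEmployeeIds(Connection con, String reqnum) throws SQLException {
        String sql = "select * from myadmin where reference_no = ?";
        List<String> ids = new ArrayList<String>();
        PreparedStatement ps = con.prepareStatement(sql);
        try {
            ps.setString(1, reqnum.trim());
            ResultSet rs = ps.executeQuery();
            try {
                while (rs.next()) {
                    ids.add(rs.getString(1));   // raw value, exactly as stored
                }
            } finally {
                rs.close();
            }
        } finally {
            ps.close();
        }
        return ids;
    }

    // Escaping happens once, here, for the HTML element-content context the
    // value lands in. The database keeps the unescaped value, so the same row
    // can later be written to a JSON response or a log with the escaping
    // appropriate to that context instead.
    public static String renderTable(List<String> ids) {
        if (ids.isEmpty()) {
            return "no data found";
        }
        StringBuilder html = new StringBuilder("<table border=2><tr><th>EmployeId</th></tr>");
        for (String id : ids) {
            html.append("<tr><td>")
                .append(StringEscapeUtils.escapeHtml(id))
                .append("</td></tr>");
        }
        return html.append("</table>").toString();
    }
}
```

Inside a tag handler the pattern is `out.println(renderTable(findEmployeeIds(con, reqnum)))`, with the connection obtained and closed around the call. Note that commons-lang 2.x `escapeHtml` does not escape the single quote, which is fine for element content and double-quoted attributes but not for single-quoted attribute values.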

Answer 1 (score: 0)

Server-side code:

<input type="text" name="something" value="<%= something %>">

Attack:

" onfocus=alert(1) autofocus b=

Result:

<input type="text" name="something" value="" onfocus=alert(1) autofocus b=">

Input validation is unlikely to block all XSS attacks. Focus on output escaping: https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet
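The question's filter and this answer's payload can be checked against each other directly: the regex rejects `<`, `>`, `&`, `'`, `;`, `%`, `#`, `^`, `-` and NUL, but the payload uses only `"`, spaces, `=`, parentheses and letters, none of which are in that character class, so the value passes the filter and still breaks out of the attribute. Escaping for the attribute context at output time neutralises it regardless of what the filter did. The class below is an added example, not code from either answer; the escaper is a hand-written one covering the five characters the linked OWASP sheet names for HTML contexts, and the `<input>` markup copies the answer's server-side line.

```java
public class AttributeEscapeDemo {

    // The question's filter, verbatim: a value is accepted when it does NOT
    // contain any of the listed characters.
    static boolean passesQuestionFilter(String id) {
        return !id.matches(".*[%#^<>&;'\0-].*");
    }

    // Escapes a value for use inside a double-quoted HTML attribute.
    // Single quotes are included so the same routine is safe in single-quoted
    // attributes and element content as well.
    static String escapeHtmlAttribute(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#x27;"); break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    // The answer's server-side line as written: value is interpolated raw.
    static String renderInputUnescaped(String something) {
        return "<input type=\"text\" name=\"something\" value=\"" + something + "\">";
    }

    // The same line with attribute-context escaping applied at output time.
    static String renderInputEscaped(String something) {
        return "<input type=\"text\" name=\"something\" value=\"" + escapeHtmlAttribute(something) + "\">";
    }

    public static void main(String[] args) {
        // Constructed input: the payload quoted in the answer above.
        String payload = "\" onfocus=alert(1) autofocus b=";

        System.out.println("question's filter accepts the payload: " + passesQuestionFilter(payload));
        System.out.println("unescaped: " + renderInputUnescaped(payload));
        System.out.println("escaped:   " + renderInputEscaped(payload));
    }
}
```

Running it shows the filter reporting the payload as acceptable and the unescaped line reproducing the answer's "Result" markup, while in the escaped line the leading `"` becomes `&quot;` and the whole payload stays inside the `value` attribute as inert text. Java's `String.matches` requires the regex to match the entire string, which is why the question wraps the character class in `.*`; the filter's weakness is not the anchoring but the characters it omits, and a blocklist of that kind has to be maintained against every context the value is ever written into, whereas output escaping is decided once per context.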