Below are my servlet and JSP code. Can you tell me how to protect them against XSS attacks?
Servlet code:
// Read the scrip code from the request (SecurityCheck is the project's own parameter helper)
String strRequestScrip = SecurityCheck.getStringParameter(request, PARAM_SCRIP_CODE);
// Look up the matching scrips for this exchange; strExchangeCode and application are set earlier in the servlet
List arrScripLocator = MarketWatchUtils.getEqScripLocator(strRequestScrip, strExchangeCode, application);
// Hand the result list to the JSP through request scope
request.setAttribute("arrScripLocator", arrScripLocator);
request.getRequestDispatcher("/ajax/ajaxScripLocator.jsp").forward(request, response);
JSP code:
// Pick up the list the servlet stored in request scope
final List arrScripLocator = (List) request.getAttribute("arrScripLocator");
// Guard against a missing attribute, then cap the count at 20 entries
int intScripLocatorSize = arrScripLocator != null ? arrScripLocator.size() : 0;
intScripLocatorSize = intScripLocatorSize <= 20 ? intScripLocatorSize : 20;
// Only the integer count is written to the response here
out.print(intScripLocatorSize);
Answer 0 (score: 1)
You should use Jsoup to sanitise the request. The code looks like this:
import org.jsoup.Jsoup;
import org.jsoup.safety.Whitelist;

// Untrusted HTML carrying an inline event handler
String unsafe = "<p><a href='http://example.com/' onclick='stealCookies()'>Link</a></p>";
// Keep only the tags and attributes allowed by the basic whitelist
String safe = Jsoup.clean(unsafe, Whitelist.basic());
// now: <p><a href="http://example.com/" rel="nofollow">Link</a></p>
I suggest you also read the OWASP XSS Filter Evasion Sheet.
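The answer above covers sanitising rich HTML input with Jsoup. For plain values such as a scrip code that end up in the page, the complementary defence is encoding at output time. The following is an added example in plain Java, not code from the question or the answer; the class and method names are my own, and it mirrors the JSP's 20-entry cap while rendering each list entry HTML-encoded.

```java
import java.util.Arrays;
import java.util.List;

// Added example, not code from the question or the answer. Jsoup.clean() is the
// right tool for rich-text input; plain values such as a scrip code are protected
// by encoding them at output time, in the HTML context they are written into.
public class ScripLocatorView {

    // Minimal HTML text/attribute encoder. In a JSP prefer <c:out value="..."/>
    // (escapeXml defaults to true) or the OWASP Java Encoder's Encode.forHtml().
    static String escapeHtml(String s) {
        if (s == null) return "";
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // Mirrors the JSP above (cap at 20 entries) but renders each entry, encoding
    // every value once at the point where it is placed into the markup.
    static String renderScripList(List<String> arrScripLocator) {
        int size = arrScripLocator != null ? arrScripLocator.size() : 0;
        size = Math.min(size, 20);
        StringBuilder html = new StringBuilder("<ul data-count=\"" + size + "\">");
        for (int i = 0; i < size; i++) {
            String scrip = escapeHtml(arrScripLocator.get(i));
            html.append("<li title=\"").append(scrip).append("\">")
                .append(scrip).append("</li>");
        }
        return html.append("</ul>").toString();
    }

    public static void main(String[] args) {
        // Constructed sample input: a normal scrip code plus a value carrying markup,
        // as a lookup that echoes the request parameter might return.
        List<String> sample = Arrays.asList("INFY", "<a onclick='stealCookies()'>x</a>");
        System.out.println(renderScripList(sample));
    }
}
```

Encoding belongs at the output side regardless of whether the input was sanitised, because the list values here come from a lookup rather than directly from the sanitised parameter.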