String safeOutput = ESAPI.encoder().encodeForHTML(request.getParameter("temp"));
The above doesn't work, it doesn't validate. (I added all the required jars and imported all the files.) So can we directly use output validation?
Answer 0 (score: 1)
Validate input
I would use Hibernate Validator's @SafeHtml annotation:
import org.hibernate.validator.constraints.SafeHtml;

class MyEntity {
    @SafeHtml
    private String title;
    ...
}
Don't encode the input, validate it. You want to keep XSS, or possible XSS, out of the database.
You can validate input in the controller and/or in the repository.
Encode output
Use OWASP's Java Encoder Project. In a JSP you can do the following:
<e:forHtml value="${attr}" />
Answer 1 (score: 0)
The code you pasted is not validation code. This is output escaping. If you want to validate a piece of code, you want to use one of the many ESAPI.validator().getValidInput() methods that work in combination with validation.properties.
Also, if your idea is to do validation on output, DON'T do that. In principle it means you'll accept malicious data in the application and then only check for its evilness when you go to output it. Keep it from entering your application in the first place! Escape the output. Always escape the output according to context!
This answer gives four examples of how to think about output escaping--don't forget about your contexts!!!! And the accepted answer also guides you in a more complete solution for handling XSS beyond that.
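Both answers make the same point: validate at the boundary, encode at the output. The following is an added example (not code from either answer or from ESAPI itself) that shows the two steps side by side with the ESAPI calls Answer 1 names. It assumes the `SafeString` validator type is defined in the validation.properties that ships with your ESAPI deployment; the class name, `MAX_LEN` and the sample inputs are constructed for illustration.

```java
import org.owasp.esapi.ESAPI;
import org.owasp.esapi.errors.IntrusionException;
import org.owasp.esapi.errors.ValidationException;

public class TempParamHandler {

    // Constructed length limit for the "temp" parameter in this example.
    private static final int MAX_LEN = 50;

    /**
     * Input validation: reject the value at the boundary so it never reaches
     * the database. "SafeString" is assumed to be one of the Validator.* regex
     * types defined in ESAPI's shipped validation.properties. getValidInput
     * canonicalizes (decodes) the value before matching, so an encoded payload
     * does not slip past the pattern.
     */
    public static String validateTemp(String raw) throws ValidationException {
        // "temp" is the context name ESAPI uses in its log and error messages;
        // allowNull=false means a missing parameter is also rejected.
        return ESAPI.validator().getValidInput("temp", raw, "SafeString", MAX_LEN, false);
    }

    /** Output encoding: applied at render time, for an HTML body context only. */
    public static String renderTemp(String stored) {
        return ESAPI.encoder().encodeForHTML(stored);
    }

    public static void main(String[] args) {
        // Constructed sample inputs: one benign value, one carrying markup.
        String[] samples = { "72 degrees", "<script>alert(1)</script>" };
        for (String s : samples) {
            try {
                String clean = validateTemp(s);
                System.out.println("accepted : " + clean);
                System.out.println("rendered : " + renderTemp(clean));
            } catch (ValidationException e) {
                // Rejected at the boundary; log and return an error to the caller.
                System.out.println("rejected : " + e.getMessage());
            } catch (IntrusionException e) {
                // ESAPI raises this when the input looks like an attack pattern.
                System.out.println("intrusion: " + e.getMessage());
            }
        }
    }
}
```

If the same value is later written into a JavaScript block or an attribute, use the matching encodeForJavaScript or encodeForHTMLAttribute call instead; the encoder must follow the output context, as Answer 1 stresses.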