How do I display data stored as a BLOB object in a Java web project without introducing a persistent cross-site scripting vulnerability?
The respond() method in ViewDeliveredReportsPage.java sends unvalidated data to a web browser on line 2775, which could cause the browser to execute malicious code.
```java
2773 byte[] barray = new byte[byteLen];
2774 barray = blob.getBytes(1,byteLen);
2775 httpResponse.getOutputStream().write(barray);
2776 } catch (SQLException e) {
2777 logger.error("ERROR onSelectionChanged
```
Answer 0 (score: 0)

You need to escape the data before passing it on for display. The OWASP ESAPI library seems like a good choice. You can find it here: https://code.google.com/p/owasp-esapi-java/downloads/list
```java
// needs: import java.nio.charset.StandardCharsets; import org.owasp.esapi.ESAPI;
byte[] barray = new byte[byteLen];
barray = blob.getBytes(1,byteLen);
//You'll probably have to convert this to a string first - I am not too
//familiar with Java, but the principle is the same.
String text = new String(barray, StandardCharsets.UTF_8);
String output = ESAPI.encoder().encodeForHTML(text);
httpResponse.getOutputStream().write(output.getBytes(StandardCharsets.UTF_8));
} catch (SQLException e) {
logger.error("ERROR onSelectionChanged
```
This cheat sheet is worth reading: https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet
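The answer above covers the text case (HTML-encode before writing). In practice a report BLOB is often binary, and HTML-encoding a PDF or image corrupts it; the fix there is to never let the browser interpret the bytes as HTML. The following added example, which is not code from the question or the answer, shows both paths in one servlet helper: text reports are entity-encoded and rendered inside a `<pre>`, binary reports are served only with an allowlisted Content-Type, as an attachment, with `X-Content-Type-Options: nosniff` so content sniffing cannot turn them into a script-bearing page. The `SafeBlobWriter` class, its method names, the allowlist contents and the use of `javax.servlet.http.HttpServletResponse` are assumptions for illustration; the small `encodeForHtml` helper stands in for `ESAPI.encoder().encodeForHTML` so the example compiles without ESAPI on the classpath.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.sql.Blob;
import java.sql.SQLException;
import java.util.Set;
import javax.servlet.http.HttpServletResponse;

// Hypothetical helper class; not part of ViewDeliveredReportsPage.java.
public final class SafeBlobWriter {

    // Constructed allowlist: MIME types we are willing to hand to the browser at all.
    private static final Set<String> DOWNLOAD_TYPES =
            Set.of("application/pdf", "image/png", "image/jpeg");

    // Minimal HTML entity encoder; ESAPI.encoder().encodeForHTML(text) is a drop-in replacement.
    static String encodeForHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (char c : s.toCharArray()) {
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#x27;"); break;
                case '/':  sb.append("&#x2F;"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // Keep the file name to a safe character set so it cannot break out of the
    // Content-Disposition header (no quotes, CR/LF, path separators).
    static String safeFileName(String name) {
        String cleaned = name == null ? "" : name.replaceAll("[^A-Za-z0-9._-]", "_");
        return cleaned.isEmpty() ? "report" : cleaned;
    }

    /**
     * Writes a BLOB-backed report to the response.
     *  - "text/plain" reports are HTML-encoded and wrapped in <pre>, so a stored
     *    <script> tag is displayed as text rather than executed.
     *  - Allowlisted binary types are sent as a download with nosniff, so the
     *    browser never treats the bytes as an HTML document.
     *  - Anything else is refused instead of being echoed back unvalidated.
     */
    public static void writeReport(HttpServletResponse resp, Blob blob,
                                   String mimeType, String fileName)
            throws SQLException, IOException {
        byte[] data = blob.getBytes(1, (int) blob.length());

        // Defensive headers that apply to both branches.
        resp.setHeader("X-Content-Type-Options", "nosniff");
        resp.setHeader("Content-Security-Policy", "default-src 'none'");

        if ("text/plain".equals(mimeType)) {
            String text = new String(data, StandardCharsets.UTF_8);
            String html = "<pre>" + encodeForHtml(text) + "</pre>";
            resp.setContentType("text/html; charset=UTF-8");
            resp.getOutputStream().write(html.getBytes(StandardCharsets.UTF_8));
        } else if (DOWNLOAD_TYPES.contains(mimeType)) {
            resp.setContentType(mimeType);
            resp.setHeader("Content-Disposition",
                    "attachment; filename=\"" + safeFileName(fileName) + "\"");
            resp.setContentLength(data.length);
            resp.getOutputStream().write(data);
        } else {
            resp.sendError(HttpServletResponse.SC_UNSUPPORTED_MEDIA_TYPE);
        }
    }
}
```

The MIME type should come from a trusted column or a server-side detection step, not from the request; if the stored type is itself attacker-controlled, the allowlist check is what keeps `text/html` from ever reaching the second branch.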