英文:
I am not sure how to perform html escaping in my java project to prevent XSS
问题
以下是您提供的代码的中文翻译:
只是一个提示,这是为了课堂。我本应该查看课堂材料,但那里没有解决这个问题(学校有点差劲)。当我问老师时,他说要谷歌搜索。我尝试过谷歌搜索,但可惜我的理解力还不够好。我的设置如下。这是一个使用DerbyDB、Glassfish 5、Java和JavaScript Servlet的Web应用程序。我知道这个问题在这里已经回答了100000次,但我就是理解不了...我有一个Java Web应用程序(没有使用Maven)。登录使用login.jsp,并通过authenticate.java进行身份验证。当然,这没有进行转义,所以容易受到跨站脚本攻击(XSS)。我只是不确定如何实现这一点。如果有人能指导我一下。如果有一个库或什么东西可以加载,如果有的话,如何使用它。login.jsp<%--文档:login创建时间:2015年8月10日 下午7:53:14作者:吉姆--%><%@page contentType="text/html" pageEncoding="UTF-8"%><!DOCTYPE html><html><head><title>SDEV425 登录</title><meta charset="UTF-8"><meta name="viewport" content="width=device-width, initial-scale=1.0"><link href="styles.css" rel="stylesheet" type="text/css"></head><body><div id="main"><%@include file="WEB-INF/jspf/menus.jspf" %><p></p><p></p><h2>登录</h2><% if (session.getAttribute("UMUCUserEmail") == null) {%><form action="Authenticate" method="post"><table class="center"><tr><td>Email: </td><td><input type="text" name="emailAddress" size="50" autofocus> </td></tr><tr><td>密码: </td><td><input type="password" name="pfield" size="50" autocomplete="off"></td></tr><tr><td>&nbsp;</td><td><input type="submit" name="SignIn" value="登录"></td></tr></table><p></p><!-- 如果有错误消息,则打印错误消息 --><% String e = (String) request.getAttribute("ErrorMessage");if (e != null) {out.print(e);}%></form><%} else {request.setAttribute("ErrorMessage", "您已经登录。");RequestDispatcher dispatcher = request.getRequestDispatcher("welcome.jsp");dispatcher.forward(request, response);}%></div></body></html>Authenticate.java/** 若要更改此许可标题,请在项目属性中选择许可标题。* 若要更改此模板文件,请选择工具 | 模板* 并打开模板在编辑器中进行编辑。*/package SDEV425_HW4;import java.io.IOException;import java.io.PrintWriter;import java.sql.Connection;import java.sql.ResultSet;import java.sql.PreparedStatement;import javax.servlet.RequestDispatcher;import javax.servlet.ServletException;import javax.servlet.http.HttpServlet;import javax.servlet.http.HttpServletRequest;import javax.servlet.http.HttpServletResponse;import javax.servlet.http.HttpSession;import org.apache.derby.jdbc.ClientDataSource;/**** 作者:吉姆*/public class Authenticate extends HttpServlet {// 变量private String username;private String pword;private Boolean isValid;private int user_id;private HttpSession session;/*** 处理HTTP GET 和 POST 方法的请求。** @param request servlet 请求* @param response servlet 响应* @throws ServletException 如果发生 Servlet 特定错误* @throws IOException 如果发生 I/O 错误*/protected void processRequest(HttpServletRequest request, HttpServletResponse response)throws ServletException, IOException {response.setContentType("text/html;charset=UTF-8");try (PrintWriter out = response.getWriter()) {/* 输出页面内容。您可以使用以下示例代码。 */out.println("<!DOCTYPE html>");out.println("<html>");out.println("<head>");out.println("<title>Servlet Authenticate</title>");out.println("</head>");out.println("<body>");out.println("<h1>在 " + request.getContextPath() + " 的 Servlet Authenticate</h1>");out.println("</body>");out.println("</html>");}}// <editor-fold defaultstate="collapsed" desc="HttpServlet methods. 点击左侧的 + 号以编辑代码。">/*** 处理 HTTP GET 方法。** @param request servlet 请求* @param response servlet 响应* @throws ServletException 如果发生 Servlet 特定错误* @throws IOException 如果发生 I/O 错误*/@Overrideprotected void doGet(HttpServletRequest request, HttpServletResponse response)throws ServletException, IOException {processRequest(request, response);}/*** 处理 HTTP POST 方法。** @param request servlet 请求* @param response servlet 响应* @throws ServletException 如果发生 Servlet 特定错误* @throws IOException 如果发生 I/O 错误*/@Overrideprotected void doPost(HttpServletRequest request, HttpServletResponse response)throws ServletException, IOException {// 获取POST 输入this.username = request.getParameter("emailAddress");this.pword = request.getParameter("pfield");this.isValid = validate(this.username, this.pword);response.setContentType("text/html;charset=UTF-8");// 设置会话变量if (isValid) {// 如果尚未创建会话对象,请创建一个会话对象。session = request.getSession(true);session.setAttribute("UMUCUserEmail", username);session.setAttribute("UMUCUserID", user_id);// 发送到欢迎 JSP 页面RequestDispatcher dispatcher = request.getRequestDispatcher("welcome.jsp");dispatcher.forward(request, response);} else {// 不是有效的登录// 将他们引导回登录界面request.setAttribute("ErrorMessage", "无效的用户名或密码。请重试或联系吉姆。");RequestDispatcher dispatcher = request.getRequestDispatcher("login.jsp");dispatcher.forward(request, response);}}/*** 返回 servlet 的简短描述。<details><summary>英文:</summary>Just a note, this is for class. I would go to the class material, but it doesn't address this(the school is kinda garbage). And when i ask the teacher, he says to google it. I've tried googling it, but my understanding is not good enough yet sadly.My setup is as follows. Its a web application that uses DerbyDB, Glassfish 5, Java and javascript servlets.I know this is answered 100000 times on here, but being as dense as i am... i am not getting it.i have a java web application (without maven). The login uses login.jsp and authenticates through authenticate.javaof course there is no escaping so its vulnerable to xss.I am just not sure how to implement this. If someone could guide me there. If there is a library or something to load and if so how to use it.login.jsp<%--Document : loginCreated on : Aug 10, 2015, 7:53:14 PMAuthor : jim--%><%@page contentType="text/html" pageEncoding="UTF-8"%><!DOCTYPE html><html><head><title>SDEV425 Login</title><meta charset="UTF-8"><meta name="viewport" content="width=device-width, initial-scale=1.0"><link href="styles.css" rel="stylesheet" type="text/css"></head><body><div id="main"><%@include file="WEB-INF/jspf/menus.jspf" %><p></p><p></p><h2>Login</h2><% if (session.getAttribute("UMUCUserEmail") == null) {%><form action="Authenticate" method="post"><table class="center"><tr><td>Email: </td><td><input type="text" name="emailAddress" size="50" autofocus> </td></tr><tr><td>Password: </td><td><input type="password" name="pfield" size="50" autocomplete="off"></td></tr><tr><td>&nbsp;</td><td><input type="submit" name="SignIn" value="Sign In"></td></tr></table><p></p><!-- Print Error Message if any --><% String e = (String) request.getAttribute("ErrorMessage");if (e != null) {out.print(e);}%></form><%} else {request.setAttribute("ErrorMessage", "You are already logged in.");RequestDispatcher dispatcher = request.getRequestDispatcher("welcome.jsp");dispatcher.forward(request, response);}%></div></body></html>Authenticate.java/** To change this license header, choose License Headers in Project Properties.* To change this template file, choose Tools | Templates* and open the template in the editor.*/package SDEV425_HW4;import java.io.IOException;import java.io.PrintWriter;import java.sql.Connection;import java.sql.ResultSet;import java.sql.PreparedStatement;import javax.servlet.RequestDispatcher;import javax.servlet.ServletException;import javax.servlet.http.HttpServlet;import javax.servlet.http.HttpServletRequest;import javax.servlet.http.HttpServletResponse;import javax.servlet.http.HttpSession;import org.apache.derby.jdbc.ClientDataSource;/**** @author jim*/public class Authenticate extends HttpServlet {// variablesprivate String username;private String pword;private Boolean isValid;private int user_id;private HttpSession session;/*** Processes requests for both HTTP <code>GET</code> and <code>POST</code>* methods.** @param request servlet request* @param response servlet response* @throws ServletException if a servlet-specific error occurs* @throws IOException if an I/O error occurs*/protected void processRequest(HttpServletRequest request, HttpServletResponse response)throws ServletException, IOException {response.setContentType("text/html;charset=UTF-8");try (PrintWriter out = response.getWriter()) {/* TODO output your page here. You may use following sample code. */out.println("<!DOCTYPE html>");out.println("<html>");out.println("<head>");out.println("<title>Servlet Authenticate</title>");out.println("</head>");out.println("<body>");out.println("<h1>Servlet Authenticate at " + request.getContextPath() + "</h1>");out.println("</body>");out.println("</html>");}}// <editor-fold defaultstate="collapsed" desc="HttpServlet methods. Click on the + sign on the left to edit the code.">/*** Handles the HTTP <code>GET</code> method.** @param request servlet request* @param response servlet response* @throws ServletException if a servlet-specific error occurs* @throws IOException if an I/O error occurs*/@Overrideprotected void doGet(HttpServletRequest request, HttpServletResponse response)throws ServletException, IOException {processRequest(request, response);}/*** Handles the HTTP <code>POST</code> method.** @param request servlet request* @param response servlet response* @throws ServletException if a servlet-specific error occurs* @throws IOException if an I/O error occurs*/@Overrideprotected void doPost(HttpServletRequest request, HttpServletResponse response)throws ServletException, IOException {// Get the post inputthis.username = request.getParameter("emailAddress");this.pword = request.getParameter("pfield");this.isValid = validate(this.username, this.pword);response.setContentType("text/html;charset=UTF-8");// Set the session variableif (isValid) {// Create a session object if it is already not created.session = request.getSession(true);session.setAttribute("UMUCUserEmail", username);session.setAttribute("UMUCUserID", user_id);// Send to the Welcome JSP pageRequestDispatcher dispatcher = request.getRequestDispatcher("welcome.jsp");dispatcher.forward(request, response);} else {// Not a valid login// refer them back to the Login screenrequest.setAttribute("ErrorMessage", "Invalid Username or Password. Try again or contact Jim.");RequestDispatcher dispatcher = request.getRequestDispatcher("login.jsp");dispatcher.forward(request, response);}}/*** Returns a short description of the servlet.** @return a String containing servlet description*/@Overridepublic String getServletInfo() {return "Short description";}// </editor-fold>// Method to Authenticatepublic boolean validate(String name, String pass) {boolean status = false;int hitcnt=0;try {ClientDataSource ds = new ClientDataSource();ds.setDatabaseName("SDEV425");ds.setServerName("localhost");ds.setPortNumber(1527);ds.setUser("sdev425");ds.setPassword("sdev425");ds.setDataSourceName("jdbc:derby");Connection conn = ds.getConnection();String sql = "select user_id from sdev_users where EMAIL = ?";PreparedStatement stmt = conn.prepareStatement(sql);stmt.setString(1, this.username);ResultSet rs = stmt.executeQuery();while (rs.next()) {user_id = rs.getInt(1);}if (user_id> 0) {String sql2 = "select user_id from user_info where user_id = " + user_id + "and password = ?";PreparedStatement stmt2 = conn.prepareStatement(sql2);stmt2.setString(1, this.pword);ResultSet rs2 = stmt2.executeQuery();while (rs2.next()) {hitcnt++;}// Set to true if userid/password matchif(hitcnt>0){status=true;}}} catch (Exception e) {System.out.println(e);}return status;}}</details># 答案1**得分**: 2可以使用StringEscapeUtils.escapeHtml4()方法。```javaimport org.apache.commons.text.StringEscapeUtils;public class HTMLEscapeExample{public static void main(String[] args){String unEscapedString = ""<html>some-random-text</html>"";String escapedHTML = StringEscapeUtils.escapeHtml4(unEscapedString);System.out.println(escapedHTML); //浏览器现在可以解析并打印}}
//输出:
&lt;html&gt;some-random-text&lt;/html&gt;
英文:
You can use StringEscapeUtils.escapeHtml4() method.
import org.apache.commons.text.StringEscapeUtils;public class HTMLEscapeExample{public static void main(String[] args){String unEscapedString = "<html>some-random-text</html>";String escapedHTML = StringEscapeUtils.escapeHtml4(unEscapedString);System.out.println(escapedHTML); //Browser can now parse this and print}}//Output:&lt;html&gt;some-random-text&lt;/html&gt;
通过集体智慧和协作来改善编程学习和解决问题的方式。致力于成为全球开发者共同参与的知识库,让每个人都能够通过互相帮助和分享经验来进步。
评论