java 我应该在哪里转义 HTML 字符串、JSP 页面或 Servlet?
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/4948532/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
Where should I escape HTML strings, JSP page or Servlets?
提问by Basil Musa
I would appreciate providing me with a set of clear guidelines or ruling for handling escaping strings. What I use for escaping strings is the apache commons-lang-x.x.jar library. Specifically the StringEscapeUtils.escapeHtml(String toEscape)method.
我很感激为我提供一套处理转义字符串的明确指导方针或规则。我用于转义字符串的是 apache commons-lang-xxjar 库。具体StringEscapeUtils.escapeHtml(String toEscape)方法。
I need to know:
我需要知道:
(1) Where is it better to escape strings, on the JSP page or in the Servlet?
(1) 转义字符串在哪里比较好,在JSP页面还是在Servlet中?
(2) What do you recommend StringEscapeUtils.escapeHtml(..) or <c:out> from JSTL
(2) JSTL 的 StringEscapeUtils.escapeHtml(..) 或 <c:out> 推荐什么
(3) Handling multiline strings, which is better, use <br> directly in the string, or \n and a nl2br() method:
(3) 处理多行字符串,这样更好,直接在字符串中使用<br>,或者\n和一个nl2br()方法:
String strError = "Invalid username.\nPlease try again.";
String strError = "Invalid username.\nPlease try again.";
or
或者
String strError = "Invalid username.<br>Please try again.";
String strError = "Invalid username.<br>Please try again.";
(4) How would I go escaping strings that receive wild cards, example:
(4)我将如何转义接收通配符的字符串,例如:
String strError = "Invalid user [%s].<br>Please specify another user."
String strError = "Invalid user [%s].<br>Please specify another user."
(5) Since javascript escape characters are different. What should I use to escape Java strings that are to be rendered inside the javascript sections of the JSP page (eg. var name = "<%=javaStringHoldingName%>").
(5) 由于javascript转义字符不同。我应该使用什么来转义要在 JSP 页面的 javascript 部分中呈现的 Java 字符串(例如var name = "<%=javaStringHoldingName%>")。
采纳答案by BalusC
You only need to escape it exactly there where it can harm. In this particular case, it's in the view. User-controlled HTML can harm when it get inlined among all your HTML in the view. This is a source for XSS.
你只需要在它可能造成伤害的地方逃离它。在这种特殊情况下,它在视图中。当用户控制的 HTML 内联在视图中的所有 HTML 中时,它可能会造成危害。这是 XSS 的来源。
In a well-designed JSP page (read: noscriptlets), JSTL offers you the <c:out>tag and fn:escapeXml()function to escape HTML/XML.
在设计良好的 JSP 页面(阅读:无scriptlets)中,JSTL 为您提供了转义 HTML/XML的<c:out>标记和fn:escapeXml()函数。
<c:out value="${param.foo}" />
<input type="text" name="foo" value="${fn:escapeXml(param.foo)}" />
回答by David
I would probably not pass a String object, but instead just pass an error object up to the view and let the jsp do whatever it wants
我可能不会传递一个 String 对象,而是将一个错误对象传递给视图并让 jsp 做它想做的任何事情
In the controller:
在控制器中:
errorObj.name = "invalid login";
errorObj.description = "try again";
In the view:
在视图中:
<c:out value="${errorObj.name}" /><br /><c:out value="${errorObj.description}" />
Not really related to your question, but it's also a good practice to use a message like, "invalid login attempt" no matter what the login error really is. The message you are giving, "invalid username" lets someone intent on hacking your accounts know if they have a good username that they can use to then attack the password with. If this is exposed publicly, this can be a small, but very real, issue.
与您的问题并不真正相关,但无论登录错误究竟是什么,使用“无效的登录尝试”之类的消息也是一个好习惯。您提供的消息“无效的用户名”让有意入侵您帐户的人知道他们是否有可以用来攻击密码的好用户名。如果这被公开曝光,这可能是一个很小但非常真实的问题。
回答by Shan Plourde
For two of your questions:
对于您的两个问题:
1) Escaping strings for display purposes - I would consider this a view concern. Your JSP could handle this, if you're using your JSP as a view.
1)出于显示目的转义字符串 - 我认为这是一个视图问题。如果您将 JSP 用作视图,则您的 JSP 可以处理此问题。
3) Error messages from your models / business logic layer should not include formatting such as newline characters. Let your view determine how to format error messages. With HTML, the use of a div tag with appropriate width styling can eliminate the need for br tags, for example.
3) 来自模型/业务逻辑层的错误消息不应包含换行符等格式。让您的视图决定如何格式化错误消息。例如,对于 HTML,使用具有适当宽度样式的 div 标签可以消除对 br 标签的需要。
