在 Java 中转义 html
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/2148799/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
Escaping html in Java
提问by Kyle
How do I make sure I don't escape something twice?
我如何确保我不会两次逃避某些东西?
I've heard that its good practice to escape values as you receive them from a form, and also escape when you output. That way you have two chances to catch something.
我听说在从表单接收值时转义值是一种很好的做法,并且在输出时也转义。这样你就有两次机会钓到东西。
回答by BalusC
I presume that you're using JSP.
我假设您正在使用 JSP。
Just escape during displayonly. There for the JSTL<c:out>tag is perfectly suitable. It escapes HTML entities by default. Use it to display everyuser-controlled input, such as request URL, request headers and request parameters.
仅在显示期间转义。那里对于JSTL<c:out>标记非常适合。默认情况下,它会转义 HTML 实体。使用它来显示每个用户控制的输入,例如请求 URL、请求标头和请求参数。
E.g.
例如
<input type="text" name="foo" value="<c:out value="${param.foo}" />">
Escaping during input is not needed. XSSdoesn't harm in raw Java code nor in SQL databases. On the other hand, you would also rather save data unmodified in DB so that you can still see what the user actuallyentered, so that you can if necessary do social actions on mailicious users.
不需要在输入期间转义。XSS不会损害原始 Java 代码和 SQL 数据库。另一方面,您还希望将未修改的数据保存在 DB 中,以便您仍然可以看到用户实际输入的内容,以便您可以在必要时对邮件用户进行社交操作。
If you'd like to know what to escape during input, it would be SQL injection. In such case just use PreparedStatementinstead of regular Statementwhenever you want to save anyuser-controlled input in the database.
如果你想知道在输入过程中要转义什么,那就是SQL injection。在这种情况下PreparedStatement,Statement只要您想在数据库中保存任何用户控制的输入,就使用而不是常规。
E.g.
例如
create = connection.prepareStatement("INSERT INTO user (username, password) VALUES (?, MD5(?))");
create.setString(1, username);
create.setString(2, password);
create.executeUpdate();
回答by Asaph
You should only htmlencode when you output something to a browser. This prevents XSS attacks. The kind of escaping that you do when you collect data from a form, before you insert it into a database is nothtml encoding. It's escaping special database characters (best done using parameterized queries). The purpose of that is to prevent SQL injection attacks. So there is no double encoding going on.
当您将某些内容输出到浏览器时,您应该只进行html编码。这可以防止 XSS 攻击。在将数据插入数据库之前,从表单收集数据时所做的转义不是html 编码。它正在转义特殊的数据库字符(最好使用参数化查询完成)。这样做的目的是防止 SQL 注入攻击。所以没有进行双重编码。
回答by deamon
Content that is harmless in one context can be dangerous in another context. The best way to avoid injection attacks is to prepare the content before passing it to another context. In your case html text changes its context when it is passed to the browser. The server doesn't render the html but the browser does. So be sure to pass no malicious html to the browser and mask it before sending.
在一种情况下无害的内容在另一种情况下可能是危险的。避免注入攻击的最佳方法是在将内容传递到另一个上下文之前准备内容。在您的情况下,html 文本在传递给浏览器时会更改其上下文。服务器不会呈现 html,但浏览器会。所以一定不要向浏览器传递恶意 html 并在发送之前对其进行屏蔽。
Another argument to do so is that it could be possible that the attack code is assembled within the application from two ore more inputs. Each of the inputs was harmless but together they can become dangerous.
这样做的另一个论点是,攻击代码可能是在应用程序中从两个或更多输入组装而成的。每个输入都是无害的,但它们一起可能会变得危险。
