How best to sanitize input in a Java webapp
Note: this page is a Chinese-English side-by-side translation of a popular StackOverflow question, provided under the CC BY-SA 4.0 license. If you use it you must comply with the same CC BY-SA license, cite the original URL and author information, and attribute it to the original authors (not me): StackOverflow
Original URL: http://stackoverflow.com/questions/761588/
How best to sanitize input in Java webapp
Asked by
We use jsp, servlets, beans with a mysql database. We don't want to restrict the characters entered by users on form fields. So how do I sanitize the input and how do I make sure the output is not changed for malicious activities? Is there a way, while sending the output, that I could check if extra code has been sent? Like suppose there is a search input field -- the user gives something like <script>alert("I am here")</script>. Is there any way I could know this is an html tag? If the user appends an extra parameter to a link field, is there like a before and after check I could do for the document to realize there has been an extra link field?
Answered by araqnid
You should always do basic HTML-escaping of data taken from sources like user input or the database that might contain invalid characters. The <c:out> JSP tag does this, for example. That way, if the user enters "<script> ..." in a field and you are printing it back again, it will be printed to the HTML as "&lt;script&gt; ...".
Answered by Kaitsu
You really should allow users to input as little HTML and/or javascript as possible. One good solution to validating and sanitizing this stuff is to use a ready-made library like OWASP AntiSamy.
Also, take a look at the OWASP Enterprise Security API for a collection of security methods that a developer needs to build a secure web application.
Answered by superkelvint
Give jsoup a go to help you out with this. Whatever you do, don't try to hack this up using regex or something, because then you'll have 2 problems. :-)
With jsoup, all you need is a short snippet of code:
String safe = Jsoup.clean(unsafe, Whitelist.basic());
You can add tags and attributes to Whitelist fairly easily, though I found it doesn't support namespace tags.
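The two techniques from araqnid's and superkelvint's answers side by side, as an added example that is not part of any answer above: output escaping (the same substitutions <c:out> applies with its default escapeXml="true") for fields that should never render as markup, and jsoup allowlist cleaning for fields where limited markup is legitimate. It assumes jsoup is on the classpath; the class is Safelist in jsoup 1.14.1 and later and Whitelist in the older versions the answer refers to, and the sample inputs are constructed for the demo.

```java
import org.jsoup.Jsoup;
import org.jsoup.safety.Safelist; // org.jsoup.safety.Whitelist in jsoup < 1.14.1

public class UntrustedInputDemo {

    // Output escaping: the five substitutions <c:out> performs, hand-coded so this
    // method runs outside a JSP container. Apply it to every untrusted value that is
    // written into an HTML text or attribute context (e.g. echoing a search term).
    static String escapeHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '"':  sb.append("&#034;"); break;
                case '\'': sb.append("&#039;"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // Allowlist cleaning: for fields (comments, profiles) where a few tags are wanted.
    // Safelist.basic() keeps simple formatting and links with http/https/mailto/ftp
    // targets only; everything else, including the tag's content for <script>, is dropped.
    static String cleanRichText(String untrustedHtml) {
        return Jsoup.clean(untrustedHtml, Safelist.basic());
    }

    public static void main(String[] args) {
        // Constructed sample inputs: the question's search term and a comment carrying
        // a javascript: link and an event-handler attribute.
        String searchTerm = "<script>alert(\"I am here\")</script>";
        String comment = "<b>hi</b> <a href=\"javascript:alert(1)\">x</a>"
                       + " <img src=\"x\" onerror=\"alert(1)\">";

        // Search results page: never markup, so escape; the tag becomes visible text.
        System.out.println("escaped:  " + escapeHtml(searchTerm));

        // Comment field: reduce to the allowed subset, then still escape anything
        // you later place inside an attribute rather than the element body.
        System.out.println("cleaned:  " + cleanRichText(searchTerm));
        System.out.println("cleaned:  " + cleanRichText(comment));
    }
}
```

Cleaning is not a substitute for escaping: the cleaned string is safe only in the HTML body context the safelist was designed for, so values that end up in attributes, URLs or JavaScript still need the matching encoder.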