Encoder and canonicalize in Java ESAPI
Notice: this page is a Chinese-English side-by-side translation of a popular StackOverflow question, provided under the CC BY-SA 4.0 license. If you use it you must follow the same CC BY-SA license, cite the original URL and author information, and attribute it to the original author (not me): StackOverFlow
Original URL: http://stackoverflow.com/questions/22491650/
Warning: these are provided under the CC BY-SA 4.0 license. You are free to use/share it, but you must attribute it to the original authors (not me): StackOverFlow
Encoder and canonicalize in ESAPI
Asked by rickygrimes
I understand what ESAPI is used for, but I see these two lines repeated in a lot of ESAPI examples. Can someone please explain what exactly this does?
ESAPI.encoder().canonicalize(inputUrl,false,false);
Accepted answer by XiaoChuan Yu
See the docs:
Canonicalization is simply the operation of reducing a possibly encoded string down to its simplest form. This is important, because attackers frequently use encoding to change their input in a way that will bypass validation filters, but still be interpreted properly by the target of the attack. Note that data encoded more than once is not something that a normal user would generate and should be regarded as an attack.
The two additional parameters which are set to false in your example indicate whether or not to restrict multiple encoding and mixed encoding (see docs for meaning), respectively.
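The difference the two boolean parameters make, as an added example that is not part of the original answer: three constructed inputs (single, double, and mixed percent/HTML-entity encoding) are canonicalized with restrictions off and on, and the IntrusionException that ESAPI throws when a restriction is violated is caught and reported. It assumes the ESAPI 2.x library and a valid ESAPI.properties on the classpath, which ESAPI.encoder() needs to initialize.

```java
import org.owasp.esapi.ESAPI;
import org.owasp.esapi.Encoder;
import org.owasp.esapi.errors.IntrusionException;

public class CanonicalizeDemo {

    /**
     * Canonicalize input with the given restrictions and describe the outcome.
     * With both flags false, ESAPI decodes every layer and only logs a warning;
     * with a flag true, the corresponding suspicious encoding is rejected
     * by an IntrusionException instead of being silently decoded.
     */
    static String describe(Encoder enc, String input,
                           boolean restrictMultiple, boolean restrictMixed) {
        try {
            String out = enc.canonicalize(input, restrictMultiple, restrictMixed);
            return "accepted -> " + out;
        } catch (IntrusionException e) {
            // getLogMessage() carries the detail (which encodings, how many layers)
            return "rejected: " + e.getLogMessage();
        }
    }

    public static void main(String[] args) {
        Encoder enc = ESAPI.encoder();

        // Constructed sample inputs (not from the original page):
        String single  = "%3Cscript%3E";            // one layer of percent encoding
        String doubled = "%253Cscript%253E";        // percent encoding applied twice
        String mixed   = "%26lt%3Bscript%26gt%3B";  // percent encoding over HTML entities

        // Lenient call from the question: everything decodes to "<script>".
        System.out.println(describe(enc, single,  false, false));
        System.out.println(describe(enc, doubled, false, false));
        System.out.println(describe(enc, mixed,   false, false));

        // restrictMultiple=true: the double-encoded input is rejected, single still passes.
        System.out.println(describe(enc, single,  true, false));
        System.out.println(describe(enc, doubled, true, false));

        // restrictMixed=true: the input that needs two different codecs is rejected.
        System.out.println(describe(enc, mixed, false, true));
    }
}
```

Because ESAPI treats multiple or mixed encoding as an attack indicator, the strict form (true, true) is the one to use on untrusted input in front of validation; the (false, false) form only logs and is mainly useful for display or logging paths.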