Guide to proper escaping in Play framework
Notice: this page is a Chinese-English translation of a popular StackOverflow question, distributed under the CC BY-SA 4.0 license. If you use it, you must likewise follow the CC BY-SA license, cite the original URL and author information, and attribute it to the original authors (not me): StackOverflow
Original URL: http://stackoverflow.com/questions/5764679/
Warning: these are provided under the cc-by-sa 4.0 license. You are free to use/share them, but you must attribute them to the original authors (not me): StackOverflow
Asked by Havoc P
I'm trying to map out how the Play framework supports escaping.
This is a nice page spelling out the needed functionality: https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet
So I'm trying to relate that to Play template features and fully understand what Play does and doesn't do.
- HTML escaping: ${} or the escape() function
- Attribute escaping: I can't find a built-in solution
- JavaScript escaping: there's an escapeJavaScript() at http://www.playframework.org/documentation/1.2/javaextensions
- CSS escaping: I can't find a built-in solution
- URL escaping: nothing special built-in, but the usual Java solution, e.g. Java equivalent to JavaScript's encodeURIComponent that produces identical output? Update: there's urlEncode() at http://www.playframework.org/documentation/1.2/javaextensions
Another point of confusion is the support for index.json (i.e. using templates to build JSON instead of HTML). Does ${} magically switch to JavaScript escaping in a JSON document, or does it still escape HTML, so everything in a JSON template has to have an explicit escapeJavaScript()?
There's also an addSlashes() on http://www.playframework.org/documentation/1.2/javaextensions, but it doesn't seem quite right for any of the situations I can think of. (?)
It would be great to have a thorough guide on how to do all the flavors of escaping in Play. It looks to me like the answer is "roll your own" in several cases but maybe I'm missing what's included.
Accepted answer by Robin
I've been looking into this so decided to write up my own answer based on what you already had, this OWASP cheat sheet and some experimentation of my own.
HTML escaping:
- ${} or the escape() function
Attribute escaping: (common attributes)
- This is handled in Play so long as you wrap your attributes in double quotes (") and use ${}.
- For complex attributes (href/src/etc.) see JavaScript below
- Example unsafe code:
  <a id=${data.value} href="...">...</a>
  <a id='${data.value}' href="...">...</a>
- This would break with this for data.value:
  % href=javascript:alert('XSS')
  %' href=javascript:alert(window.location)
JavaScript escaping: (and complex attributes)
- Use escapeJavaScript(). http://www.playframework.org/documentation/1.2/javaextensions
- Example unsafe code:
  <a onmouseover="x='${data.value}'; ..." href="...">...</a>
- This would break with this for data.value:
  '; javascript:alert(window.location);//
CSS escaping:
- Not sure as I've no need for this.
- I'd imagine you'd need to create your own somehow. Hopefully there is something out there to manipulate the strings for you.
URL escaping:
- Use urlEncode(). http://www.playframework.org/documentation/1.2/javaextensions
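The attribute and JavaScript break-out cases from the answer above, as an added Python model that is not Play or Groovy code: escape_html and escape_js are stand-ins for Play's escape() and escapeJavaScript(), modelled only on the behaviour the answer describes (escape_html leaves the single quote alone, which is why the id='${...}' example still breaks), and the rendered tag is parsed with Python's html.parser to show which quoting style lets a javascript: href through.

```python
import html
from html.parser import HTMLParser

# Constructed inputs: the break-out strings quoted in the accepted answer.
ATTR_PAYLOAD_UNQUOTED = "% href=javascript:alert('XSS')"
ATTR_PAYLOAD_SINGLE = "%' href=javascript:alert(window.location)"
JS_PAYLOAD = "'; javascript:alert(window.location);//"

def escape_html(s: str) -> str:
    """Model of ${} / escape(): entity-encode & < > and the double quote. The single
    quote is deliberately left alone, matching the answer's id='${...}' example."""
    return html.escape(s, quote=False).replace('"', "&quot;")

def escape_js(s: str) -> str:
    """Stand-in for escapeJavaScript(): backslash-escape a value for a quoted JS string
    literal, so quotes, backslashes, slashes, newlines and <>& cannot end the literal."""
    out = []
    for ch in s:
        if ch in "\\'\"/":
            out.append("\\" + ch)
        elif ch in "\n\r":
            out.append("\\n" if ch == "\n" else "\\r")
        elif ch in "<>&":
            out.append("\\u%04x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)

class _Anchor(HTMLParser):
    """Collect every (name, value) attribute pair of the first <a> tag seen."""
    def __init__(self):
        super().__init__()
        self.attrs = []
    def handle_starttag(self, tag, attrs):
        if tag == "a" and not self.attrs:
            self.attrs = attrs

def attribute_injected(value: str, quote: str) -> bool:
    """Render <a id=<quote>${value}<quote> href="/safe"> with HTML escaping applied,
    parse it the way a browser would, and report whether a javascript: href appeared."""
    markup = f'<a id={quote}{escape_html(value)}{quote} href="/safe">x</a>'
    p = _Anchor()
    p.feed(markup)
    return any(n == "href" and v.startswith("javascript:") for n, v in p.attrs)

def js_literal_intact(value: str) -> bool:
    """Scan x='<value>'; like a JS lexer: the first unescaped quote must be the closer."""
    src = f"x='{value}';"
    i = 3  # index just past the opening quote
    while i < len(src) and src[i] != "'":
        i += 2 if src[i] == "\\" else 1
    return src[i:] == "';"
```

Only the double-quoted attribute survives both payloads, and the onmouseover literal stays intact only once the value has gone through escape_js.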
Answer by Codemwnci
I think you are absolutely correct in your summary. Play gives you some of the solutions, but not all. However, in the two places where Play does not offer something (in the CSS and attribute), I can't actually find a need for it.
The OWASP standard specifies that you should escape untrusted code. So, the only way you would have untrusted code in your CSS is if it is being generated dynamically. If it is being generated dynamically, then there is nothing stopping you doing so using standard Groovy templates, and therefore using ${} and escape().
As for the attribute escaping, again, the only time you are going to need this as far as I can tell, is when you are building your view in the Groovy templates, so again, you can use ${} or escape().