protect jsp pages againt xss

2019-03-22 04:19发布

问题:

i want to protect my website form xss, and i want to assure that all my data are correct and consistent, so i don't want to allow to add any scripts to my db, that's because my data may be used by other web services , so i want to be sure that my data is correct and will not cause any problems to others.

I want to make validation only in the input of the data , not at the output, hence i will make the validation only once, and also i will be sure that no scripts exist in my db .

EDIT: please check the last comment I added.

回答1:

Use some Filter to sanitize HTTP request data.

You may go for jsoup, it is very handy:

String unsafe = "<p><a href='http://example.com/' onclick='stealCookies()'>Link</a></p>";
String safe = Jsoup.clean(unsafe, Whitelist.basic());
// now: <p><a href="http://example.com/" rel="nofollow">Link</a></p>

Ref: http://jsoup.org/cookbook/cleaning-html/whitelist-sanitizer



回答2:

http://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet



回答3:

In short, you can write filter which does proper escaping of User input(map to relevant URL mapping). There could be readily available plugin to do this but I am not aware.
You can refer to this thread XSS prevention in JSP/Servlet web application