我在测试自己网站http://www.xxx.com/">alert(55) 敲这样一个链接会弹窗 查询了一下应该是存在XSS漏洞吧 求大神告知该如何修复呢
6条回答 默认 最新
fengqingyuebai19 2018-01-17 02:21关注配起来有点麻烦,大概就下面的思路,你在网上找找吧
[#escape x as htmlEnc(x)]
[/#escape]public class HtmlEncFunction implements TemplateMethodModel { private static final String EMPTY = ""; /** * * 特殊字符转义. * * @see freemarker.template.TemplateMethodModel#exec(java.util.List) */ @Override public Object exec(List arguments) throws TemplateModelException { String result = EMPTY; if (CollectionUtils.isNotEmpty(arguments)) { Object param = arguments.get(0); if (param instanceof String) { result = (String) param; if (StringUtils.isNotBlank(result)) { result = ESAPI.encoder().encodeForHTML(result); } } } return result; } public static String cleanXSS(String value) { if (StringUtils.isNotBlank(value)){ value = value.replaceAll("<", "& lt;").replaceAll(">", "& gt;"); value = value.replaceAll("\\(", "& #40;").replaceAll("\\)", ")"); value = value.replaceAll("'", "& #39;"); value = value.replaceAll("eval\\((.*)\\)", ""); value = value.replaceAll("[\\\"\\\'][\\s]*javascript:(.*)[\\\"\\\']", "\"\""); value = value.replaceAll("script", ""); } return value; } }解决 无用评论 打赏举报
分享