I need to escape characters to avoid XSS. I am using org.apache.commons.lang.StringEscapeUtils.escapeHtml(String str), which helps in the following way:

Raw input

" onmouseover=alert() src="

After escaping HTML becomes

&quot; onmouseover=alert() src=&quot;

However, there are cases in which the reflected input is trapped in single quotes, such as:

test'];}alert();if(true){//

In that particular case, escaping HTML does not have any effect. However, org.apache.commons.lang.StringEscapeUtils also has a method called escapeJavaScript(String str), which would convert the input into:

test\'];}alert();if(true){\/\/

The question here is, would you sanitize your input by escaping HTML first and then JavaScript? The other option would be to replace the single quote character with \' manually.

Any help will be greatly appreciated!

asked Jun 8, 2018 at 14:34 by user1532449

1 Answer

As @gabor-lengyel mentioned, I should be able to escape a single quote with an HTML encoder.

The problem I had is that I was using org.apache.commons.lang.StringEscapeUtils.escapeHtml and it is not capable of escaping single quotes with the corresponding HTML entity. I am now using org.springframework.web.util.HtmlUtils.htmlEscape, which is capable of dealing with both double and single quotes.

Thank you @gabor-lengyel again for your help!
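The context-dependent escaping that both the question and the answer circle around, as an added example (Java 9+, no library dependencies) that is neither the asker's code nor the commons-lang or Spring implementation; the escape tables and the breaksOut helper are constructed here as stand-ins for those library methods, and the two inputs are the ones quoted in the question.

```java
import java.util.HashMap;
import java.util.Map;

// Added example, not the asker's or the libraries' code: one escape table per
// output context, applied according to the sink the input lands in.
public final class ContextEscaping {
    // HTML text/attribute context covering both quote styles (what the answer
    // gets from Spring's HtmlUtils.htmlEscape).
    static final Map<Character, String> HTML = Map.of(
        '&', "&amp;", '<', "&lt;", '>', "&gt;", '"', "&quot;", '\'', "&#39;");
    // The behaviour the question ran into: commons-lang 2.x escapeHtml has no
    // rule for the single quote.
    static final Map<Character, String> HTML_NO_SINGLE_QUOTE = new HashMap<>(HTML);
    static { HTML_NO_SINGLE_QUOTE.remove('\''); }
    // JavaScript string-literal context: backslash-escape the delimiters and
    // \u-escape anything that could close the enclosing <script> element.
    static final Map<Character, String> JS_STRING = Map.of(
        '\\', "\\\\", '\'', "\\'", '"', "\\\"", '/', "\\/",
        '<', "\\u003C", '>', "\\u003E", '\n', "\\n", '\r', "\\r");

    static String escape(String s, Map<Character, String> table) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            String r = table.get(s.charAt(i));
            out.append(r == null ? String.valueOf(s.charAt(i)) : r);
        }
        return out.toString();
    }

    // True when the delimiter that closes the surrounding literal survives
    // escaping, i.e. the input can still step out of its intended context.
    static boolean breaksOut(String escaped, char delimiter) {
        return escaped.indexOf(delimiter) >= 0;
    }

    public static void main(String[] args) {
        String attrPayload = "\" onmouseover=alert() src=\"";  // from the question
        String jsPayload = "test'];}alert();if(true){//";      // from the question
        // Double-quoted attribute sink: either HTML table neutralises the input.
        System.out.println(breaksOut(escape(attrPayload, HTML_NO_SINGLE_QUOTE), '"'));
        // Single-quoted JS string sink: only the quote-less HTML table lets the
        // input out; full HTML escaping holds only because entities are not
        // decoded inside <script>, so JS_STRING is the right table for that sink.
        System.out.println(breaksOut(escape(jsPayload, HTML_NO_SINGLE_QUOTE), '\''));
        System.out.println(breaksOut(escape(jsPayload, HTML), '\''));
        System.out.println(breaksOut(escape(jsPayload, JS_STRING), '\''));
        System.out.println(escape(jsPayload, JS_STRING));
    }
}
```

Pick the table by where the value is written, not by what the input looks like: a value that ends up inside a JS string literal inside a `<script>` block needs the JS_STRING rules, while the same value written into an HTML attribute needs the HTML rules.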

Tags: javascript, Escaping characters to avoid XSS in Java, Stack Overflow