Using Security Encoding Library
- Download ESAPI.jar from the ESAPI Project page and add it to the project's libraries.
- Import the package in the JSP page: <%@ page language="java" import="org.owasp.esapi.*" %>
- Add code according to the different cases:
Case #1
HTML escape before inserting untrusted data into HTML element content.
<%
String safe = ESAPI.encoder().encodeForHTML( request.getParameter( "input" ) );
%>
<%= safe %>
Case #2
Attribute escape before inserting untrusted data into HTML common attributes.
<%
String safe = ESAPI.encoder().encodeForHTMLAttribute( request.getParameter( "input" ) );
%>
'<%= safe %>'>
Case #3
JavaScript escape before inserting untrusted data into JavaScript data values.
<%
String safe = ESAPI.encoder().encodeForJavaScript( request.getParameter( "input" ) );
%>
'<%= safe %>')">
Case #4
URL escape before inserting untrusted data into HTML URL parameter values.
<%
String safe;
try { safe = ESAPI.encoder().encodeForURL( request.getParameter( "input" ) ); }
catch (org.owasp.esapi.errors.EncodingException e) { throw new ServletException(e); } // encodeForURL declares this checked exception
%>
'http://www.victim-site.com?test=<%= safe %>'>link
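Added example (not code from the page or from the ESAPI project): a small Java helper that wraps the four ESAPI calls above so the output context is chosen by method name, and shows the one case the scriptlets leave implicit, a URL parameter that also sits inside an HTML attribute. It assumes ESAPI 2.x on the classpath with a loadable ESAPI.properties; the class name SafeOutput, its method names and the sample input are my own.

```java
import org.owasp.esapi.ESAPI;
import org.owasp.esapi.Encoder;
import org.owasp.esapi.errors.EncodingException;

/** One method per output context, mirroring Case #1 to Case #4 above. */
public final class SafeOutput {
    // ESAPI.encoder() needs ESAPI.properties to be resolvable at runtime (assumption).
    private static final Encoder ENC = ESAPI.encoder();

    /** Case #1: text placed between tags, e.g. <div>...</div>. */
    public static String forHtmlBody(String untrusted) {
        return ENC.encodeForHTML(untrusted);
    }

    /** Case #2: the value of a quoted HTML attribute, e.g. <input value="...">. */
    public static String forAttribute(String untrusted) {
        return ENC.encodeForHTMLAttribute(untrusted);
    }

    /** Case #3: the body of a quoted JavaScript string literal, e.g. var x = '...'; */
    public static String forJsString(String untrusted) {
        return ENC.encodeForJavaScript(untrusted);
    }

    /**
     * Case #4: build a link whose query value is untrusted. The value is URL-encoded
     * first; because the finished URL lands in an href attribute, the whole URL is
     * then attribute-encoded as well. encodeForURL declares a checked exception.
     */
    public static String hrefWithParam(String base, String name, String untrusted)
            throws EncodingException {
        String url = base + "?" + ENC.encodeForURL(name) + "=" + ENC.encodeForURL(untrusted);
        return ENC.encodeForHTMLAttribute(url);
    }

    public static void main(String[] args) throws EncodingException {
        // Constructed sample input: contains every character class the four contexts care about.
        String input = "Tom & Jerry's <b>\"show\"</b>";
        System.out.println("<div>" + forHtmlBody(input) + "</div>");
        System.out.println("<input value=\"" + forAttribute(input) + "\">");
        System.out.println("<script>var x = '" + forJsString(input) + "';</script>");
        System.out.println("<a href=\"" + hrefWithParam("/search", "q", input) + "\">link</a>");
    }
}
```

Running main prints the same input rendered four different ways, which makes it easy to see why one encoder cannot serve every context.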