Using Security Encoding Library
- Download ESAPI.jar from the ESAPI Project page and add it to the project's library (build path).
- Import the package in the JSP page: <%@ page language="java" import="org.owasp.esapi.*" %>
- Add code according to the different cases:
Case #1
HTML escape before inserting untrusted data into HTML element content.
<% String safe = ESAPI.encoder().encodeForHTML( request.getParameter( "input" ) ); %>
<%= safe %>
Case #2
Attribute escape before inserting untrusted data into HTML common attributes.
<% String safe = ESAPI.encoder().encodeForHTMLAttribute( request.getParameter( "input" ) ); %>
<%-- the element and attribute names below are illustrative; the encoded value must sit inside a quoted attribute --%>
<div attr='<%= safe %>'>content</div>
Case #3
JavaScript escape before inserting untrusted data into JavaScript data values.
<% String safe = ESAPI.encoder().encodeForJavaScript( request.getParameter( "input" ) ); %>
<%-- the element and handler names below are illustrative; the encoded value goes inside a quoted JavaScript string --%>
<button onclick="show('<%= safe %>')">click</button>
Case #4
URL escape before inserting untrusted data into HTML URL parameter values.
<% String safe = ESAPI.encoder().encodeForURL( request.getParameter( "input" ) ); %>
<a href='http://www.victim-site.com?test=<%= safe %>'>link</a>
Note that, unlike the other three encoders, encodeForURL declares a checked EncodingException, so in a scriptlet the call has to be wrapped in a try/catch (or the page will not compile). It only encodes a parameter value; it does not make an attacker-supplied scheme or host safe, so the rest of the URL should still come from trusted code.
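The four cases share one rule: the encoder has to match the context the browser will parse the value in, because each context has its own decoder. As an added illustration that is not ESAPI code and not part of the original post, the Python below models the four encoders with character sets modelled on ESAPI's DefaultEncoder (an assumption; real ESAPI output may use named entities and differ in detail) and then simulates why data encoded for Case #1 is not safe inside an onclick attribute, which is exactly what Case #3 exists for: the browser HTML-decodes the attribute before the JavaScript engine sees it, so `&#x27;` turns back into a quote.

```python
import html
import urllib.parse

# Added illustration (not ESAPI code). The sets of characters left unencoded
# ("immune" sets) are modelled on ESAPI's DefaultEncoder; exact ESAPI output
# may use named entities or differ in detail, so treat this as an approximation.


def _hex_entities(s: str, immune: str) -> str:
    """Encode every char except ASCII alphanumerics and the immune set as &#xHH;."""
    out = []
    for ch in s:
        if (ch.isascii() and ch.isalnum()) or ch in immune:
            out.append(ch)
        else:
            out.append(f"&#x{ord(ch):x};")
    return "".join(out)


def encode_for_html(s: str) -> str:
    """Case #1: HTML element content. Space is left alone here."""
    return _hex_entities(s, ",.-_ ")


def encode_for_html_attribute(s: str) -> str:
    """Case #2: quoted HTML attribute value. Space is encoded as well."""
    return _hex_entities(s, ",.-_")


def encode_for_javascript(s: str) -> str:
    # Case #3: JavaScript string data. \xHH for code points below 256, \uHHHH above.
    out = []
    for ch in s:
        if (ch.isascii() and ch.isalnum()) or ch in ",._":
            out.append(ch)
        elif ord(ch) < 256:
            out.append(f"\\x{ord(ch):02X}")
        else:
            out.append(f"\\u{ord(ch):04X}")
    return "".join(out)


def encode_for_url(s: str) -> str:
    """Case #4: URL query parameter value (form-style percent encoding, space -> +)."""
    return urllib.parse.quote_plus(s)


def js_string_broken(attr_value: str) -> bool:
    """Simulate the browser: an onclick attribute is HTML-decoded first and only
    then handed to the JavaScript parser. Report whether a bare quote survives,
    which would terminate the quoted literal in onclick="show('...')"."""
    decoded = html.unescape(attr_value)
    return "'" in decoded


def wrong_context_demo(untrusted: str) -> dict:
    """Put the same value into onclick="show('<%= safe %>')" using the Case #1
    encoder (wrong context) and the Case #3 encoder (right context)."""
    return {
        "html_encoded_breaks_out": js_string_broken(encode_for_html(untrusted)),
        "js_encoded_breaks_out": js_string_broken(encode_for_javascript(untrusted)),
    }


if __name__ == "__main__":
    # Constructed sample input: an apostrophe, an ampersand and angle brackets.
    sample = "O'Reilly & <Sons>"
    for name, fn in [("HTML", encode_for_html),
                     ("HTML attribute", encode_for_html_attribute),
                     ("JavaScript", encode_for_javascript),
                     ("URL", encode_for_url)]:
        print(f"{name:15}: {fn(sample)}")
    print(wrong_context_demo(sample))
```

Running it shows the same input rendered four different ways and a dictionary in which only the HTML-encoded variant breaks out of the JavaScript string. The practical check for any template is therefore not "was it encoded?" but "was it encoded for the context it was inserted into?"; a value that passes through two contexts (an attribute that contains a URL, for example) needs the inner encoding applied first and the outer one on top.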