问题
We need to add anti-XSS support in our Struts application. Most specifically the architect requires that all user input must be "sanitized" before storing in DB. As I don't want to reinvent the square wheel, which Java library can I use for this ? And where to put it ? Ideally it should be configurable (which input fields to check, not all of them in request) and fast. My first thought is Struts Validator.
Thanks in advance Lluis
回答1:
I recommend you look into OWASP's ESAPI project. It has been under development for over a year, and is approaching its 2.0 release.
For escaping values stored in the database, check out the Encoder.encodeForSQL() method (reference implementation).
For input validation, check out the Validator (reference implementation).
Note: my understanding is that the functionality provided by older projects such as Stinger and CSRFGuard is being included in ESAPI.
回答2:
If you seach google for XSS Java Filter, you'll come up with many open source solutions, such as this one.
You could also look at the OWASP validation project.
来源:https://stackoverflow.com/questions/825638/how-to-prevent-xss-vulnerability-with-struts