How to escape-html in JSP before saving to database?

你离开我真会死。 Submitted on 2019-12-14 03:43:17

Question


I am learning JSP and Java at the moment and wrote a (very) simple guestbook to get started with JSP. But I want to ensure that no one can use CSS, so I need to strip the HTML code before saving it to my MySQL database. I already searched here and found the "

  PreparedStatement pStmt = conn.prepareStatement("INSERT INTO test VALUES (ID, ?, ?)");

  pStmt.setString(1, request.getParameter("sender"));
  pStmt.setString(2, request.getParameter("text"));
  pStmt.executeUpdate();

So what would be the proper way to do this ?


Answer 1:


Short answer: have a look at org.apache.commons.lang.StringEscapeUtils.escapeHtml().

More detailed answer: Escaping HTML is the job of the presentation code, not the database code. What if for some reason, you want to display your data at some point in a non-web environment, such as a classic GUI? You will have to unescape the whole thing, otherwise it will display total garbage.

Just save the data as it is and make sure you escape everything you get from the user right before you display it (ok, maybe not numbers stored as numbers, but you get the idea).

If you're using AJAX, you can take this even further and only escape your strings in JavaScript (or use innerText).




Answer 2:


The usual practice is the other way around. We save whatever is in the textarea, and use the escapeXml attribute of a <c:out> tag when showing it. This way everything, CSS and HTML tags alike, will be treated as simple text.




Answer 3:


You can also use the JSTL function fn:escapeXml().

 <%@ taglib prefix="fn" uri="http://java.sun.com/jsp/jstl/functions" %>
 ...   
 <input type="hidden" name="htmlCode" value="${fn:escapeXml(htmlCode)}"/>



Answer 4:


You need to escape the HTML for security purposes, e.g. to prevent things like Cross Site Scripting attacks (XSS).

Search for Cross site scripting on Google/Stack Overflow for more details.

There will be several open source Servlet Filters which will do this for you.

e.g. see here for an explanation




Answer 5:


You can also use the JSTL core library.

c:out has escapeXml on by default.

Examples:

<c:out value="${tp.title}" />

<c:out value="${product.listPrice}" escapeXml="false" /> // if you want to turn it off

This approach lets you do escaping in the presentation layer as other people recommended.
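The pattern recommended in Answers 1, 3 and 5 (store the submitted text unchanged with a parameterized INSERT, escape only when rendering), as an added Java example that is not from the original thread. The escapeHtml method reproduces the five replacements JSTL's fn:escapeXml / <c:out> perform; the table and column names are assumed.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.SQLException;

public class GuestbookEscaping {

    // Same five characters that JSTL's fn:escapeXml and <c:out> escape.
    public static String escapeHtml(String s) {
        if (s == null) return "";
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '"':  sb.append("&#034;"); break;
                case '\'': sb.append("&#039;"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // Storage: parameter binding prevents SQL injection; the text itself is
    // stored exactly as typed, so other consumers (GUI, API) get the original.
    public static void saveEntry(Connection conn, String sender, String text)
            throws SQLException {
        // Hypothetical table/column names, not from the original question.
        try (PreparedStatement ps = conn.prepareStatement(
                "INSERT INTO test (sender, text) VALUES (?, ?)")) {
            ps.setString(1, sender);
            ps.setString(2, text);
            ps.executeUpdate();
        }
    }

    // Rendering: the markup a JSP would emit for one row via <c:out>.
    // Escaping happens here, at the HTML boundary, and nowhere else.
    public static String renderEntry(String sender, String text) {
        return "<p><b>" + escapeHtml(sender) + "</b>: " + escapeHtml(text) + "</p>";
    }

    public static void main(String[] args) {
        // Constructed sample input containing markup and a script tag.
        String sender = "Mallory <script>alert(1)</script>";
        String text = "<i>hi</i> & \"bye\"";
        System.out.println(renderEntry(sender, text));
    }
}
```

The rendered output contains only entity-encoded text, so the browser shows the tags literally instead of interpreting them.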



Source: https://stackoverflow.com/questions/792974/how-to-escape-html-in-jsp-before-saving-to-database
