javascript - Escaping characters to avoid XSS in Java - Stack Overflow

I need to escape characters to avoid XSS. I am using org.apache.commons.lang.StringEscapeUtils.escapeHtml(String str), which helps in the following way:

Raw input

" onmouseover=alert() src="

After escaping HTML becomes

&quot; onmouseover=alert() src=&quot;

However, there are cases in which the reflected input is trapped in single quotes, such as:

test'];}alert();if(true){//

In that particular case, escaping HTML does not have any effect. However, org.apache.commons.lang.StringEscapeUtils also has a method called escapeJavascript(String str), which would convert the input into:

test\'];}alert();if(true){\/\/

The question here is, would you sanitize your input by escaping HTML first and then Javascript? The other would be to replace the single quote character with \' manually.

Any help will be greatly appreciated!

asked Jun 8, 2018 at 14:34 by user1532449

1 Answer

As @gabor-lengyel mentioned I should be able to escape a single quote with an html encoder.

The problem I had is that I was using org.apache.commons.lang.StringEscapeUtils.escapeHtml and it is not capable of escaping single quotes with the corresponding HTML entity. I am now using org.springframework.web.util.HtmlUtils.htmlEscape, which is capable of dealing with both double and single quotes.

Thank you @gabor-lengyel again for your help!
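The following is an added example, not code from the question, the answer, commons-lang or Spring. It is a dependency-free Java illustration of the point behind the answer: the escaper must match the context the value lands in. The method names (`escapeHtml`, `escapeJsString`, `escapeForOnclickStringLiteral`) and the template strings in `main` are this example's own assumptions; the two inputs are the ones quoted in the question. The HTML escaper covers the single quote that commons-lang's escapeHtml leaves alone (the gap the answer hit and Spring's HtmlUtils.htmlEscape closes).

```java
// Added example: context-aware escaping with no external libraries.
// Method names and templates are hypothetical; the two inputs come from the question.
public final class ContextEscaper {

    // HTML text or attribute context: neutralise & < > " and '.
    // Escaping ' (as &#39;) is what distinguishes this from commons-lang 2.x escapeHtml.
    public static String escapeHtml(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    // JavaScript string-literal context inside a <script> block, where the browser
    // does NOT decode HTML entities: backslash-escape the delimiters and encode
    // < > & as \uXXXX so a "</script>" in the value cannot close the block.
    public static String escapeJsString(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '\\': out.append("\\\\");    break;
                case '\'': out.append("\\'");     break;
                case '"':  out.append("\\\"");    break;
                case '\n': out.append("\\n");     break;
                case '\r': out.append("\\r");     break;
                case '/':  out.append("\\/");     break;
                case '<':  out.append("\\u003C"); break;
                case '>':  out.append("\\u003E"); break;
                case '&':  out.append("\\u0026"); break;
                default:
                    if (c < 0x20) out.append(String.format("\\u%04X", (int) c));
                    else out.append(c);
            }
        }
        return out.toString();
    }

    // Inline event handler: a JS string nested inside an HTML attribute. The browser
    // HTML-decodes the attribute first and only then parses the JS, so escape the
    // inner context (JS) first and the outer context (HTML) second. The reverse
    // order would hand the JS parser a decoded, live quote.
    public static String escapeForOnclickStringLiteral(String s) {
        return escapeHtml(escapeJsString(s));
    }

    public static void main(String[] args) {
        String attrPayload = "\" onmouseover=alert() src=\"";   // from the question
        String jsPayload   = "test'];}alert();if(true){//";    // from the question

        // Context 1: value inside a double-quoted HTML attribute.
        String img = "<img src=\"" + escapeHtml(attrPayload) + "\">";

        // Context 2: value inside a single-quoted JS string in a <script> block.
        // HTML escaping alone would not help here; entities are not decoded in scripts.
        String script = "<script>var v = ['" + escapeJsString(jsPayload) + "'];</script>";

        // Context 3: JS string inside an onclick attribute; inner-then-outer escaping.
        String link = "<a onclick=\"f('" + escapeForOnclickStringLiteral(jsPayload) + "')\">x</a>";

        // Sanity checks a unit test would carry: no raw delimiter survives in any context.
        if (escapeHtml(attrPayload).indexOf('"') >= 0) throw new AssertionError("raw \" in attribute");
        if (escapeHtml(jsPayload).indexOf('\'') >= 0)  throw new AssertionError("raw ' after HTML escape");
        if (escapeJsString(jsPayload).contains("'")
                && !escapeJsString(jsPayload).contains("\\'")) throw new AssertionError("raw ' in JS string");

        System.out.println(img);
        System.out.println(script);
        System.out.println(link);
    }
}
```

The design point to take from this: the answer's fix works because the reflected value sat in an HTML attribute, where the browser decodes `&#39;` back to a quote only after the attribute has been delimited. If the same value were written into a `<script>` block, no HTML escaper would help and `escapeJsString` (or an equivalent such as Spring's `JavaScriptUtils.javaScriptEscape`) is the right tool; when both contexts nest, escape for the inner one first.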
