Question
I am getting a Veracode issue on the line below:
<input type="hidden" name="studentName" value="<%=viewBean.getStudName()%>">
The issue is on <%=viewBean.getStudName()%>.
The issue reported is "Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)". I have tried the fix given on cwe.mitre.org but I could not apply it properly. Can anyone help with how to overcome this issue?
Answer 1:
Use
<%@ taglib uri="http://java.sun.com/jsp/jstl/core" prefix="c" %>
<c:out value="${viewBean.studName}"/>
instead; it escapes XML.
Answer 2:
As per CWE,
The software receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special characters such as "<", ">", and "&" that could be interpreted as web-scripting elements when they are sent to a downstream component that processes web pages.
You need to escape HTML; this can be done with the JSTL tags as @jigar suggested.
Some info on SO about how to fix the error:
- Veracode - Improper Neutralization of Script-Related HTML tags in a Web Page (Basic XSS)
- How to fix Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) with error message?
Answer 3:
Include the JSTL functions taglib below in the JSP
<%@ taglib uri="http://java.sun.com/jsp/jstl/functions" prefix="fn" %>
and use
value="${fn:escapeXml(viewBean.getStudName())}"
If using JSTL core <c:out/>, you can use escapeXml="true" to avoid XSS.
Answer 4:
You need to use HTML encoding while printing the value; that is why it is giving the error. It should be encoded as
value="<%=ESAPI.encoder().encodeForHTML(viewBean.getStudName())%>"
You need to import org.owasp.esapi.ESAPI and org.owasp.esapi.Encoder.
This will surely resolve the issue.
Answer 5:
<%@ page import="org.apache.commons.lang.StringEscapeUtils" %>
<input type="hidden" name="studentName" value="<%=StringEscapeUtils.escapeHtml(viewBean.getStudName())%>">
Used like this. It is working now, as advised by @Jigar Joshi and @San Krish.
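The following is an added example, not code from the question or from any of the answers above. It shows in plain Java what the fixes in Answer 3 (fn:escapeXml / <c:out>) and Answer 5 (StringEscapeUtils.escapeHtml) do to the hidden field from the question, so it can be read and run without a servlet container. The escapeXml method reproduces the five substitutions that JSTL's escapeXml performs; the class name, the renderEscaped/renderUnescaped helpers and the studName inputs are constructed for this example.

```java
import java.util.Arrays;
import java.util.List;

/**
 * Added example: attribute-context output encoding for the hidden field in the
 * question. Not from the original post; helper names and inputs are constructed.
 */
public final class HiddenFieldEscaping {

    /**
     * Same substitutions as JSTL fn:escapeXml / <c:out escapeXml="true">:
     * the characters that can close an attribute value, open a tag, or start
     * an entity are replaced by character references.
     */
    public static String escapeXml(String s) {
        if (s == null) return "";
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '&':  out.append("&amp;");  break;
                case '"':  out.append("&#034;"); break;
                case '\'': out.append("&#039;"); break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    /** What the JSP in the question emits: the value is dropped into the attribute as-is. */
    public static String renderUnescaped(String studName) {
        return "<input type=\"hidden\" name=\"studentName\" value=\"" + studName + "\">";
    }

    /** The fixed rendering: the value is escaped before it is placed inside the attribute. */
    public static String renderEscaped(String studName) {
        return "<input type=\"hidden\" name=\"studentName\" value=\"" + escapeXml(studName) + "\">";
    }

    /**
     * Crude structural check for rendered markup: how many tags were opened.
     * A correctly encoded hidden field opens exactly one; a breakout like
     * "><script> opens more. (Not a substitute for an HTML parser.)
     */
    public static int openedTags(String html) {
        int opens = 0;
        for (int i = 0; i < html.length(); i++) {
            if (html.charAt(i) == '<') opens++;
        }
        return opens;
    }

    public static void main(String[] args) {
        // Constructed inputs: a legitimate name containing markup-significant
        // characters, and a value that tries to close the attribute and open
        // a script element.
        List<String> names = Arrays.asList(
            "Ann \"Marie\" O'Neil & Sons",
            "\"><script>alert(1)</script>"
        );
        for (String name : names) {
            String raw = renderUnescaped(name);
            String safe = renderEscaped(name);
            System.out.println("unescaped: " + raw + "   tags opened=" + openedTags(raw));
            System.out.println("escaped:   " + safe + "   tags opened=" + openedTags(safe));
        }
        // The browser decodes the character references when it reads the attribute,
        // so the form still submits the original studName unchanged; only its
        // interpretation as markup is neutralized.
    }
}
```

For the second input the escaped line keeps a single element, with the value attribute holding `&#034;&gt;&lt;script&gt;alert(1)&lt;/script&gt;`, whereas the unescaped line opens three tags. One caveat when choosing between the answers: commons-lang's escapeHtml does not touch the single quote, so it protects the double-quoted attribute in the question but not a single-quoted one; JSTL's escapeXml and ESAPI do escape it, and ESAPI's encodeForHTMLAttribute is the method intended for attribute values specifically.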
Source: https://stackoverflow.com/questions/26646894/veracode-issue-in-jsp