I am getting Cross-Site Scripting: Poor Validation on a struts call to a bean class

Submitted by 放肆的年华 on 2020-01-07 03:19:07

Question


I scanned my application with HP Fortify and am getting an issue, Cross-Site Scripting: Poor Validation. I am using the ESAPI library. I am getting this finding in a Struts application.

<%@ taglib prefix="s" uri="/struts-tags" %>
<form method='post' name='<s:property value='tableBean.formName'/>' action='Notification.action'>

public String printApplications() throws IOException, ServletException {
    request.setAttribute(TableDisplayBean.TABLE_BEAN, tableBean);
    return SUCCESS; // Struts result name (Action.SUCCESS)
}

What would be the proper syntax to use ESAPI to encode tableBean.formName?


Answer 1:


Before:

<html lang="${myVar}">

The appropriate syntax would look like this:

<%@ taglib uri="/WEB-INF/tld/esapi.tld" prefix="esapi" %>
<html lang="<esapi:encodeForHTMLAttribute>${myVar}</esapi:encodeForHTMLAttribute>">

In your case, use HTMLAttribute because the value you're getting dynamically is being inserted into the "name" attribute on the tag. If it was going to be say, in a p-tag, you'd use esapi:encodeForHTML.

<p>
<esapi:encodeForHTML>${myVal}</esapi:encodeForHTML>
</p>

Also, if the value would be received by a javascript function on rendering, esapi:encodeForJavaScript.

Encoding always has a proper context, and the context is answered by the question, "What kind of interpreter will first receive this data?"

=============================================

I wasn't explicit enough. The example I provided will only escape for HTML attributes when it sounds like it's being deposited as raw HTML. The general example above has been reworked.

Using your example, try:

<form method='post' name='<s:property value=<esapi:encodeForHTMLAttribute>'tableBean.formName'</esapi:encodeForHTMLAttribute>/>' action='Notification.action'>

I'm used to JSTL syntax, so I'm not 100% sure the best way to wrap your variable here. You'll have to play with it. Alternatively, you could add a method to tableBean like tableBean.attributeEscapedFormName which would look like:

import org.owasp.esapi.ESAPI;

public class TableBean {
    String formName;

    // Returns formName encoded for use inside an HTML attribute value
    public String htmlAttributeEscapedFormName() {
        return ESAPI.encoder().encodeForHTMLAttribute(formName);
    }
}



Answer 2:


You should read the property tag reference to better understand how to use it.

Used to get the property of a value, which will default to the top of the stack if none is specified.

Parameters (Dynamic Attributes Allowed: false)

  Name              Required  Default         Evaluated  Type     Description
  default           false                     false      String   The default value to be used if value attribute is null
  escapeCsv         false     false           false      Boolean  Whether to escape CSV (useful to escape a value for a column)
  escapeHtml        false     true            false      Boolean  Whether to escape HTML
  escapeJavaScript  false     false           false      Boolean  Whether to escape Javascript
  escapeXml         false     false           false      Boolean  Whether to escape XML
  value             false     <top of stack>  false      Object   Value to be displayed

Examples:

<s:push value="myBean">

 <!-- Example 1: -->
 <s:property value="myBeanProperty" />

 <!-- Example 2: -->
 <s:property value="myBeanProperty" default="a default value" /> 
</s:push> 

Example 1 prints the result of myBean's getMyBeanProperty() method. Example 2 prints the result of myBean's getMyBeanProperty() method and, if it is null, prints 'a default value' instead.
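As an added illustration of the two points made above, not code from the question, the answers, ESAPI or Struts: Answer 1's point that the encoding must match the context the value lands in (attribute vs. element body), and Answer 2's table showing that <s:property> escapes HTML by default. The class below re-implements both encoders in simplified form (ESAPI's real call is ESAPI.encoder().encodeForHTMLAttribute(); the encodeForHtmlText approximation of the tag's escapeHtml behaviour, the getter name getHtmlAttributeEscapedFormName and the sample form name are assumptions) and shows the double encoding you get when a getter that already encodes is rendered through the tag's default escaping.

```java
/**
 * Simplified, self-contained re-implementation of the two HTML encoding contexts
 * discussed in the answers above. Illustration only; this is not ESAPI or Struts code.
 */
public final class ContextEncodingDemo {

    // Attribute context: ESAPI's encodeForHTMLAttribute leaves only alphanumerics and
    // the characters , . - _ untouched and turns everything else into an entity, so the
    // result cannot close a single-quoted, double-quoted or unquoted attribute.
    static String encodeForHtmlAttribute(String s) {
        StringBuilder out = new StringBuilder(s.length() * 2);
        for (int i = 0; i < s.length(); ) {
            int cp = s.codePointAt(i);
            boolean immune = (cp < 128 && Character.isLetterOrDigit(cp))
                    || cp == ',' || cp == '.' || cp == '-' || cp == '_';
            if (immune) {
                out.appendCodePoint(cp);
            } else {
                out.append("&#x").append(Integer.toHexString(cp)).append(';');
            }
            i += Character.charCount(cp);
        }
        return out.toString();
    }

    // Text (element body) context: an approximation of what <s:property> does with
    // escapeHtml="true" (its default). Only characters meaningful to the HTML parser change.
    static String encodeForHtmlText(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (char c : s.toCharArray()) {
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    // Bean exposing the pre-encoded name through a getter, so OGNL can read it as the
    // property "htmlAttributeEscapedFormName" (assumed name; OGNL maps it to the getter).
    public static final class TableBean {
        private final String formName;
        public TableBean(String formName) { this.formName = formName; }
        public String getFormName() { return formName; }
        public String getHtmlAttributeEscapedFormName() {
            return encodeForHtmlAttribute(formName);
        }
    }

    // True if any character that could end a quoted attribute or start a tag survived.
    static boolean couldBreakOutOfAttribute(String encoded) {
        return encoded.indexOf('\'') >= 0 || encoded.indexOf('"') >= 0
                || encoded.indexOf('<') >= 0 || encoded.indexOf('>') >= 0;
    }

    public static void main(String[] args) {
        // Constructed sample value containing both quote styles and angle brackets.
        TableBean bean = new TableBean("Bob's \"Q1\" report <draft>");

        String attr = bean.getHtmlAttributeEscapedFormName();
        String text = encodeForHtmlText(bean.getFormName());

        System.out.println("attribute context : name='" + attr + "'");
        System.out.println("text context      : <p>" + text + "</p>");
        System.out.println("breakout possible : " + couldBreakOutOfAttribute(attr)); // false

        // Caveat from the <s:property> reference: escapeHtml defaults to true, so rendering
        // the already-encoded getter through the tag encodes the '&' of each entity again
        // and the browser shows "&#x27;" literally instead of the apostrophe.
        String doubleEncoded = encodeForHtmlText(attr);
        System.out.println("double-encoded    : " + doubleEncoded);
        System.out.println("literal entities  : " + doubleEncoded.contains("&amp;#x")); // true
        // Render such a getter with escapeHtml="false" on <s:property>, or let the tag's own
        // escaping do the work and do not pre-encode in the bean; never both.
    }
}
```

Compile and run with javac ContextEncodingDemo.java && java ContextEncodingDemo. The design point is that exactly one layer should encode: either the bean getter (rendered with escapeHtml="false") or the tag's default escaping, but not both in sequence.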



Source: https://stackoverflow.com/questions/42910529/i-am-getting-cross-site-scripting-poor-validation-on-a-struts-call-to-a-bean-cl
