Question
I scanned my application in HP Fortify and am getting an issue, Cross-Site Scripting: Poor Validation. I am using the ESAPI library. I am getting this finding on a Struts application.
<%@ taglib prefix="s" uri="/struts-tags" %>
<form method='post' name='<s:property value='tableBean.formName'/>' action='Notification.action'>
public String printApplications() throws IOException, ServletException {
request.setAttribute(TableDisplayBean.TABLE_BEAN, tableBean);
}
What would be the proper syntax to use ESAPI to encode tableBean.formName?
Answer 1:
Before:
<html lang="${myVar}">
The appropriate syntax would look like this:
<%@ taglib uri="/WEB-INF/tld/esapi.tld" prefix="esapi" %>
<html lang="<esapi:encodeForHTMLAttribute>${myVar}</esapi:encodeForHTMLAttribute>">
In your case, use HTMLAttribute, because the value you're getting dynamically is being inserted into the "name" attribute on the tag. If it was going to be, say, in a p-tag, you'd use esapi:encodeForHTML.
<p>
<esapi:encodeForHTML>${myVal}</esapi:encodeForHTML>
</p>
Also, if the value would be received by a JavaScript function on rendering, use esapi:encodeForJavaScript.
Encoding always has a proper context, and the context is answered by the question, "What kind of interpreter will first receive this data?"
=============================================
I wasn't explicit enough. The example I provided will only escape for HTML attributes when it sounds like it's being deposited as raw HTML. The general example above has been reworked.
Using your example, try:
<%-- The ESAPI tag wraps the property output; escapeHtml="false" stops Struts encoding it first, which would otherwise double-encode --%>
<form method='post' name='<esapi:encodeForHTMLAttribute><s:property value="tableBean.formName" escapeHtml="false"/></esapi:encodeForHTMLAttribute>' action='Notification.action'>
I'm used to JSTL syntax, so I'm not 100% sure of the best way to wrap your variable here. You'll have to play with it. Alternatively, you could add a method to tableBean like tableBean.attributeEscapedFormName, which would look like:
import org.owasp.esapi.ESAPI;

public class TableBean {
    String formName;

    // Encodes for the HTML attribute context; the ESAPI Encoder method is encodeForHTMLAttribute
    public String htmlAttributeEscapedFormName() {
        return ESAPI.encoder().encodeForHTMLAttribute(formName);
    }
}
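As an added illustration of the rule stated above (pick the encoder for the interpreter that first receives the data), here is a small Python model of the three encoders named in the answer, applied to the single-quoted name='...' attribute from the question. This is example code written for this page, not ESAPI's or the answerer's code; the immune-character sets and the hex-entity scheme are an assumption that approximates ESAPI's default behaviour, and the sample form name is constructed.

```python
import re

# Characters each encoder passes through unchanged (assumption: modelled on
# ESAPI's DefaultEncoder "immune" sets, not taken from ESAPI itself). The
# attribute context does NOT treat a space as safe, because an unquoted
# attribute value ends at the first space.
IMMUNE_HTML = set(",.-_ ")
IMMUNE_HTML_ATTR = set(",.-_")
IMMUNE_JS = set(",._")


def _is_ascii_alnum(ch: str) -> bool:
    return ch.isascii() and ch.isalnum()


def encode_for_html(text: str) -> str:
    """HTML body context (between tags): hex entity for everything except
    ASCII alphanumerics and the immune characters."""
    return "".join(
        ch if _is_ascii_alnum(ch) or ch in IMMUNE_HTML else f"&#x{ord(ch):x};"
        for ch in text
    )


def encode_for_html_attribute(text: str) -> str:
    """HTML attribute value context: same entity scheme as the body, but with a
    stricter immune set so quotes, angle brackets and whitespace are all encoded."""
    return "".join(
        ch if _is_ascii_alnum(ch) or ch in IMMUNE_HTML_ATTR else f"&#x{ord(ch):x};"
        for ch in text
    )


def encode_for_javascript(text: str) -> str:
    """JavaScript string-literal context: \\xHH for Latin-1, \\uHHHH above that.
    HTML entities would be wrong here because the JS engine, not the HTML
    parser, is the first interpreter to see the value."""
    out = []
    for ch in text:
        if _is_ascii_alnum(ch) or ch in IMMUNE_JS:
            out.append(ch)
        elif ord(ch) < 0x100:
            out.append(f"\\x{ord(ch):02x}")
        else:
            out.append(f"\\u{ord(ch):04x}")
    return "".join(out)


def render_form_tag(form_name: str) -> str:
    """Builds the <form> tag from the question; the bean value lands inside a
    single-quoted attribute, so the attribute encoder is the right one."""
    return (
        "<form method='post' name='"
        + encode_for_html_attribute(form_name)
        + "' action='Notification.action'>"
    )


# Anything that could terminate a quoted or unquoted attribute value.
_ATTR_BREAKOUT = re.compile(r"""['"<>\s=]""")


def attribute_value_is_inert(value: str) -> bool:
    """True if the value cannot close or extend the attribute it is placed in."""
    return _ATTR_BREAKOUT.search(value) is None


# Constructed sample: a benign name that still contains every character an
# attribute-context encoder must neutralise.
SAMPLE_FORM_NAME = "O'Brien & \"Sons\" <Ltd>"

if __name__ == "__main__":
    print("html body     :", encode_for_html(SAMPLE_FORM_NAME))
    print("html attribute:", encode_for_html_attribute(SAMPLE_FORM_NAME))
    print("javascript    :", encode_for_javascript(SAMPLE_FORM_NAME))
    print(render_form_tag(SAMPLE_FORM_NAME))
    print("raw inert?    :", attribute_value_is_inert(SAMPLE_FORM_NAME))
    print("encoded inert?:", attribute_value_is_inert(encode_for_html_attribute(SAMPLE_FORM_NAME)))
```

The useful comparison is between the body encoder and the attribute encoder on the same input: the body encoder leaves spaces alone, which is harmless between tags but would let a value extend an unquoted attribute, so it fails the attribute_value_is_inert check that the attribute encoder passes.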
Answer 2:
You should read the property tag reference to better understand how to use it.
Used to get the property of a value, which will default to the top of the stack if none is specified.

Parameters

Dynamic Attributes Allowed: false

Name               Required  Default  Evaluated  Type     Description
default                                                   The default value to be used if value attribute is null
escapeCsv          false     false    false      Boolean  Whether to escape CSV (useful to escape a value for a column)
escapeHtml         false     true     false      Boolean  Whether to escape HTML
escapeJavaScript   false     false    false      Boolean  Whether to escape Javascript
escapeXml          false     false    false      Boolean  Whether to escape XML
value              false              false      Object   Value to be displayed

Examples:
<s:push value="myBean">
    <!-- Example 1: -->
    <s:property value="myBeanProperty" />

    <!-- Example 2: -->
    <s:property value="myBeanProperty" default="a default value" />
</s:push>
Example 1 prints the result of myBean's getMyBeanProperty() method. Example 2 prints the result of myBean's getMyBeanProperty() method and, if it is null, prints 'a default value' instead.
Source: https://stackoverflow.com/questions/42910529/i-am-getting-cross-site-scripting-poor-validation-on-a-struts-call-to-a-bean-cl