Question
I scanned my application in HP Fortify and am getting an issue, Cross-Site Scripting: Poor Validation. I am using the ESAPI library. I am getting this finding on a Struts application.

```jsp
<%@ taglib prefix="s" uri="/struts-tags" %>
<form method='post' name='<s:property value='tableBean.formName'/>' action='Notification.action'>
```

```java
public String printApplications() throws IOException, ServletException {
    request.setAttribute(TableDisplayBean.TABLE_BEAN, tableBean);
    return "success"; // result name assumed; the original snippet omits the return
}
```
What would be the proper syntax to use ESAPI to encode tableBean.formName?
Answer 1:
Before:

```jsp
<html lang="${myVar}">
```

The appropriate syntax would look like this:

```jsp
<%@ taglib uri="/WEB-INF/tld/esapi.tld" prefix="esapi" %>
<html lang="<esapi:encodeForHTMLAttribute>${myVar}</esapi:encodeForHTMLAttribute>">
```
In your case, use HTMLAttribute because the value you're getting dynamically is being inserted into the "name" attribute on the tag. If it was going to be, say, in a p-tag, you'd use esapi:encodeForHTML.

```jsp
<p>
    <esapi:encodeForHTML>${myVal}</esapi:encodeForHTML>
</p>
```

Also, if the value would be received by a JavaScript function on rendering, esapi:encodeForJavaScript.
Encoding always has a proper context, and the context is answered by the question, "What kind of interpreter will first receive this data?"
=============================================
I wasn't explicit enough. The example I provided will only escape for HTML attributes when it sounds like it's being deposited as raw HTML. The general example above has been reworked.
Using your example, try:

```jsp
<form method='post' name='<s:property value=<esapi:encodeForHTMLAttribute>'tableBean.formName'</esapi:encodeForHTMLAttribute>/>' action='Notification.action'>
```

I'm used to JSTL syntax, so I'm not 100% sure the best way to wrap your variable here. You'll have to play with it. Alternatively, you could add a method to tableBean like tableBean.attributeEscapedFormName which would look like:

```java
import org.owasp.esapi.ESAPI;

public class TableBean {
    String formName;

    // Written as a getter so OGNL can resolve it as the property
    // "htmlAttributeEscapedFormName" from <s:property>.
    public String getHtmlAttributeEscapedFormName() {
        // ESAPI's Encoder method is encodeForHTMLAttribute (there is no escapeFor... variant).
        return ESAPI.encoder().encodeForHTMLAttribute(formName);
    }
}
```
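The context point made above (attribute encoding for a value that lands inside a single-quoted `name='...'`, element encoding for a value that lands inside a `<p>`), as an added, self-contained example that is not code from the question or either answer. The two encoders in it are simplified stand-ins for ESAPI's `Encoder.encodeForHTMLAttribute` and `Encoder.encodeForHTML` so the file runs without the ESAPI jar or an `ESAPI.properties`; the `TableBean`, its getter name, and the sample form name are assumptions for illustration.

```java
// Added example (not from the question or either answer): context-specific
// output encoding for the form-name case. The two encoders are simplified
// stand-ins for ESAPI's Encoder.encodeForHTMLAttribute / encodeForHTML so the
// file runs offline; in the real action you would call
// ESAPI.encoder().encodeForHTMLAttribute(formName) instead.
public class FormNameEncodingDemo {

    /** HTML attribute context: every character that is not an ASCII letter or
     *  digit becomes a numeric entity, so neither quote style nor '<', '>',
     *  '&', '=' or whitespace can terminate the attribute or start a new one. */
    static String encodeForHTMLAttribute(String s) {
        StringBuilder out = new StringBuilder(s.length() * 2);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            boolean asciiAlnum = (c >= '0' && c <= '9')
                    || (c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z');
            if (asciiAlnum) {
                out.append(c);
            } else {
                out.append("&#x").append(Integer.toHexString(c)).append(';');
            }
        }
        return out.toString();
    }

    /** HTML element content context (the <p> body): only the characters HTML
     *  itself treats specially need to change. */
    static String encodeForHTML(String s) {
        StringBuilder out = new StringBuilder(s.length());
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '&':  out.append("&amp;");  break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#x27;"); break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    /** Hypothetical bean following the answer's suggestion: a getter that
     *  returns the already attribute-encoded name, so the JSP can write
     *  <s:property value="htmlAttributeEscapedFormName" escapeHtml="false"/>. */
    static class TableBean {
        private final String formName;
        TableBean(String formName) { this.formName = formName; }
        public String getFormName() { return formName; }
        public String getHtmlAttributeEscapedFormName() {
            return encodeForHTMLAttribute(formName);
        }
    }

    /** The form tag from the question, rendered as a plain string. */
    static String renderForm(String nameAttributeValue) {
        return "<form method='post' name='" + nameAttributeValue
                + "' action='Notification.action'>";
    }

    public static void main(String[] args) {
        // Constructed sample value: a single quote and an angle bracket are
        // exactly the characters that matter inside a single-quoted attribute.
        TableBean bean = new TableBean("O'Reilly <report>");

        System.out.println("Unencoded: the quote ends the attribute early");
        System.out.println("  " + renderForm(bean.getFormName()));

        System.out.println("Attribute-encoded: the quote survives only as &#x27;");
        System.out.println("  " + renderForm(bean.getHtmlAttributeEscapedFormName()));

        System.out.println("Element-encoded, the right choice for a <p> body:");
        System.out.println("  <p>" + encodeForHTML(bean.getFormName()) + "</p>");
    }
}
```

One caveat when taking the getter route: `<s:property>` escapes HTML by default (its `escapeHtml` attribute defaults to `true`, as the tag reference quoted in the other answer shows), so a value the bean has already encoded would be encoded a second time and render as literal `&amp;#x27;` text. Either let `<s:property>` do the escaping and leave the bean raw, or return the encoded value from the bean and set `escapeHtml="false"` on the tag; do not do both.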
Answer 2:
You should read the property tag reference to better understand how to use it.

Used to get the property of a value, which will default to the top of the stack if none is specified.

Parameters

Dynamic Attributes Allowed: false

| Name | Required | Default | Evaluated | Type | Description |
|---|---|---|---|---|---|
| default | false | | false | String | The default value to be used if value attribute is null |
| escapeCsv | false | false | false | Boolean | Whether to escape CSV (useful to escape a value for a column) |
| escapeHtml | false | true | false | Boolean | Whether to escape HTML |
| escapeJavaScript | false | false | false | Boolean | Whether to escape JavaScript |
| escapeXml | false | false | false | Boolean | Whether to escape XML |
| value | false | | false | Object | Value to be displayed |

Examples:

```jsp
<s:push value="myBean">
    <!-- Example 1: -->
    <s:property value="myBeanProperty" />
    <!-- Example 2: -->
    <s:property value="myBeanProperty" default="a default value" />
</s:push>
```

Example 1 prints the result of myBean's getMyBeanProperty() method. Example 2 prints the result of myBean's getMyBeanProperty() method and, if it is null, prints 'a default value' instead.
Source: https://stackoverflow.com/questions/42910529/i-am-getting-cross-site-scripting-poor-validation-on-a-struts-call-to-a-bean-cl