如果有人利用 JS 注入,可以做很多可怕的事,一个有经验的程序员不得不防呀!
方式一 直接在js里把符号转义就可以了,简单实用!
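<%@ page language="java" contentType="text/html; charset=UTF-8"
    pageEncoding="UTF-8"%>
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Insert title here</title>
<script type="text/javascript"
    src="${pageContext.request.contextPath}/res/js/jquery-1.8.0.min.js"></script>
</head>
<body>
<h2>登陆成功</h2>
<textarea rows="10" cols="20" id="xxx"></textarea>
<input id="testc" type="button" value="注入js">
<input id="testc2" type="button" value="干掉注入">
<script type="text/javascript">
// Demo payload posted to the server by both buttons. The "<\/script>" spelling
// keeps the literal from terminating this <script> element.
var payload = "<script>alert('注入成功!');<\/script>";

// Encodes the five characters that are significant in HTML markup. Global
// regexes are required: String.replace() with a plain string pattern rewrites
// only the FIRST occurrence, so "<a><b>" would keep its second "<".
function escapeHtml(s) {
    return String(s)
        .replace(/&/g, "&amp;")
        .replace(/</g, "&lt;")
        .replace(/>/g, "&gt;")
        .replace(/"/g, "&quot;")
        .replace(/'/g, "&#39;");
}

// Button 1: the intentionally vulnerable demo path. Whatever the server echoes
// back in data.usrename is written into the DOM as markup. (unescape() is a
// deprecated global and is kept only because the demo depends on it.)
$("#testc").click(function(){
    $.post("${pageContext.request.contextPath}/user/gethh.htm",{"param":payload},
    function(data){
        $("#xxx").html(unescape(data.usrename));
    });
});

// Button 2: the same response rendered as text. Encoding every occurrence of
// the markup characters before .html() gives the same result as
// $("#xxx").text(data.usrename), which would avoid the hand-rolled encoder.
$("#testc2").click(function(){
    $.post("${pageContext.request.contextPath}/user/gethh.htm",{"param":payload},
    function(data){
        $("#xxx").html(escapeHtml(data.usrename));
    });
});
</script>
</body>
</html>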
直接上代码吧!
public User gethh(String param) 我是用这个方法做的测试。。。。
package org.rui.mvc.controller;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.rui.bean.User;
import org.rui.user.service.IUserService;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Controller;
import org.springframework.ui.ModelMap;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.ResponseBody;
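@Controller
@RequestMapping("user")
public class UserController extends BaseController
{
    // Per-instance logger, resolved through getClass() as in the original so a
    // subclass logs under its own name.
    private final Log log = LogFactory.getLog(this.getClass());

    @Autowired
    private IUserService userService;

    /**
     * Handles the login form post.
     *
     * The bound {@code user} is looked up through {@link IUserService#userLong};
     * a non-null result selects the "success" view, otherwise "fail".
     * {@code req} and {@code res} are accepted but not used.
     *
     * @param req  the servlet request (unused)
     * @param res  the servlet response (unused)
     * @param map  the model handed to the view
     * @param user the form-bound credentials
     * @return the view name, {@code "success"} or {@code "fail"}
     */
    @RequestMapping("userLogin")
    public String UserLogin(HttpServletRequest req, HttpServletResponse res,
            ModelMap map, User user)
    {
        log.info("--------userLogin execute--------");
        User u = userService.userLong(user);
        if (u == null) {
            log.debug("user login fail=====================");
            return "fail";
        }
        // Only the user name is logged. The original printed the password as
        // well; credentials must never be written to stdout or log files.
        log.info("user login ok: " + u.getUsrename());
        // Deliberate demo attribute: a script tag placed in the model so the
        // view can show what an unescaped attribute does when rendered.
        map.put("testin", "<script>alert('注入成功!');</script>");
        log.debug("testin=" + map.get("testin"));
        return "success";
    }

    /**
     * Echo endpoint used by the JSP demo: returns a fresh {@link User} whose
     * user name is the {@code param} request parameter, serialised by
     * {@link ResponseBody}.
     *
     * The value is reflected user input. Presumably it passes through the
     * StringEscapeEditor registered in BaseController before it arrives here
     * (confirm against the binder configuration); either way the client has
     * to treat it as text, not markup, when writing it into the page.
     *
     * @param param the request parameter to reflect, may be null
     * @return a User carrying {@code param} as its user name
     */
    @RequestMapping("gethh")
    @ResponseBody
    public User gethh(String param)
    {
        User u = new User();
        u.setUsrename(param);
        return u;
    }
}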
package org.rui.mvc.controller;
import org.rui.util.editor.StringEscapeEditor;
import org.springframework.validation.DataBinder;
import org.springframework.web.bind.WebDataBinder;
import org.springframework.web.bind.annotation.InitBinder;
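public class BaseController
{
    /**
     * Registers a {@link StringEscapeEditor} for every String-typed binding
     * target of the subclass's handlers, configured as escapeHTML=false,
     * escapeJavaScript=true, escapeSQL=false. With that configuration each
     * bound String is rewritten by JavaScriptEscapeUtils.javaScriptEscape
     * before it reaches the target object.
     *
     * Note that escaping at binding time fixes one output context for the
     * value regardless of where it is later used; the escaped form is what
     * gets stored and compared.
     *
     * @param binder the request's data binder
     */
    @InitBinder
    public void webInitBinder(WebDataBinder binder){
        // The original printed binder.getAllowedFields() on every request;
        // that debug output is dropped here.
        binder.registerCustomEditor(String.class, new StringEscapeEditor(false, true, false));
    }
}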
package org.rui.util.editor;
import java.beans.PropertyEditorSupport;
import org.apache.commons.lang.StringEscapeUtils;
import org.springframework.web.util.HtmlUtils;
import org.springframework.web.util.JavaScriptUtils;
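/**
 * PropertyEditor that rewrites a bound String before it is stored. Three
 * independent switches select the transformations, applied in the order
 * HTML, JavaScript, SQL.
 *
 * Note from the original author: StringEscapeUtils.escapeHtml and
 * escapeJavaScript turn Chinese characters into Unicode escape sequences,
 * which is why the JavaScript branch delegates to the local
 * JavaScriptEscapeUtils instead.
 *
 * @author lenovo
 */
public class StringEscapeEditor extends PropertyEditorSupport
{
    private final boolean escapeHTML;
    private final boolean escapeJavaScript;
    private final boolean escapeSQL;

    /** Creates a pass-through editor with every escape switched off. */
    public StringEscapeEditor()
    {
        this(false, false, false);
    }

    /**
     * @param escapeHTML       apply StringEscapeUtils.escapeHtml
     * @param escapeJavaScript apply JavaScriptEscapeUtils.javaScriptEscape
     * @param escapeSQL        apply StringEscapeUtils.escapeSql
     */
    public StringEscapeEditor(boolean escapeHTML, boolean escapeJavaScript,
            boolean escapeSQL)
    {
        super();
        this.escapeHTML = escapeHTML;
        this.escapeJavaScript = escapeJavaScript;
        this.escapeSQL = escapeSQL;
    }

    /**
     * Stores {@code text} after applying the enabled escapes; a null text is
     * stored as null.
     *
     * No debug output is produced here: this editor sees every bound String,
     * including passwords, so the original {@code System.out.println} calls
     * that printed each value were removed.
     */
    @Override
    public void setAsText(String text)
    {
        if (text == null) {
            setValue(null);
            return;
        }
        String value = text;
        if (escapeHTML) {
            value = StringEscapeUtils.escapeHtml(value);
        }
        if (escapeJavaScript) {
            // commons-lang escapeJavaScript produced \\uXXXX escapes for
            // non-ASCII text, so a local replacement is used. Despite its name
            // it only rewrites quotes and angle brackets (see that class); it
            // is not a JavaScript string-literal escape.
            value = JavaScriptEscapeUtils.javaScriptEscape(value);
        }
        if (escapeSQL) {
            // escapeSql only doubles single quotes. It is not a substitute for
            // parameterised queries and must not be relied on as one.
            value = StringEscapeUtils.escapeSql(value);
        }
        setValue(value);
    }

    /** @return the stored value as text, or "" when nothing is stored. */
    @Override
    public String getAsText()
    {
        Object value = getValue();
        return value != null ? value.toString() : "";
    }

    /** Ad-hoc comparison of the available escape helpers on sample input. */
    public static void main(String[] args)
    {
        String result = StringEscapeUtils.escapeJavaScript("<script>alert('ok 注入成功!');<\\/script>");
        System.out.println(result);
        String a = "<html>吃饭</html>";
        System.out.println(StringEscapeUtils.escapeHtml(a));
        System.out.println(StringEscapeUtils.unescapeHtml(StringEscapeUtils.escapeHtml(a)));
        System.out.println(HtmlUtils.htmlEscape(a));
        System.out.println(HtmlUtils.htmlUnescape(HtmlUtils.htmlEscape(a)));
        String scr = "<script>alert('ok 注入成功!');<\\/script>";
        System.out.println(JavaScriptEscapeUtils.javaScriptEscape(scr));
    }
}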
package org.rui.util.editor;
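public class JavaScriptEscapeUtils
{
    /**
     * Replaces the characters that are significant in HTML markup with their
     * entity references so the result can be written into a page as text.
     *
     * Despite the class name this is HTML entity encoding, not JavaScript
     * string-literal escaping: the method appears to be derived from Spring's
     * JavaScriptUtils.javaScriptEscape with the backslash, control-character
     * and U+2028/U+2029 branches removed, so those characters pass through
     * unchanged. The original appended the input character itself in every
     * branch (most likely the entity names were decoded when the listing was
     * published), which made the method a no-op; the entities are restored
     * here and {@code &amp;} is encoded as well so pre-encoded input cannot
     * smuggle an entity through.
     *
     * @param input the input string, may be null
     * @return the encoded string, or null when input is null
     */
    public static String javaScriptEscape(String input)
    {
        if (input == null) {
            return null;
        }
        StringBuilder filtered = new StringBuilder(input.length() + 16);
        for (int i = 0; i < input.length(); i++) {
            char c = input.charAt(i);
            switch (c) {
                case '&':
                    filtered.append("&amp;");
                    break;
                case '"':
                    filtered.append("&quot;");
                    break;
                case '\'':
                    filtered.append("&#39;");
                    break;
                case '<':
                    filtered.append("&lt;");
                    break;
                case '>':
                    filtered.append("&gt;");
                    break;
                default:
                    filtered.append(c);
            }
        }
        return filtered.toString();
    }

    /** Scratch entry point from the original listing; prints a NUL character. */
    public static void main(String[] args)
    {
        System.out.println("\u0000");
    }
}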