jsp页面高危漏洞的解决办法

阅读更多

<%@ page language="java" import="java.util.*,java.lang.*"
	pageEncoding="UTF-8"%>
<%@ taglib prefix="c" uri="http://java.sun.com/jstl/core_rt"%>
<%@ taglib prefix="sql" uri="http://java.sun.com/jstl/sql_rt"%>
<%@taglib uri="http://java.sun.com/jstl/fmt_rt" prefix="fmt"%>

 
  
  
  
  
  

 

 
  
 

注入漏洞：

http://wap.51bi.com/wap/search/searchindex.jsp?page=1&sword=";alert('hacker');"

 

解决办法：

<%@ page language="java" import="java.util.*,java.lang.*"
    pageEncoding="UTF-8"%>
<%@ taglib prefix="c" uri="http://java.sun.com/jstl/core_rt"%>
<%@ taglib prefix="sql" uri="http://java.sun.com/jstl/sql_rt"%>
<%@taglib uri="http://java.sun.com/jstl/fmt_rt" prefix="fmt"%>
<%
String sword = request.getParameter("sword");
    sword = sword.replace('<', ' ');
    sword = sword.replace('>', ' ');
    sword = sword.replace('"', ' ');
    sword = sword.replace('\'', ' ');
    sword = sword.replace('/', ' ');
    sword = sword.replace('%', ' ');
    sword = sword.replace(';', ' ');
    sword = sword.replace('(', ' ');
    sword = sword.replace(')', ' ');
    sword = sword.replace('&', ' ');
    sword = sword.replace('+', '_');
%>

 
 
 
 
 
 

 

 
 
 

 

参考方案：

http://knowledge.twisc.ntust.edu.tw/doku.php?id=3%E4%BC%BA%E6%9C%8D%E7%AB%AF%E5%AE%89%E5%85%A8:3-3%E5%AE%89%E5%85%A8%E7%A8%8B%E5%BC%8F%E7%A2%BC%E5%AF%AB%E4%BD%9C:jsp%E9%81%BF%E5%85%8Dxss%E6%96%B9%E6%B3%95