漏洞两种情况
1.直接用request.getParameter(“参数”);去获取值 然后直接用println()输出
2.用request.setAttribute输出
<%@ page language="java" contentType="text/html; charset=UTF-8" pageEncoding="UTF-8"%>
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>XSS Vulnerable</title>
</head>
<body>
<form action="index.jsp" method="post">
Enter your name: <input type="text" name="name"><input type="submit">
</form>
<%
if(request.getMethod().equalsIgnoreCase("post"))
{
String name = request.getParameter("name");
if(!name.isEmpty())
{
out.println("<br>Hi "+name+". How are you?");
}
}
%>
</body>
</html>
防御方法
①引入框架的filter(即引用框架的全局过滤去处理)
②自己写定义编码转换
import org.apache.commons.lang.StringUtils;
private String htmlEncode(String content) {
content = StringUtils.replace(content, "&", "&");
content = StringUtils.replace(content, "<", "<");
content = StringUtils.replace(content, ">", ">");
content = StringUtils.replace(content, "\"", """);
content = StringUtils.replace(content, "'", "'");
content = StringUtils.replace(content, "/", "/");
return content;
}