In web projects we usually have to guard against XSS and SQL injection. There are two general ways to deal with this:
1. Escape illegal characters before the data enters the database, and restore them when the data is updated or displayed.
2. Escape illegal characters only at display time.
If the project is still at an early stage I recommend the second approach: the JSTL tags can escape the illegal characters directly on output. Of course JavaScript needs the same treatment: write a method and call escapeHTML() on any data parsed from a server response.
Attached: the JavaScript method:
String.prototype.escapeHTML = function () {
    // Escape '&' first so the entities produced by the later replacements are not escaped again
    return this.replace(/&/g, '&amp;').replace(/>/g, '&gt;').replace(/</g, '&lt;');
};
If the project is already finished and you do not want to change a large number of pages, you can choose the first approach. It relies on Spring MVC's @InitBinder together with a PropertyEditorSupport subclass and org.apache.commons.lang.StringEscapeUtils:
import java.beans.PropertyEditorSupport;
import org.apache.commons.lang.StringEscapeUtils;

public class StringEscapeEditor extends PropertyEditorSupport {
    // Which escapings to apply when a String request parameter is bound
    private boolean escapeHTML;
    private boolean escapeJavaScript;
    private boolean escapeSQL;

    public StringEscapeEditor() { super(); }

    public StringEscapeEditor(boolean escapeHTML, boolean escapeJavaScript, boolean escapeSQL) {
        super();
        this.escapeHTML = escapeHTML;
        this.escapeJavaScript = escapeJavaScript;
        this.escapeSQL = escapeSQL;
    }

    // Called by Spring for every incoming String value; the escaped value is what the controller sees
    @Override
    public void setAsText(String text) {
        if (text == null) {
            setValue(null);
        } else {
            String value = text;
            if (escapeHTML) { value = StringEscapeUtils.escapeHtml(value); }
            if (escapeJavaScript) { value = StringEscapeUtils.escapeJavaScript(value); }
            if (escapeSQL) { value = StringEscapeUtils.escapeSql(value); }
            setValue(value);
        }
    }

    @Override
    public String getAsText() {
        Object value = getValue();
        return value != null ? value.toString() : "";
    }
}
Note that the escapeHtml and escapeJavaScript methods of StringEscapeUtils convert Chinese characters into Unicode escapes. If the content is displayed through a JSTL tag or an EL expression it is restored correctly, but if a front-end component such as Ext displays it, it is not restored properly. That is why I abandoned the first approach and went straight to the second.
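As an added example (not code from the original post), the following stand-alone program runs the same org.apache.commons.lang.StringEscapeUtils calls that StringEscapeEditor applies, on constructed inputs, so you can see what would land in the database under each flag and what the restore step the post has not written yet looks like. The class name EscapeDemo, the helper names and the sample strings are my own.

```java
import org.apache.commons.lang.StringEscapeUtils;

public class EscapeDemo {

    // Same order of escaping as StringEscapeEditor.setAsText (assumed helper, not from the post)
    static String escapeForStorage(String raw, boolean html, boolean js, boolean sql) {
        String value = raw;
        if (html) { value = StringEscapeUtils.escapeHtml(value); }
        if (js)   { value = StringEscapeUtils.escapeJavaScript(value); }
        if (sql)  { value = StringEscapeUtils.escapeSql(value); }
        return value;
    }

    // The "restore" step of the first approach: undo the HTML escaping before display
    static String restoreForDisplay(String stored) {
        return StringEscapeUtils.unescapeHtml(stored);
    }

    public static void main(String[] args) {
        // Constructed sample inputs: a script tag, a single quote, and a Chinese string
        String[] samples = {
            "<script>alert(1)</script>",
            "O'Reilly",
            "你好"
        };
        for (String s : samples) {
            String html = escapeForStorage(s, true, false, false);
            String js   = escapeForStorage(s, false, true, false);
            String sql  = escapeForStorage(s, false, false, true);
            System.out.println("raw : " + s);
            // commons-lang 2.x writes non-ASCII characters as &#NNNN; numeric entities
            System.out.println("html: " + html);
            // escapeJavaScript writes them as backslash-u hex escapes
            System.out.println("js  : " + js);
            // escapeSql only doubles single quotes; nothing else is touched
            System.out.println("sql : " + sql);
            System.out.println("back: " + restoreForDisplay(html));
            System.out.println();
        }
    }
}
```

Run it with commons-lang 2.x on the classpath. Two things to keep in mind: escapeSql only doubles single quotes, so it is not a substitute for PreparedStatement parameters; and if you switch on more than one flag, the restore step has to undo them in the reverse order they were applied.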
Above we wrote the escape editor; next we bind it to the Spring controller so that special characters in data received on the server side are escaped automatically.
Register it in the @Controller's @InitBinder method:
@InitBinder
public void initBinder(WebDataBinder binder) {
    // With all three flags false the editor is registered but escapes nothing; set the flags the project needs
    binder.registerCustomEditor(String.class, new StringEscapeEditor(false, false, false));
}
This method can be placed directly in an abstract controller base class, so that every controller instance has it. At this point this approach is done, but the restore method has not yet been written. O(∩_∩)o ...
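As an added example (not code from the original post), this is what the base-class wiring described above looks like in full: an abstract controller that registers the post's StringEscapeEditor for every String request parameter, and a concrete controller that inherits the binding. The class names BaseController and CommentController, the /comment path and the choice of flags are my own assumptions; Spring's @InitBinder methods declared on a superclass apply to all of its handler subclasses.

```java
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.WebDataBinder;
import org.springframework.web.bind.annotation.InitBinder;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.ResponseBody;

// Assumed base class: every controller that extends it gets the binder below
public abstract class BaseController {

    // Runs before parameter binding for each handler of each subclass.
    // HTML escaping is switched on here; the post's snippet passes
    // (false, false, false), which registers the editor but escapes nothing.
    @InitBinder
    public void initBinder(WebDataBinder binder) {
        binder.registerCustomEditor(String.class,
                new StringEscapeEditor(true, false, false));
    }
}

// Assumed concrete controller; it declares no @InitBinder of its own
@Controller
class CommentController extends BaseController {

    // "text" arrives already escaped by StringEscapeEditor.setAsText, so it can
    // be stored as-is. When the stored value is rendered by something other
    // than a JSTL/EL tag, restore it with StringEscapeUtils.unescapeHtml first.
    @RequestMapping("/comment")
    @ResponseBody
    public String save(@RequestParam("text") String text) {
        return "stored: " + text;
    }
}
```

Because the editor only runs for parameters bound through Spring's data binder, anything read directly from HttpServletRequest bypasses it; keep that in mind when auditing which inputs are actually covered.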