Web Anti-XSS attack

Source: Internet
Author: User

Common vulnerabilities in web development usually arise at input fields. We generally validate these input fields on the client side, but client-side validation alone is essentially useless, because all client-side code can be modified by the user; preventing the vulnerability requires validation on the server side as well. Typical server-side checks, however, only verify the type of characters entered or the length of a number and so on. The following demonstrates an XSS injection: the JSP page has two input boxes, a name and a personal introduction. After we submit the name and introduction, the backend code does a simple forward, and the information we just submitted is forwarded to a JSP page that displays it.

If we write <script>document.location.href='http://www.baidu.com'</script> in the personal introduction, then on submission the page jumps to Baidu. If it were to jump to some Xxoo website instead, that would be another story.

We need to encode these special characters in the backend, so that when the characters are displayed on the page again the script is not executed.

The method to prevent this is to replace the reserved characters in HTML with character entities, for example replacing < with &lt; and > with &gt;, and so on. Here is our code, which prevents the XSS from appearing:

    import java.io.IOException;
    import javax.servlet.ServletException;
    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpServletResponse;
    import org.apache.commons.lang3.StringEscapeUtils;

    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String username = req.getParameter("username");
        String describe = req.getParameter("describe");
        if (username == null || describe == null) {
            // default values, used when the form fields are missing
            username = "AAAA";
            describe = "Helloworld<script>alert('Hello World');</script>";
        }
        // reserved characters in HTML must be replaced with character entities
        username = StringEscapeUtils.escapeHtml4(username);
        describe = StringEscapeUtils.escapeHtml4(describe);
        System.out.println(username + " : " + describe);
        req.setAttribute("username", username);
        req.setAttribute("describe", describe);
        req.getRequestDispatcher("/info.jsp").forward(req, resp);
    }

With this we can simply prevent the XSS cross-site scripting attack. StringEscapeUtils in the code is a utility class from the Apache Commons Lang package; this class can also escape the reserved characters in SQL, and we could also implement a program ourselves to replace the reserved characters in HTML. The describe string printed in the backend has been replaced with:

Helloworld&lt;script&gt;alert (' Hello World ');&lt;/script&gt;

Displayed in HTML, this content is no longer a JavaScript script.
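As an added example (this is not the article's code), here is the do-it-yourself alternative the article mentions: a small Java class that replaces the reserved HTML characters with character entities, run over the same describe value the servlet above falls back to. The class name HtmlEscaper and the methods escapeHtml and renderInfo are names chosen for this example; renderInfo stands in for what info.jsp would print and is an assumption, since that page is not shown in the article. Unlike escapeHtml4, this escaper also replaces the apostrophe, so its output for the sample differs from the printed line above in that one respect.

```java
/**
 * Hand-rolled HTML entity escaper (added example, not the article's code).
 * It does the same job as StringEscapeUtils.escapeHtml4 for &, <, > and ",
 * and additionally escapes the apostrophe, which escapeHtml4 leaves alone.
 */
public class HtmlEscaper {

    // Reserved characters and the entities that replace them, index-aligned.
    private static final char[]   RESERVED = { '&',     '<',    '>',    '"',      '\'' };
    private static final String[] ENTITIES = { "&amp;", "&lt;", "&gt;", "&quot;", "&#39;" };

    /**
     * Replace every reserved character in a single left-to-right pass.
     * Working character by character means an '&' that we emit as part of an
     * entity is never looked at again, so there is no ordering bug of the
     * "replace < first, then & afterwards" kind.
     */
    public static String escapeHtml(String input) {
        if (input == null) {
            return null;
        }
        StringBuilder out = new StringBuilder(input.length() + 16);
        for (int i = 0; i < input.length(); i++) {
            char c = input.charAt(i);
            int idx = indexOf(c);
            if (idx >= 0) {
                out.append(ENTITIES[idx]);
            } else {
                out.append(c);
            }
        }
        return out.toString();
    }

    private static int indexOf(char c) {
        for (int j = 0; j < RESERVED.length; j++) {
            if (RESERVED[j] == c) {
                return j;
            }
        }
        return -1;
    }

    /** Stand-in for the fragment info.jsp prints for the two fields (assumed layout). */
    public static String renderInfo(String username, String describe) {
        return "<p>Name: " + escapeHtml(username) + "</p>\n"
             + "<p>Introduction: " + escapeHtml(describe) + "</p>\n";
    }

    public static void main(String[] args) {
        // Constructed input: the same value the article's servlet falls back to.
        String describe = "Helloworld<script>alert('Hello World');</script>";
        String escaped = escapeHtml(describe);
        String expected = "Helloworld&lt;script&gt;alert(&#39;Hello World&#39;);&lt;/script&gt;";
        if (!expected.equals(escaped)) {
            throw new AssertionError("unexpected: " + escaped);
        }
        // The browser now shows the literal text; no <script> element exists in the DOM.
        System.out.println(renderInfo("AAAA", describe));

        // Escape exactly once, at output time: running it over already-escaped
        // text turns &lt; into &amp;lt;, which the user sees as a literal "&lt;".
        if (!"&amp;lt;".equals(escapeHtml("&lt;"))) {
            throw new AssertionError("double-escaping check failed");
        }

        // Quotes are escaped too, so the same value is safe inside a quoted attribute.
        String value = "Bob \"the\" builder";
        System.out.println("<input name=\"username\" value=\"" + escapeHtml(value) + "\">");
    }
}
```

Compile and run it with javac HtmlEscaper.java && java HtmlEscaper; the two checks in main throw if the escaping is wrong. Note that the servlet above escapes the values before storing them in the request, so info.jsp must print them as-is; the other common arrangement is to store the raw values and escape them in the view, for example with the JSTL <c:out> tag, whose escapeXml attribute defaults to true. Either way the value must be escaped exactly once, on output, as the double-escaping check illustrates.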
