XSS Defense:
1. Where possible, keep the main site and other sites under different root domains, so that an XSS vulnerability on one site has less impact on the main site;
2. Filter and check the input data:
    public static String htmlspecialchars(final String s) {
        // Escape the four characters that let user input break out of HTML
        // text or a double-quoted attribute value. '&' must be replaced first,
        // otherwise the entities produced below would be escaped a second time.
        // The characters are literal, so plain String.replace is enough.
        String result = s;
        result = result.replace("&", "&amp;");
        result = result.replace("\"", "&quot;");
        result = result.replace("<", "&lt;");
        result = result.replace(">", "&gt;");
        // Single quotes are not escaped here, so the result is only safe in
        // text content or inside double-quoted attribute values.
        return result;
    }
Note: CSS can also execute JavaScript (through expression() in older Internet Explorer), so style content must be filtered as well:
    <style type="text/css">
    #content { height: expression(alert('Test XSS')); }
    </style>
If you want to allow some HTML, you can use this filter (attached, open source).
Example: first configure the allowed tags and attribute values (Attribute, vAllowed and HetaoblogXssHtmlFilter come from the attached filter, which is not included on this page):
    import java.util.ArrayList;
    import java.util.HashMap;
    import java.util.Map;
    import java.util.regex.Pattern;

    {
        // <span>: only a style attribute, and each CSS property must match its pattern
        final ArrayList<Attribute> span_atts = new ArrayList<Attribute>();
        Map<String, Pattern> allowedAttrValues = new HashMap<String, Pattern>();
        allowedAttrValues.put("color", Pattern.compile("[0-9a-fA-F]{6}|[0-9a-fA-F]{3}"));
        allowedAttrValues.put("font-weight", Pattern.compile("bold"));
        allowedAttrValues.put("text-align", Pattern.compile("(center|right|justify)"));
        allowedAttrValues.put("font-style", Pattern.compile("italic"));
        allowedAttrValues.put("text-decoration", Pattern.compile("underline"));
        allowedAttrValues.put("margin-left", Pattern.compile("[0-9]+px"));
        // This second put replaces the "text-align" entry above, so only "center" is allowed
        allowedAttrValues.put("text-align", Pattern.compile("center"));
        span_atts.add(new Attribute("style", allowedAttrValues));
        vAllowed.put("span", span_atts);
    }
    {
        // <div>: class and align attributes, with no value restriction
        final ArrayList<Attribute> div_atts = new ArrayList<Attribute>();
        div_atts.add(new Attribute("class"));
        div_atts.add(new Attribute("align"));
        vAllowed.put("div", div_atts);
    }
Then call the filter like this:
    String outHtml = HetaoblogXssHtmlFilter.filter(sourceHtmlString);
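As an added illustration (not code from the attached filter) of what the per-property patterns in the configuration above mean in practice, the helper below splits a style attribute into declarations and keeps only those whose property is whitelisted and whose value matches its pattern in full, so the height:expression(...) trick shown earlier is dropped. The class StyleWhitelist, its filter method and the sample input are assumptions made for this example.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.regex.Pattern;

// Hypothetical helper, not part of the attached filter: keeps only the style
// declarations whose property is whitelisted and whose value matches its pattern.
public class StyleWhitelist {
    private final Map<String, Pattern> allowedValues;
    public StyleWhitelist(Map<String, Pattern> allowedValues) {
        this.allowedValues = allowedValues;
    }

    // Returns the surviving declarations, or null when none survive so the
    // caller can drop the style attribute altogether.
    public String filter(String style) {
        Map<String, String> kept = new LinkedHashMap<String, String>();
        for (String decl : style.split(";")) {
            int colon = decl.indexOf(':');
            if (colon < 0) continue;                       // not "prop: value"
            String prop = decl.substring(0, colon).trim().toLowerCase();
            String value = decl.substring(colon + 1).trim();
            Pattern p = allowedValues.get(prop);
            // matches() anchors the pattern at both ends; find() would accept
            // "0px expression(alert(1))" for margin-left because "0px" is inside it.
            if (p != null && p.matcher(value).matches()) {
                kept.put(prop, value);
            }
        }
        if (kept.isEmpty()) return null;
        StringBuilder sb = new StringBuilder();
        for (Map.Entry<String, String> e : kept.entrySet()) {
            if (sb.length() > 0) sb.append("; ");
            sb.append(e.getKey()).append(": ").append(e.getValue());
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        // Same patterns as the page's span configuration (subset). Note that the
        // color pattern has no leading '#', so "#ff0000" would be rejected as written.
        Map<String, Pattern> allowed = new LinkedHashMap<String, Pattern>();
        allowed.put("color", Pattern.compile("[0-9a-fA-F]{6}|[0-9a-fA-F]{3}"));
        allowed.put("font-weight", Pattern.compile("bold"));
        allowed.put("margin-left", Pattern.compile("[0-9]+px"));
        StyleWhitelist w = new StyleWhitelist(allowed);
        // Constructed input: valid declarations around two expression() payloads.
        System.out.println(w.filter("color: ff0000; height: expression(alert('x'));"
                + " margin-left: 0px expression(alert(1)); font-weight: bold"));
    }
}
```

The filtered string must still be HTML-escaped when it is written back into the attribute, since this helper validates CSS values but does not encode them.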
3. For image uploads, check that the file really is in the claimed image format rather than a disguised one; where possible the image server should not have script execution (Java, PHP, .NET) enabled, or at least should never parse image files as programs;
CSRF Defense:
On the web application side, CSRF is generally defended by checking the Referer to determine the source URL of the request, by using a token, or by using JavaScript to check a verification code;
This article comes from "Lin Qingxuan Yang--Technology blog"