-
准备commons-lang3.jar包(下面代码引用的是org.apache.commons.lang3.StringEscapeUtils)。
-
code部分。
Test_xss.jsp
<%@ page language="java" contentType="text/html; charset=utf-8"
pageEncoding="utf-8"%><%-- Demo page for Test.action: the form posts the "test" field; the servlet HTML-escapes it and forwards back here as the request attribute "test". --%><%-- NOTE(review): the meta below declares ISO-8859-1 while the page directive sends utf-8 in the Content-Type header; browsers follow the header, but the two should agree. --%><!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"><html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Java防止xss攻击</title></head><body><form action="Test.action" method="post">
字符:<input type="text" name="test"><input type="submit" value="提交"></form><%-- Printed as element text with no escaping in the view; this is only safe because TestServlet.doPost stores an already-escaped value under "test". Anything else stored under this attribute name would be rendered raw. --%><%=request.getAttribute("test") %></body></html>
TestServlet.java
package servlet;
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.commons.lang3.StringEscapeUtils;
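/**
 * Servlet that reads the {@code test} form field, HTML-escapes it and forwards
 * it to {@code Test_xss.jsp}, where it is printed with {@code <%= %>} as element text.
 *
 * <p>The escaping is done here, in the controller, rather than in the view. The
 * JSP therefore must only ever print the {@code test} attribute as element text
 * (or inside a double-quoted attribute) for that escaping to be sufficient.
 */
@WebServlet("/Test.action")
public class TestServlet extends HttpServlet {

    private static final long serialVersionUID = 1L;

    /** Form field read from the POST body and name of the attribute handed to the view. */
    private static final String PARAM_NAME = "test";

    /** View that renders the form and the escaped value. */
    private static final String VIEW = "Test_xss.jsp";

    /** Encoding declared by the page directive of {@code Test_xss.jsp}. */
    private static final String REQUEST_ENCODING = "UTF-8";

    /**
     * GET is not part of the demo: the form is opened directly as
     * {@code Test_xss.jsp}, so this handler leaves the response empty.
     *
     * @see HttpServlet#doGet(HttpServletRequest, HttpServletResponse)
     */
    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        // Intentionally empty: nothing is rendered for GET.
    }

    /**
     * Escapes the submitted {@code test} value and forwards it to the view.
     *
     * @param request  the form POST; the {@code test} parameter may be absent
     * @param response passed on to the JSP via the request dispatcher
     * @throws ServletException if the forward fails
     * @throws IOException      if the body cannot be read or the forward fails
     * @see HttpServlet#doPost(HttpServletRequest, HttpServletResponse)
     */
    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        // The form page is served as UTF-8, so decode the POST body the same way;
        // otherwise non-ASCII input is read with the container default and reaches
        // the view garbled. Must be set before the first getParameter() call.
        request.setCharacterEncoding(REQUEST_ENCODING);

        String raw = request.getParameter(PARAM_NAME);
        // A missing field would otherwise render the literal text "null" in the JSP.
        String test = raw == null ? "" : escapeForHtmlText(raw);
        // Debug output from the original demo; the value is escaped but still user-controlled.
        System.out.println(test);

        request.setAttribute(PARAM_NAME, test);
        request.getRequestDispatcher(VIEW).forward(request, response);
    }

    /**
     * Escapes {@code raw} so it can be inserted as HTML element text.
     *
     * <p>{@code escapeHtml3} replaces {@code &}, {@code <}, {@code >} and {@code "}
     * with entities but leaves the single quote alone, so the result is safe as
     * element text or inside a double-quoted attribute only — not inside a
     * single-quoted attribute, a {@code <script>} block, a URL or a style rule.
     *
     * @param raw untrusted user input, never {@code null}
     * @return the escaped text
     */
    private static String escapeForHtmlText(String raw) {
        return StringEscapeUtils.escapeHtml3(raw);
    }
}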
-
调用escapeHtml3方法。
StringEscapeUtils.escapeHtml3(String)
-
Run
StringEscapeUtils这个类还有很多转义格式化方法,需要按输出位置(HTML文本、属性、JavaScript、URL等)选择对应的方法,自己发挥。