Does anyone know? Please help me out, gurus. Thanks in advance.
You mean you want it to show up as HTML code on the page? That is entirely doable: you only need to escape symbols such as "<" and ">" and the markup will not be executed. You can output it with the Struts tag library, or replace these special symbols yourself.
Example:
// The entity names in the replacement strings were decoded by the page extraction and are
// restored here; "(", ")" and "+" are regex metacharacters for replaceAll() and must be escaped.
String OutStr = "alert('XSS')";
OutStr = OutStr.replaceAll("&", "&amp;");   // "&" first, or the entities added below get re-escaped
OutStr = OutStr.replaceAll("<", "&lt;");
OutStr = OutStr.replaceAll(">", "&gt;");
OutStr = OutStr.replaceAll("\"", "&quot;");
OutStr = OutStr.replaceAll("'", "&#39;");
OutStr = OutStr.replaceAll("\\(", "&#40;");
OutStr = OutStr.replaceAll("\\)", "&#41;");
OutStr = OutStr.replaceAll("%", "&#37;");
OutStr = OutStr.replaceAll("\\+", "&#43;");
OutStr = OutStr.replaceAll("-", "&#45;");
out.println(OutStr);
Write a Filter that filters out the keywords that cause cross-site scripting.
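As an added example (not code posted in this thread), here is a servlet Filter of the kind the reply above suggests, combined with the entity-escaping routine from the earlier reply. Instead of blacklisting keywords such as "script", it wraps the request so that every parameter a JSP reads is HTML-escaped. The class names XssEscapeFilter and EscapingRequest, and the payload in main(), are made up for this illustration; the servlet API calls are standard javax.servlet.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;

// Hypothetical filter (not from the thread): HTML-escapes every request parameter so that a
// JSP which echoes it, e.g. via ${param.name}, cannot emit live markup.
public class XssEscapeFilter implements Filter {

    // Escape for an HTML element-content or quoted-attribute context. Order matters: "&" is
    // replaced first so the "&" of an "&lt;" added later is not escaped a second time.
    // String.replace() matches literally, so "(" and "+" need no regex escaping here.
    public static String escapeHtml(String s) {
        if (s == null) {
            return null;
        }
        return s.replace("&", "&amp;")
                .replace("<", "&lt;")
                .replace(">", "&gt;")
                .replace("\"", "&quot;")
                .replace("'", "&#39;");
    }

    // Request wrapper that escapes parameters on the way out of the servlet API.
    private static class EscapingRequest extends HttpServletRequestWrapper {
        EscapingRequest(HttpServletRequest req) {
            super(req);
        }

        @Override
        public String getParameter(String name) {
            return escapeHtml(super.getParameter(name));
        }

        @Override
        public String[] getParameterValues(String name) {
            String[] raw = super.getParameterValues(name);
            if (raw == null) {
                return null;
            }
            String[] out = new String[raw.length];
            for (int i = 0; i < raw.length; i++) {
                out[i] = escapeHtml(raw[i]);
            }
            return out;
        }
    }

    @Override
    public void init(FilterConfig cfg) {
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain)
            throws IOException, ServletException {
        if (req instanceof HttpServletRequest) {
            chain.doFilter(new EscapingRequest((HttpServletRequest) req), resp);
        } else {
            chain.doFilter(req, resp);
        }
    }

    @Override
    public void destroy() {
    }

    // Stand-alone check of the escaper with a constructed payload; no container needed.
    public static void main(String[] args) {
        String payload = "<script>alert('XSS')</script>";   // constructed sample input
        System.out.println(escapeHtml(payload));
    }
}
```

Register it in web.xml with a <filter> and a <filter-mapping> whose url-pattern is /* so it runs before every JSP. Two caveats: escaping at input time alters what gets stored, and the entity set above is only right for HTML element and attribute contexts, so values written into a <script> block or a URL need their own encoding. Encoding at output time, which is what Struts <s:property> and JSTL <c:out> do by default, is the more reliable place to do this.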
Was this found by that HP security scanning tool? Don't use EL expressions on their own; if you need to output a value, use the tag library wherever possible.
The antisamy plugin prevents XSS cross-site scripting attacks; it is very simple and convenient. I suggest studying [url]http://blog.sina.com.cn/s/blog_47d78bed0100wnrs.html[/url].