How does HTML handle cross-site scripting attacks

2025-04-05 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/02 Report--

In this article the editor explains in detail how to deal with cross-site scripting attacks in HTML output. The content is detailed, the steps are clear, and the details are handled carefully. I hope this article "how to deal with cross-site scripting attacks by HTML" helps resolve your doubts.

Cross-site scripting (XSS) is one of the most common vulnerabilities in web development. The principle is simple: a user submits input containing markup or script, the server writes that input back into a page unchanged, and the victim's browser executes the injected script.

These attack payloads usually rely on HTML special characters, above all < and > (and the double quote " inside attribute values), to break out of the surrounding markup and start a tag or an attribute of their own.

For example, suppose the template outputs: Your search is: ${question}, where ${question} is the content entered by the user.

If the user enters <script>alert(1);</script>, the tags are written into the page verbatim and the browser executes the script.

Or suppose the value is placed inside an attribute, for example <input value="${question}">. If the user enters " onclick=alert(1);, the leading quote closes the value attribute and the remainder is parsed as a new onclick event handler.

After HTML escaping, the special characters in the output are replaced by entities: < becomes &lt;, > becomes &gt;, " becomes &quot; and & becomes &amp;. The browser then displays the input as text instead of parsing it as markup, which prevents these attacks.

FreeMarker HTML escape: ${username?html}.

As in the above example, user input must not be output directly on the page but escaped before output, such as:

The content of your search is: ${question?html}

For the attribute case, for example: <input value="${question?html}">

Note that ?html only protects an attribute whose value is enclosed in quotes. It does not escape spaces, so with an unquoted attribute such as value=${question?html} an input like x onclick=alert(1) would still add a handler. Always quote attribute values that contain template output.

Cross-site scripting (XSS) vulnerabilities are ubiquitous, and if every variable has to be escaped individually it is easy to miss one. FreeMarker provides a way to escape an entire page at once.

Escape (escape tag)

To avoid cross-site scripting (XSS), HTML-escape the output, such as ${foo?html}. But escaping every variable this way is not only tedious but also easy to forget. In addition, FreeMarker null-value handling is equally tedious and easy to forget, such as ${foo!} or ${(user.username)!}.

The escape directive solves both problems.

[#escape x as (x)!?html] ... ${user.username} ... [/#escape]

Every ${...} interpolation inside this directive is treated as if it were written ${(...)!?html}; for example ${user.username} becomes ${(user.username)!?html}. This covers both null-value handling (a missing user or username outputs an empty string) and HTML escaping. Two caveats: the escaping is HTML-body and quoted-attribute escaping only, so it does not make output safe inside a <script> block or a javascript: URL, where different rules apply; and in FreeMarker 2.3.24 and later the escape directive is deprecated in favour of auto-escaping via output formats, although it continues to work.

Noescape (do not escape tags)

Use the noescape directive for values inside an escape block that must not be escaped, for example HTML fragments generated by trusted server-side code.

[#escape x as (x)!?html] ... [#noescape]${text}[/#noescape] ... [/#escape]

Note: the escape directive applies only to the template file it is written in, so it must be added to every page, including files pulled in with include. If page A has the escape directive, that does not mean page A is safe: if page A includes page B with an include tag and page B has no escape directive, page B is still vulnerable to cross-site scripting (XSS). The escape directive must be added to page B as well. The most common omissions are the paging template page.html and the prompt-page templates sys_operation_***.html, which have no escape directive even though the paging template may be included in many pages.
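The following Java program is an added worked example and is not code from the article: it renders the two attack inputs discussed above through an unescaped template, a template using ${x?html}, and a template wrapped in [#escape x as (x)!?html] that also uses [#noescape] and [#include]s a paging fragment carrying its own escape directive, then reports whether the raw payload survived into the HTML. The template names, the page.html fragment, the model values and the payloads are constructed for this example; it uses the FreeMarker 2.3 API (freemarker.template.Configuration, freemarker.cache.StringTemplateLoader) and the square-bracket tag syntax the article uses.

```java
import java.io.IOException;
import java.io.StringWriter;
import java.util.HashMap;
import java.util.Map;

import freemarker.cache.StringTemplateLoader;
import freemarker.template.Configuration;
import freemarker.template.Template;
import freemarker.template.TemplateException;

/**
 * Added demonstration (not from the article). Templates and model values
 * are constructed for this example.
 */
public class FreeMarkerXssDemo {

    // Constructed attack inputs: body context and quoted-attribute context.
    static final String BODY_PAYLOAD = "<script>alert(1);</script>";
    static final String ATTR_PAYLOAD = "\" onclick=alert(1);";

    static Configuration configure() {
        Configuration cfg = new Configuration(Configuration.VERSION_2_3_23);
        // The article writes directives as [#escape ...], i.e. square-bracket syntax.
        cfg.setTagSyntax(Configuration.SQUARE_BRACKET_TAG_SYNTAX);
        StringTemplateLoader loader = new StringTemplateLoader();

        // 1. Vulnerable: user input interpolated as-is in body and attribute context.
        loader.putTemplate("unsafe.html",
            "<p>Your search: ${question}</p>\n"
          + "<input value=\"${question}\">\n");

        // 2. Per-variable escaping with the ?html built-in (attribute is quoted).
        loader.putTemplate("inline.html",
            "<p>Your search: ${question?html}</p>\n"
          + "<input value=\"${question?html}\">\n");

        // 3. Whole-page escaping plus null handling: ${user.username} is treated
        //    as ${(user.username)!?html}. [#noescape] passes trusted server-side
        //    markup through unchanged. The included fragment is NOT covered by
        //    this [#escape]; it must carry its own (see page.html below).
        loader.putTemplate("block.html",
            "[#escape x as (x)!?html]"
          + "<p>Your search: ${question}</p>\n"
          + "<input value=\"${question}\">\n"
          + "<p>User: ${user.username}</p>\n"
          + "[#noescape]${trustedHtml}[/#noescape]\n"
          + "[#include \"page.html\"]"
          + "[/#escape]");

        // Paging fragment with its own escape directive, as the article requires.
        loader.putTemplate("page.html",
            "[#escape x as (x)!?html]<div class=\"pager\">Page ${pageNo}</div>\n[/#escape]");

        cfg.setTemplateLoader(loader);
        return cfg;
    }

    static String render(Configuration cfg, String name, Map<String, Object> model)
            throws IOException, TemplateException {
        Template t = cfg.getTemplate(name);
        StringWriter out = new StringWriter();
        t.process(model, out);
        return out.toString();
    }

    /** True if the raw, unescaped payload reached the rendered HTML. */
    static boolean payloadSurvives(String html, String payload) {
        return html.contains(payload);
    }

    public static void main(String[] args) throws IOException, TemplateException {
        Configuration cfg = configure();
        for (String payload : new String[] { BODY_PAYLOAD, ATTR_PAYLOAD }) {
            Map<String, Object> model = new HashMap<>();
            model.put("question", payload);
            model.put("trustedHtml", "<b>results</b>"); // server-generated markup, safe to emit raw
            model.put("pageNo", "<1>");                // pager parameter: also attacker-controllable
            // "user" is deliberately absent from the model to exercise the (x)! null handling.
            for (String name : new String[] { "unsafe.html", "inline.html", "block.html" }) {
                String html = render(cfg, name, model);
                System.out.printf("%-12s payload=%-28s survives=%s%n",
                        name, payload, payloadSurvives(html, payload));
                System.out.print(html);
            }
        }
    }
}
```

Running it shows survives=true only for unsafe.html; in the other two templates the < > and " characters are emitted as &lt; &gt; and &quot;, the missing user renders as an empty string rather than throwing, the trusted fragment inside [#noescape] keeps its <b> tags, and the included pager escapes its own ${pageNo} because page.html carries its own [#escape].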

If you have added the escape directive but the scanning tool still reports XSS vulnerabilities, read the detailed report to find which page and which line of code is affected, and HTML-escape that output. Every XSS payload depends on the special characters discussed above, < > " and so on, and HTML escaping neutralises them. There are no mysterious XSS vulnerabilities, no "I don't know where the XSS vulnerability is, but there is one": each report points at a concrete unescaped interpolation.

This concludes the article "how to deal with cross-site scripting attacks by HTML". To master these points you still need to practise them yourself. For more related articles, please follow the industry information channel.
