如何在javascript中使用easpi的规范化数据
提问于 2015-02-01 22:04:08
如何按照veracode的建议使用Esapi对数据进行规范化。
out.print(ESAPI.encoder().encodeForHTML(jsonObj.toJSONString()));现在控制台中看到的数据是
{"total":1,"records":5,"rows":[{"id":"RLCP.NS","cell":{"ser":"EQ","bdlt":1,"e":"NSE","chigh":"534.7","tick":"0.05","m":1,"prec":2,"W\/L":null,"exch":"nse_cm","tk":"2882","action":"<button class='button-style-s button-alt2' onclick='Buy();'>Buy<\/button><button class='button-style-s button-alt1' onclick='Sell();'>Sell<\/button>","rowtoken":"NSE2882","ts":"RLCP.NS","clow":"437.5"}},{"id":"SBI.NS","cell":{"ser":"EQ","bdlt":1,"e":"NSE","chigh":"339.8","tick":"0.05","m":1,"prec":2,"W\/L":null,"exch":"nse_cm","tk":"3045","action":"<button class='button-style-s button-alt2' onclick='Buy();'>Buy<\/button><button class='button-style-s button-alt1' onclick='Sell();'>Sell<\/button>","rowtoken":"NSE3045","ts":"SBI.NS","clow":"278.1"}},{"id":"YESB.NS","cell":{"ser":"EQ","bdlt":1,"e":"NSE","chigh":"948.65","tick":"0.05","m":1,"prec":2,"W\/L":null,"exch":"nse_cm","tk":"11915","action":"<button class='button-style-s button-alt2' onclick='Buy();'>Buy<\/button><button class='button-style-s button-alt1' onclick='Sell();'>Sell<\/button>","rowtoken":"NSE11915","ts":"YESB.NS","clow":"776.25"}},{"id":"BOB.NS","cell":{"ser":"EQ","bdlt":1,"e":"NSE","chigh":"212.45","tick":"0.05","m":1,"prec":2,"W\/L":null,"exch":"nse_cm","tk":"4668","action":"<button class='button-style-s button-alt2' onclick='Buy();'>Buy<\/button><button class='button-style-s button-alt1' onclick='Sell();'>Sell<\/button>","rowtoken":"NSE4668","ts":"BOB.NS","clow":"173.85"}},{"id":"SBNK.NS","cell":{"ser":"EQ","bdlt":1,"e":"NSE","chigh":"128.85","tick":"0.05","m":1,"prec":2,"W\/L":null,"exch":"nse_cm","tk":"7179","action":"<button class='button-style-s button-alt2' onclick='Buy();'>Buy<\/button><button class='button-style-s button-alt1' onclick='Sell();'>Sell<\/button>","rowtoken":"NSE7179","ts":"SBNK.NS","clow":"105.45"}}]}但它在html中呈现为
{"total":1,"records":5,"rows":[{"id":"RLCP.NS","cell":{"ser":"EQ","bdlt":1,"e":"NSE","chigh":"534.7","tick":"0.05","m":1,"prec":2,"W\/L":null,"exch":"nse_cm","tk":"2882","action":"<button class='button-style-s button-alt2' onclick='Buy();'>Buy<\/button><button class='button-style-s button-alt1' onclick='Sell();'>Sell<\/button>","rowtoken":"NSE2882","ts":"RLCP.NS","clow":"437.5"}},{"id":"SBI.NS","cell":{"ser":"EQ","bdlt":1,"e":"NSE","chigh":"339.8","tick":"0.05","m":1,"prec":2,"W\/L":null,"exch":"nse_cm","tk":"3045","action":"<button class='button-style-s button-alt2' onclick='Buy();'>Buy<\/button><button class='button-style-s button-alt1' onclick='Sell();'>Sell<\/button>","rowtoken":"NSE3045","ts":"SBI.NS","clow":"278.1"}},{"id":"YESB.NS","cell":{"ser":"EQ","bdlt":1,"e":"NSE","chigh":"948.65","tick":"0.05","m":1,"prec":2,"W\/L":null,"exch":"nse_cm","tk":"11915","action":"<button class='button-style-s button-alt2' onclick='Buy();'>Buy<\/button><button class='button-style-s button-alt1' onclick='Sell();'>Sell<\/button>","rowtoken":"NSE11915","ts":"YESB.NS","clow":"776.25"}},{"id":"BOB.NS","cell":{"ser":"EQ","bdlt":1,"e":"NSE","chigh":"212.45","tick":"0.05","m":1,"prec":2,"W\/L":null,"exch":"nse_cm","tk":"4668","action":"<button class='button-style-s button-alt2' onclick='Buy();'>Buy<\/button><button class='button-style-s button-alt1' onclick='Sell();'>Sell<\/button>","rowtoken":"NSE4668","ts":"BOB.NS","clow":"173.85"}},{"id":"SBNK.NS","cell":{"ser":"EQ","bdlt":1,"e":"NSE","chigh":"128.85","tick":"0.05","m":1,"prec":2,"W\/L":null,"exch":"nse_cm","tk":"7179","action":"<button class='button-style-s button-alt2' onclick='Buy();'>Buy<\/button><button class='button-style-s button-alt1' onclick='Sell();'>Sell<\/button>","rowtoken":"NSE7179","ts":"SBNK.NS","clow":"105.45"}}]}如图所示,我的javscript无法理解数据,并且失败了。我能做些什么来解决这个问题。
回答 2
Stack Overflow用户
回答已采纳
发布于 2015-02-03 04:20:55
我使用了ESAPI.encode().escapeForJavaScript(),得到了以下结果
\x7B\x22mw0\x22\x3A\x22Default\x22\x7D现在,要将其更改为我使用的java脚本可以理解的格式,请参见下面的代码。
data="\x7B\x22mw0\x22\x3A\x22Default\x22\x7D"
decodeURIComponent(data.replace(/\\x/g, '%'));回报是
"{"mw0":"Default"}"Stack Overflow用户
发布于 2015-02-02 06:24:13
您需要根据打算如何使用数据来转换您的数据。在本例中,您有用于javascript上下文的数据,因此您需要使用带有指向接口ESAPI.encode().escapeForJavaScript()的链接的这里。
如果要发送要直接呈现到页面的数据,则需要使用ESAPI.encode().encodeForHTML()。
然而,就目前情况而言,即使使用javascript转义也可能无法工作,因为您试图对整个JSON对象进行编码。要使其正常工作,您需要确保每个单独的数据元素都是针对javscript上下文转义的。
例如,被封送到此JSON的代码:
{
"id": "SBNK.NS",
"cell": {
"ser": "EQ",
"bdlt": 1,
"e": "NSE",
"chigh": "128.85",
"tick": "0.05",
"m": 1,
"prec": 2,
"W\/L": null,
"exch": "nse_cm",
"tk": "7179",
"action": "<button class='button-style-s button-alt2' onclick='Buy();'>Buy<\/button><button class='button-style-s button-alt1' onclick='Sell();'>Sell<\/button>",
"rowtoken": "NSE7179",
"ts": "SBNK.NS",
"clow": "105.45"
}假设服务器上有它的java代码,您可能希望这样做:
public void someControllerMethod(httpReq, httpResp){
DataObject myData = somthingFromADao.getBean();
ViewBean vBean = new vBean();
vBean.setId(encoder.escapeForJavaScript(myData.id));
Cell myCell = myData.getCell();
Cell vCell = new vCell();
vCell.setSer(encode.escapeForJavaScript(myCell.getSer()));
// ...^^^can be done as a "populate" method or some similar pattern.
//Marshall as JSON
}数据集中唯一可能让您感到头疼的是"action“字段:它显然试图注入要呈现的HTML。Veracode不会标记它,但是您必须确保您也在监视XSS的向量。应该重新架构,这样您就不必将动态生成的代码作为数据元素传递。现在大多数XSS都是基于DOM的,所以您不希望在浏览器中编写HTML。
页面原文内容由Stack Overflow提供。腾讯云小微IT领域专用引擎提供翻译支持
原文链接:
https://stackoverflow.com/questions/28271938
复制相关文章
腾讯云开发者
