We are trying to implement an XSS fix for our JSP web application. We have used the method ESAPI.validator.getValidInput. But this takes the whitelist from a properties file. My question here is whether a blacklist is also available in ESAPI? In our web application many special characters are used and some international languages are allowed as input, so finding the whitelist characters is complex here. I want to know whether the approach (using ESAPI.validator.getValidInput with a whitelist) is correct or not in this case.

1 Answer


No, blacklisting is not supported. From the Validator interface definition:

"Implementations must adopt a 'whitelist' approach to validation where a specific pattern or character set is matched. 'Blacklist' approaches that attempt to identify invalid or disallowed characters are more likely to allow a bypass with encoding or other tricks."

https://owasp-esapi-java.googlecode.com/svn/trunk_doc/latest/org/owasp/esapi/Validator.html

Answered 2014-09-11T20:55:45.640
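The asker's practical difficulty is that international input makes a character-by-character whitelist hard to enumerate. A whitelist does not have to list characters one by one: a regular expression can allow whole Unicode general categories (letters, combining marks, digits, spaces) plus an explicit, small set of punctuation, and everything else, including markup metacharacters and control characters, is rejected by omission. The following is an added example written for this page, not code from the question, the answer or the ESAPI project. It uses only `java.util.regex`, so it runs without ESAPI; the mapping to ESAPI at the end of the comment (a `Validator.FreeText` key in ESAPI's validation properties, looked up by the type name passed to `getValidInput`) is stated from memory of ESAPI's configuration format and should be checked against the version in use.

```java
import java.util.regex.Pattern;

/**
 * Added example: a category-based allowlist for free-text fields that must
 * accept international scripts.
 *
 *   \p{L}  letters in any script        \p{M}  combining marks (needed for
 *                                              Devanagari, Thai, Arabic ...)
 *   \p{N}  digits in any script         \p{Zs} space separators
 *
 * plus an explicit set of ASCII punctuation the application actually needs.
 * Angle brackets, quotes, ampersand, slash and all control characters are
 * deliberately absent, so they fail validation without ever being named.
 *
 * Assumed ESAPI mapping (verify against your version): the same pattern
 * string can be placed in validation.properties as
 *     Validator.FreeText=^[\p{L}\p{M}\p{N}\p{Zs}.,;:!?()\-_@#%*+=]{0,1024}$
 * and used via ESAPI.validator().getValidInput("comment", input, "FreeText", 1024, false).
 */
public final class AllowlistValidation {

    // Punctuation the application needs; extend this list deliberately, one
    // character at a time, rather than loosening the categories above.
    private static final String PUNCT = ".,;:!?()\\-_@#%*+=";

    // Anchored on both ends and bounded in length, so the check also caps size.
    private static final Pattern FREE_TEXT = Pattern.compile(
            "^[\\p{L}\\p{M}\\p{N}\\p{Zs}" + PUNCT + "]{0,1024}$");

    /** True when every code point of the input is in the allowlist. */
    public static boolean isValidFreeText(String input) {
        return input != null && FREE_TEXT.matcher(input).matches();
    }

    /**
     * Mirrors the getValidInput style: returns the input unchanged when it is
     * valid, otherwise throws, so callers cannot accidentally use rejected data.
     */
    public static String getValidFreeText(String context, String input) {
        if (!isValidFreeText(input)) {
            throw new IllegalArgumentException(
                    context + ": input contains characters outside the allowlist");
        }
        return input;
    }

    public static void main(String[] args) {
        // Constructed sample inputs covering several scripts and a few
        // strings that must be rejected.
        String[] samples = {
            "Hello, world!",            // accepted
            "こんにちは世界",              // accepted: Japanese
            "Grüße aus Köln",           // accepted: Latin with diacritics
            "नमस्ते दुनिया",             // accepted: Hindi, relies on \p{M}
            "مرحبا بالعالم",            // accepted: Arabic
            "price: 100% off (today)",  // accepted: allowed punctuation
            "<b>bold</b>",              // rejected: angle brackets
            "say \"hi\"",               // rejected: double quotes
            "Tom & Jerry",              // rejected: ampersand
            "tab\tseparated",           // rejected: control character
        };
        for (String s : samples) {
            System.out.printf("%-28s -> %s%n", s,
                    isValidFreeText(s) ? "accepted" : "REJECTED");
        }
    }
}
```

Because the allowlist is expressed as categories, adding a new language requires no configuration change, while adding a new symbol (for example `&` for a field that legitimately needs it) is a visible, reviewable edit to `PUNCT`. Input validation of this kind narrows what reaches the application; the characters that must appear in HTML output are still handled by context-appropriate output encoding.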