JSP安全开发之XSS漏洞详解

<%@ page language="java" import="java.util.*" pageEncoding="UTF-8"%><%String path = request.getContextPath();String basePath = request.getScheme()+"://"+request.getServerName()+":"+request.getServerPort()+path+"/";%><!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html> <head> <base href="<%=basePath%>"> <title>My JSP 'index.jsp' starting page</title>  <meta http-equiv="pragma" content="no-cache">  <meta http-equiv="cache-control" content="no-cache">  <meta http-equiv="expires" content="0">   <meta http-equiv="keywords" content="keyword1,keyword2,keyword3">  <meta http-equiv="description" content="This is my page"> </head> <body> <div style="margin: 0 auto"> <%//设置编码   request.setCharacterEncoding("UTF-8");//接收用户传入值   String tmp = request.getParameter("opr");   //减速传入值是否为空   if(tmp == null){     out.print("111");   }else{     //转码     String opr = new String(tmp.getBytes("ISO-8859-1"),"utf-8");     out.print(opr);   } %>   我是内容 </div> </body></html>

import java.sql.Connection;import java.sql.DriverManager;import java.sql.PreparedStatement;import java.sql.ResultSet;import java.sql.SQLException;import java.sql.Statement;public class BaseDAO {  //打开连接  public Connection getConn(){    Connection conn = null;    try {      Class.forName("com.microsoft.sqlserver.jdbc.SQLServerDriver");      conn = DriverManager.getConnection("jdbc:sqlserver://localhost:1433;databaseName=SQLTMP","sa","sa");    } catch (ClassNotFoundException e) {      e.printStackTrace();    } catch (SQLException e) {      e.printStackTrace();    }     return conn;  }     //关闭链接的方法  public void closeAll(Connection conn,Statement stat,ResultSet rs){    try {      if(rs != null)        rs.close();      if(stat != null)        stat.close();      if(conn != null)        conn.close();           } catch (SQLException e) {      e.printStackTrace();    }  }  //重载关闭方法  public void closeAll(Connection conn,PreparedStatement pstat,ResultSet rs){    try {      if(rs != null)        rs.close();      if(pstat != null)        pstat.close();      if(conn != null)        conn.close();           } catch (SQLException e) {      e.printStackTrace();    }  }  //继续重载  public void closeAll(Connection conn,PreparedStatement pstat){    try {      if(pstat != null)        pstat.close();      if(conn != null)        conn.close();    } catch (SQLException e) {      e.printStackTrace();    }  }  //增删改的公用方法  public int upDate(String sql,Object[] pram){         PreparedStatement pstat = null;    Connection conn = null;    int a = 0;         try {      conn = getConn();      pstat =conn.prepareStatement(sql);      //遍历参数集合，将集合中的参数对应添加到sql语句中      for (int i = 1; i <= pram.length; i++) {        pstat.setObject(i, pram[i-1]);      }      //调用方法      a = pstat.executeUpdate();           } catch (SQLException e) {      e.printStackTrace();    }finally{      closeAll(conn, pstat);    }    return a;  }}  

import java.sql.*;import java.util.*;import entity.*;public class CommentDao extends BaseDAO {  /**   * 获取所有留言   * */  public List<comm> GetComment(){    //SQL语句    String sql = "SELECT CID,CName,CContext FROM Comments";    List<comm> list = new ArrayList<comm>();    //数据库连接对象    Connection conn = null;    //SQL执行对象    PreparedStatement pstmt = null;    //数据库执行返回值    ResultSet rs = null;    try {      //创建数据库链接      conn = this.getConn();      //创建SQL执行对象      pstmt = conn.prepareStatement(sql);      //执行SQL语句  返回值      rs = pstmt.executeQuery();      //读取      while (rs.next()) {        comm comment = new comm();        comment.setCID(rs.getInt("CID"));        comment.setCName(rs.getString("CName"));        comment.setCContext(rs.getString("CContext"));        list.add(comment);      }    } catch (Exception e) {      e.printStackTrace();    }finally{      //关闭      this.closeAll(conn, pstmt, rs);    }    return list;  }  public int AddComment(comm comment){    String sql = "INSERT INTO Comments VALUES(?,?)";    //受影响行数    int result = 0;      //数据库连接对象    Connection conn = null;    //SQL执行对象    PreparedStatement pstmt = null;    try {      //创建数据库链接      conn = this.getConn();      //创建SQL执行对象      pstmt = conn.prepareStatement(sql);      //设置参数      pstmt.setString(1, comment.getCName());      pstmt.setString(2, comment.getCContext());      //执行SQL语句      result = pstmt.executeUpdate();    } catch (Exception e) {      e.printStackTrace();    }finally{      this.closeAll(conn, pstmt);    }    return result;  }}

import java.io.*;import javax.servlet.*;import javax.servlet.http.*;import entity.*;public class CommentServlvet extends HttpServlet {  /**   * doGet()   */  public void doGet(HttpServletRequest request, HttpServletResponse response)      throws ServletException, IOException {    request.setCharacterEncoding("UTF-8");    response.setContentType("text/html;charset=UTF-8");    PrintWriter out = response.getWriter();    String opr = request.getParameter("opr");    CommentDao commentDao = new CommentDao();    //检索参数是否为空    if(opr == null || opr.equals("all")){      request.setAttribute("all", commentDao.GetComment());      //转发      request.getRequestDispatcher("comment.jsp").forward(request, response);    }else if (opr.equals("add")){      comm comment = new comm();      comment.setCName(request.getParameter("UName"));      comment.setCContext(request.getParameter("context"));      if(commentDao.AddComment(comment) > 0){        out.print("<script>alert('留言成功');location.href='CommentServlvet?opr=all';</script>");      }else{        out.print("<script>alert('留言失败');location.href='CommentServlvet?opr=all';</script>");      }    }else{      request.setAttribute("all", commentDao.GetComment());      //转发      request.getRequestDispatcher("comment.jsp").forward(request, response);    }    out.flush();    out.close();  }   /**   * doPost()   */  public void doPost(HttpServletRequest request, HttpServletResponse response)      throws ServletException, IOException {    doGet(request, response);  }}

<%@ page language="java" import="java.util.*,entity.*" pageEncoding="UTF-8"%><%String path = request.getContextPath();String basePath = request.getScheme()+"://"+request.getServerName()+":"+request.getServerPort()+path+"/";%><!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html> <head> <base href="<%=basePath%>"> <title>My JSP 'comment.jsp' starting page</title>  <meta http-equiv="pragma" content="no-cache">  <meta http-equiv="cache-control" content="no-cache">  <meta http-equiv="expires" content="0">   <meta http-equiv="keywords" content="keyword1,keyword2,keyword3">  <meta http-equiv="description" content="This is my page"> </head> <body> <%   request.setCharacterEncoding("UTF-8");   if(request.getAttribute("all") == null){     request.getRequestDispatcher("CommentServlvet?opr=all").forward(request, response);   } %> <table> <%   List<entity.comm> list = (List<entity.comm>)request.getAttribute("all");    for(int i = 0; i < list.size(); i++ ){ %>     <tr>     <td><%=list.get(i).getCName() %></td>     <td><%=list.get(i).getCContext() %></td>     </tr>     <%   } %> </table> <form action="CommentServlvet?opr=add" method="post">   <textarea rows="5" cols="30" name="context"></textarea>   昵称:<input type="text" name="UName" />   <input type="submit" value="提交" /> </form> </body></html>

<%@ page language="java" import="java.util.*" pageEncoding="UTF-8"%><%@ taglib uri="http://java.sun.com/jsp/jstl/core" prefix="c" %><%String path = request.getContextPath();String basePath = request.getScheme()+"://"+request.getServerName()+":"+request.getServerPort()+path+"/";%><!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html> <head> <base href="<%=basePath%>">  <title>My JSP 'index.jsp' starting page</title>  <meta http-equiv="pragma" content="no-cache">  <meta http-equiv="cache-control" content="no-cache">  <meta http-equiv="expires" content="0">   <meta http-equiv="keywords" content="keyword1,keyword2,keyword3">  <meta http-equiv="description" content="This is my page"> </head> <body> <div style="margin: 0 auto"> <%   request.setCharacterEncoding("UTF-8");   String tmp = request.getParameter("opr");   //减速传入值是否为空   if(tmp == null){     out.print("111");   }else{     //转码     String opr = new String(tmp.getBytes("ISO-8859-1"),"utf-8");     request.setAttribute("name", opr);     %>     <c:out value="${requestScope.name }"></c:out>     <%   } %>   我是内容 </div> </body></html>

<%@ page language="java" import="java.util.*,entity.*" pageEncoding="UTF-8"%><%@ taglib uri="http://java.sun.com/jsp/jstl/core" prefix="c" %><%String path = request.getContextPath();String basePath = request.getScheme()+"://"+request.getServerName()+":"+request.getServerPort()+path+"/";%>

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html> <head> <base href="<%=basePath%>"> <title>My JSP 'comment.jsp' starting page</title>  <meta http-equiv="pragma" content="no-cache">  <meta http-equiv="cache-control" content="no-cache">  <meta http-equiv="expires" content="0">   <meta http-equiv="keywords" content="keyword1,keyword2,keyword3">  <meta http-equiv="description" content="This is my page"> </head> <body> <%   request.setCharacterEncoding("UTF-8");   if(request.getAttribute("all") == null){     request.getRequestDispatcher("CommentServlvet?opr=all").forward(request, response);   } %> <table><!-- 防御XSS方案 --> <c:forEach var="x" items="${requestScope.all }"> <tr>   <td>   <c:out value="${x.getCName() }"></c:out>   </td>   <td>   <c:out value="${x.getCContext() }"></c:out>   </td> </tr> </c:forEach> </table> <form action="CommentServlvet?opr=add" method="post">   <textarea rows="5" cols="30" name="context"></textarea>   昵称:<input type="text" name="UName" />   <input type="submit" value="提交" /> </form> </body></html>