How to use data canonicalized by ESAPI in JavaScript
How do I use ESAPI to canonicalize data, as Veracode recommends?
out.print(ESAPI.encoder().encodeForHTML(jsonObj.toJSONString()));
The data as seen in the console is now:
{"total":1,"records":5,"rows":[{"id":"RLCP.NS","cell":{"ser":"EQ","bdlt":1,"e":"NSE","chigh":"534.7","tick":"0.05","m":1,"prec":2,"W\/L":null,"exch":"nse_cm","tk":"2882","action":"<button class='button-style-s button-alt2' onclick='Buy();'>Buy<\/button><button class='button-style-s button-alt1' onclick='Sell();'>Sell<\/button>","rowtoken":"NSE2882","ts":"RLCP.NS","clow":"437.5"}},{"id":"SBI.NS","cell":{"ser":"EQ","bdlt":1,"e":"NSE","chigh":"339.8","tick":"0.05","m":1,"prec":2,"W\/L":null,"exch":"nse_cm","tk":"3045","action":"<button class='button-style-s button-alt2' onclick='Buy();'>Buy<\/button><button class='button-style-s button-alt1' onclick='Sell();'>Sell<\/button>","rowtoken":"NSE3045","ts":"SBI.NS","clow":"278.1"}},{"id":"YESB.NS","cell":{"ser":"EQ","bdlt":1,"e":"NSE","chigh":"948.65","tick":"0.05","m":1,"prec":2,"W\/L":null,"exch":"nse_cm","tk":"11915","action":"<button class='button-style-s button-alt2' onclick='Buy();'>Buy<\/button><button class='button-style-s button-alt1' onclick='Sell();'>Sell<\/button>","rowtoken":"NSE11915","ts":"YESB.NS","clow":"776.25"}},{"id":"BOB.NS","cell":{"ser":"EQ","bdlt":1,"e":"NSE","chigh":"212.45","tick":"0.05","m":1,"prec":2,"W\/L":null,"exch":"nse_cm","tk":"4668","action":"<button class='button-style-s button-alt2' onclick='Buy();'>Buy<\/button><button class='button-style-s button-alt1' onclick='Sell();'>Sell<\/button>","rowtoken":"NSE4668","ts":"BOB.NS","clow":"173.85"}},{"id":"SBNK.NS","cell":{"ser":"EQ","bdlt":1,"e":"NSE","chigh":"128.85","tick":"0.05","m":1,"prec":2,"W\/L":null,"exch":"nse_cm","tk":"7179","action":"<button class='button-style-s button-alt2' onclick='Buy();'>Buy<\/button><button class='button-style-s button-alt1' onclick='Sell();'>Sell<\/button>","rowtoken":"NSE7179","ts":"SBNK.NS","clow":"105.45"}}]}
but it renders in the HTML as:
{"total":1,"records":5,"rows":[{"id":"RLCP.NS","cell":{"ser":"EQ","bdlt":1,"e":"NSE","chigh":"534.7","tick":"0.05","m":1,"prec":2,"W\/L":null,"exch":"nse_cm","tk":"2882","action":"<button class='button-style-s button-alt2' onclick='Buy();'>Buy<\/button><button class='button-style-s button-alt1' onclick='Sell();'>Sell<\/button>","rowtoken":"NSE2882","ts":"RLCP.NS","clow":"437.5"}},{"id":"SBI.NS","cell":{"ser":"EQ","bdlt":1,"e":"NSE","chigh":"339.8","tick":"0.05","m":1,"prec":2,"W\/L":null,"exch":"nse_cm","tk":"3045","action":"<button class='button-style-s button-alt2' onclick='Buy();'>Buy<\/button><button class='button-style-s button-alt1' onclick='Sell();'>Sell<\/button>","rowtoken":"NSE3045","ts":"SBI.NS","clow":"278.1"}},{"id":"YESB.NS","cell":{"ser":"EQ","bdlt":1,"e":"NSE","chigh":"948.65","tick":"0.05","m":1,"prec":2,"W\/L":null,"exch":"nse_cm","tk":"11915","action":"<button class='button-style-s button-alt2' onclick='Buy();'>Buy<\/button><button class='button-style-s button-alt1' onclick='Sell();'>Sell<\/button>","rowtoken":"NSE11915","ts":"YESB.NS","clow":"776.25"}},{"id":"BOB.NS","cell":{"ser":"EQ","bdlt":1,"e":"NSE","chigh":"212.45","tick":"0.05","m":1,"prec":2,"W\/L":null,"exch":"nse_cm","tk":"4668","action":"<button class='button-style-s button-alt2' onclick='Buy();'>Buy<\/button><button class='button-style-s button-alt1' onclick='Sell();'>Sell<\/button>","rowtoken":"NSE4668","ts":"BOB.NS","clow":"173.85"}},{"id":"SBNK.NS","cell":{"ser":"EQ","bdlt":1,"e":"NSE","chigh":"128.85","tick":"0.05","m":1,"prec":2,"W\/L":null,"exch":"nse_cm","tk":"7179","action":"<button class='button-style-s button-alt2' onclick='Buy();'>Buy<\/button><button class='button-style-s button-alt1' onclick='Sell();'>Sell<\/button>","rowtoken":"NSE7179","ts":"SBNK.NS","clow":"105.45"}}]}
As shown, my JavaScript cannot understand the data and fails. What should I do to fix this?
You need to transform the data according to how you intend to use it. In this case you have data destined for a JavaScript context, so you'll want to use ESAPI.encode().escapeForJavaScript()
and a link to the interface here.
If you are sending data to be rendered directly into the page, then you would use ESAPI.encode().encodeForHTML().
However, as things stand, even JavaScript escaping may not work, because you are trying to encode the entire JSON object. To make it work, you need to make sure each individual data element is escaped for the JavaScript context.
For example, the code that marshals to this JSON:
{
  "id": "SBNK.NS",
  "cell": {
    "ser": "EQ",
    "bdlt": 1,
    "e": "NSE",
    "chigh": "128.85",
    "tick": "0.05",
    "m": 1,
    "prec": 2,
    "W\/L": null,
    "exch": "nse_cm",
    "tk": "7179",
    "action": "<button class='button-style-s button-alt2' onclick='Buy();'>Buy<\/button><button class='button-style-s button-alt1' onclick='Sell();'>Sell<\/button>",
    "rowtoken": "NSE7179",
    "ts": "SBNK.NS",
    "clow": "105.45"
  }
}
Assuming the Java code is on the server, you'd want to do something like this:
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.owasp.esapi.ESAPI;
import org.owasp.esapi.Encoder;

public void someControllerMethod(HttpServletRequest httpReq, HttpServletResponse httpResp) {
    // ESAPI's Encoder interface names the JavaScript-context method encodeForJavaScript
    Encoder encoder = ESAPI.encoder();
    DataObject myData = somethingFromADao.getBean();
    ViewBean vBean = new ViewBean();
    vBean.setId(encoder.encodeForJavaScript(myData.getId()));
    Cell myCell = myData.getCell();
    Cell vCell = new Cell();
    vCell.setSer(encoder.encodeForJavaScript(myCell.getSer()));
    // ...^^^can be done as a "populate" method or some similar pattern,
    // one call per string field, so the JSON structure itself is never encoded.
    vBean.setCell(vCell);
    // Marshall vBean as JSON and write it to httpResp
}
The only thing in your data set that might give you a headache is the "action" field: it is clearly trying to inject HTML for rendering. Veracode won't flag it, but you have to make sure you are also watching for XSS vectors. That should be re-architected so you don't have to pass dynamically generated code as a data element. Most XSS these days is DOM-based, so as far as possible you don't want to be writing HTML in the browser.
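The answer's point, encoding each element for its output context instead of encoding the whole serialized document, as an added example that is not code from the question, the answer or ESAPI. It is plain JavaScript runnable under Node: encodeForHTML is a stand-in for ESAPI.encoder().encodeForHTML(), the sample row, its note value and the actions array are constructed, and the data-action attribute and the ACTION_BUTTONS allow-list are this example's own suggestion for re-architecting the "action" field.

```javascript
// Constructed sample row, shaped like the question's data but with a value
// that contains characters meaningful to both HTML and JSON.
const sampleRow = {
  id: "SBNK.NS",
  cell: { ser: "EQ", chigh: "128.85", tk: "7179", note: "<b>x</b> & \"q\"" },
  // "actions" carries identifiers, not markup; the last one is deliberately bogus
  actions: ["buy", "sell", "<script>"]
};

// Allow-list HTML encoder (stand-in for ESAPI.encoder().encodeForHTML()):
// anything outside [A-Za-z0-9 .,_-] becomes a numeric character reference.
function encodeForHTML(s) {
  return String(s).replace(/[^A-Za-z0-9 .,_-]/g,
    c => "&#x" + c.codePointAt(0).toString(16) + ";");
}

function parsesAsJSON(text) {
  try { JSON.parse(text); return true; } catch (e) { return false; }
}

// What out.print(encodeForHTML(jsonObj.toJSONString())) in the question does:
// the quotes, braces and colons that make the text JSON are encoded along with
// everything else, so JSON.parse on the client rejects the result.
function wholeDocumentEncoded(obj) {
  return encodeForHTML(JSON.stringify(obj));
}

// What the answer recommends: keep the structure, encode each string leaf for
// its output context. Numbers, booleans and null pass through untouched.
function encodeLeaves(value, enc) {
  if (typeof value === "string") return enc(value);
  if (Array.isArray(value)) return value.map(v => encodeLeaves(v, enc));
  if (value !== null && typeof value === "object") {
    const out = {};
    for (const [k, v] of Object.entries(value)) out[k] = encodeLeaves(v, enc);
    return out;
  }
  return value;
}

// Leaf-encoded copy serialized and parsed again: still valid JSON on the wire.
function safeCopy(obj) {
  return JSON.parse(JSON.stringify(encodeLeaves(obj, encodeForHTML)));
}

// The "action" field re-architected: the server sends action identifiers and
// the client maps them through an allow-list to markup it owns. Unknown
// identifiers are dropped, never rendered.
const ACTION_BUTTONS = {
  buy:  "<button class='button-style-s button-alt2' data-action='buy'>Buy</button>",
  sell: "<button class='button-style-s button-alt1' data-action='sell'>Sell</button>"
};

function renderActions(actions) {
  return actions
    .filter(a => Object.prototype.hasOwnProperty.call(ACTION_BUTTONS, a))
    .map(a => ACTION_BUTTONS[a])
    .join("");
}

// Render one row to an HTML fragment, encoding each value at the point of use.
function renderRow(row) {
  const c = row.cell;
  return "<tr><td>" + encodeForHTML(row.id) +
         "</td><td>" + encodeForHTML(c.ser) +
         "</td><td>" + encodeForHTML(c.chigh) +
         "</td><td>" + renderActions(row.actions) +
         "</td></tr>";
}

console.log("whole document parses:", parsesAsJSON(wholeDocumentEncoded(sampleRow)));
console.log("per-leaf note:", safeCopy(sampleRow).cell.note);
console.log(renderRow(sampleRow));
```

The table markup, button labels and their click handling (here a data-action attribute instead of an inline onclick) now live in the client, and the JSON only says which actions a row offers; a value that does not match the allow-list never reaches the DOM.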
I used ESAPI.encode().escapeForJavaScript() and got the following result:
\x7B\x22mw0\x22\x3A\x22Default\x22\x7D
Now, to change it into a format JavaScript can understand, I used the following code:
// the escaped text as received, with literal backslashes (doubled inside a JS string literal)
var data = "\\x7B\\x22mw0\\x22\\x3A\\x22Default\\x22\\x7D";
// only handles \xHH escapes: turn each into %HH and percent-decode
decodeURIComponent(data.replace(/\\x/g, '%'));
The return is
"{"mw0":"Default"}"
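The follow-up above turns the \x-escaped text back into JSON by replacing \x with % and calling decodeURIComponent. As an added example (not the asker's code and not ESAPI's), the following Node-runnable JavaScript shows what the JavaScript-escaped form is for and where that shortcut breaks. encodeForJavaScript is a stand-in whose output format (alphanumerics kept, \xHH for code units below 256, \uHHHH above) is an assumption about ESAPI's JavaScript codec; decodeJsEscapes reproduces by hand what the engine does when the text sits inside a string literal; the sample values are constructed.

```javascript
// Stand-in for ESAPI.encoder().encodeForJavaScript(). The output format is an
// assumption about ESAPI's codec: alphanumerics pass, UTF-16 code units below
// 0x100 become \xHH, everything else \uHHHH (surrogates are emitted one by one).
function encodeForJavaScript(s) {
  let out = "";
  for (let i = 0; i < s.length; i++) {
    const ch = s[i];
    const cu = s.charCodeAt(i);
    if (/[A-Za-z0-9]/.test(ch)) out += ch;
    else if (cu < 0x100) out += "\\x" + cu.toString(16).padStart(2, "0");
    else out += "\\u" + cu.toString(16).padStart(4, "0");
  }
  return out;
}

// What the JavaScript engine does when that text sits inside a string literal
// in a <script> block: \xHH and \uHHHH become characters again. Done by hand
// here only so the example runs without a page; in the browser no code is
// needed for this step.
function decodeJsEscapes(s) {
  return s.replace(/\\x([0-9A-Fa-f]{2})|\\u([0-9A-Fa-f]{4})/g,
    (m, x, u) => String.fromCharCode(parseInt(x || u, 16)));
}

// Server side: serialize, then escape the whole string for the script context.
// Client side: the literal is decoded by the parser, then handed to JSON.parse.
function roundTrip(obj) {
  return JSON.parse(decodeJsEscapes(encodeForJavaScript(JSON.stringify(obj))));
}

// The shortcut from the follow-up: \x -> % then percent-decode. It treats the
// escapes as if they were UTF-8 percent-encoding, which they are not. Returns
// null where decodeURIComponent throws a URIError.
function shortcutDecode(s) {
  try { return decodeURIComponent(s.replace(/\\x/g, "%")); }
  catch (e) { return null; }
}

console.log(encodeForJavaScript('{"mw0":"Default"}'));
console.log(roundTrip({ mw0: "Déjà €" }));
console.log(shortcutDecode(encodeForJavaScript('"Déjà"')));  // null: %e9 is not valid UTF-8 here
console.log(shortcutDecode(encodeForJavaScript("€")));       // \u20ac left as-is
```

The shortcut happens to work for pure ASCII such as {"mw0":"Default"}, fails with a URIError on any Latin-1 character above 0x7F, and silently leaves \uHHHH escapes in place; the escaped form is meant to be written into a string literal inside a script block, where the parser undoes the escaping for free.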