Configure ESAPI Security Encoding Library to prevent XSS cross-site scripting issue
I'm trying to use ESAPI for secure encoding in a web application (JSPs) to prevent XSS. I added esapi-2.1.0.jar under WEB-INF/lib and added the following line in the JSP to encode:
ESAPI.encoder().encodeForHTML(request.getParameter(""))
But I get the following exception:
org.owasp.esapi.errors.ConfigurationException: ESAPI.properties could not be loaded by any means. Fail.
org.owasp.esapi.reference.DefaultSecurityConfiguration.loadConfiguration(DefaultSecurityConfiguration.java:439)
I know the problem is the missing ESAPI.properties file. Should I download this file together with esapi-2.1.0.jar? I can see that ESAPI.properties is not inside esapi-2.1.0.jar. Should I create my own file, or can I get a default one, since I'm not sure what it should contain? Any help is appreciated.
The most recent public configuration file is located here:
If you read the comments/code in this file, you will understand how the file location is handled.
You need esapi.properties and validation.properties to use the library properly.
Here is an excerpt from the documentation.
/**
* The reference {@code SecurityConfiguration} manages all the settings used by the ESAPI in a single place. In this reference
* implementation, resources can be put in several locations, which are searched in the following order:
* <p>
* 1) Inside a directory set with a call to SecurityConfiguration.setResourceDirectory( "C:\temp\resources" ).
* <p>
* 2) Inside the System.getProperty( "org.owasp.esapi.resources" ) directory.
* You can set this on the java command line as follows (for example):
* <pre>
* java -Dorg.owasp.esapi.resources="C:\temp\resources"
* </pre>
* You may have to add this to the start-up script that starts your web server. For example, for Tomcat,
* in the "catalina" script that starts Tomcat, you can set the JAVA_OPTS variable to the {@code -D} string above.
* <p>
* 3) Inside the {@code System.getProperty( "user.home" ) + "/.esapi"} directory (supported for backward compatibility) or
* inside the {@code System.getProperty( "user.home" ) + "/esapi"} directory.
* <p>
* 4) The first ".esapi" or "esapi" directory on the classpath. (The former for backward compatibility.)
* <p>
* Once the Configuration is initialized with a resource directory, you can edit it to set things like master
* keys and passwords, logging locations, error thresholds, and allowed file extensions.
* <p>
* WARNING: Do not forget to update ESAPI.properties to change the master key and other security critical settings.
*
* @author Jeff Williams (jeff.williams .at. aspectsecurity.com) <a href="http://www.aspectsecurity.com">Aspect Security</a>
* @author Jim Manico (jim .at. manico.net) <a href="http://www.manico.net">Manico.net</a>
* @author Kevin Wall (kevin.w.wall .at. gmail.com)
*/
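The following listener is an added example (not part of the answer above and not ESAPI's own code) showing the practical consequence of the lookup order quoted from the Javadoc: the resource directory has to be known before the first ESAPI call in the JVM, so a webapp should set it at startup rather than inside a JSP. It assumes Servlet 3.0 (for `@WebListener`; a `<listener>` entry in web.xml works for older containers), that `ESAPI.properties` and `validation.properties` have been copied to the assumed directory `/opt/myapp/esapi`, and that `EsapiBootstrap` is a class name chosen here.

```java
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
import javax.servlet.annotation.WebListener;
import javax.servlet.http.HttpServletRequest;

import org.owasp.esapi.ESAPI;

/**
 * Bootstraps ESAPI once at web-app startup and exposes small encoding helpers
 * for JSPs. Added example; not part of the original answer or of ESAPI itself.
 */
@WebListener
public class EsapiBootstrap implements ServletContextListener {

    // Assumed directory; it must contain ESAPI.properties and validation.properties.
    private static final String RESOURCE_DIR = "/opt/myapp/esapi";

    @Override
    public void contextInitialized(ServletContextEvent sce) {
        // Step 2 of the lookup order: the org.owasp.esapi.resources system property.
        // Respect a value already passed with -D on the JVM command line (e.g. via
        // JAVA_OPTS for Tomcat); otherwise set it here, before any ESAPI.* call.
        if (System.getProperty("org.owasp.esapi.resources") == null) {
            System.setProperty("org.owasp.esapi.resources", RESOURCE_DIR);
        }
        // Force configuration loading now, so a missing or unreadable
        // ESAPI.properties fails at deployment instead of on the first user request.
        ESAPI.encoder();
    }

    @Override
    public void contextDestroyed(ServletContextEvent sce) {
        // nothing to release
    }

    /** Encode a request parameter for insertion into HTML element content. */
    public static String html(HttpServletRequest req, String name) {
        return forHtml(req.getParameter(name));
    }

    /** Encode a request parameter for insertion into a quoted HTML attribute value. */
    public static String attr(HttpServletRequest req, String name) {
        return forAttr(req.getParameter(name));
    }

    static String forHtml(String value) {
        // An absent parameter is null; render it as empty rather than the text "null".
        return value == null ? "" : ESAPI.encoder().encodeForHTML(value);
    }

    static String forAttr(String value) {
        return value == null ? "" : ESAPI.encoder().encodeForHTMLAttribute(value);
    }

    // Stand-alone check: run with the ESAPI jars on the classpath and the
    // properties files in RESOURCE_DIR; prints the encoded forms of a sample.
    public static void main(String[] args) {
        new EsapiBootstrap().contextInitialized(null);
        String sample = "<b>hi</b> & \"x\""; // constructed untrusted input
        System.out.println(forHtml(sample));
        System.out.println(forAttr(sample));
    }
}
```

In a JSP this becomes `<%= EsapiBootstrap.html(request, "name") %>` for element content and `<%= EsapiBootstrap.attr(request, "name") %>` inside a quoted attribute; pick the encoder that matches the output context, since HTML-body encoding is not sufficient for JavaScript or URL contexts. Two caveats a practitioner should keep in mind: `request.getParameter` returns null for a missing parameter, which the helpers above turn into an empty string rather than letting "null" reach the page; and, as the WARNING in the quoted Javadoc says, a copied `ESAPI.properties` still carries the shipped master key and salt, which must be replaced before the encryptor is used in production.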