IT/Languages
[LIB] Defending against XSS with ESAPI
으어오오옹
2014. 5. 30. 16:29
Reference: http://airlee00.blogspot.kr/2013/11/esapi-xss-sql-injection.html
esapi-2.1.0.jar

Part of the source code

```java
import java.io.IOException;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.owasp.esapi.ESAPI;

// board.content holds <script>alert("1");<script> as submitted
public Board setBoard(Board board, HttpServletRequest request, HttpServletResponse response)
        throws ServletException, IOException {
    try {
        board.setName(request.getParameter("name"));
        board.setPassword(request.getParameter("password"));
        board.setTitle(request.getParameter("title"));
        // board.setContent(request.getParameter("content")); // stored as-is, without any filtering
        // stored after filtering <, >, ", (, ), /
        board.setContent(ESAPI.encoder().encodeForHTML(request.getParameter("content")));
    } catch (NullPointerException e) {
        error("Null 값이 있습니다.", request, response);
    }
    return board;
}
```
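As an added example (not code from the original post), the same ESAPI 2.1.0 Encoder applied to one untrusted string for several output contexts; it assumes ESAPI.properties is reachable on the classpath (or via the org.owasp.esapi.resources system property), and the sample input is constructed:

```java
// Added example, not from the original post: ESAPI Encoder per output context.
import org.owasp.esapi.ESAPI;
import org.owasp.esapi.Encoder;
import org.owasp.esapi.errors.EncodingException;

public class EsapiContextEncoding {

    /** Encodes one untrusted value for four distinct output contexts. */
    public static String[] encodeForContexts(String untrusted) throws EncodingException {
        Encoder enc = ESAPI.encoder();
        return new String[] {
            // text between tags, e.g. <div>...</div>
            enc.encodeForHTML(untrusted),
            // inside a quoted attribute, e.g. <input value="...">
            enc.encodeForHTMLAttribute(untrusted),
            // inside a JavaScript string literal, e.g. var t = '...';
            enc.encodeForJavaScript(untrusted),
            // inside a URL query parameter, e.g. ?q=...
            enc.encodeForURL(untrusted)
        };
    }

    public static void main(String[] args) throws EncodingException {
        // Constructed sample, same shape as the payload stored in the post.
        String input = "<script>alert(\"1\");</script>";
        String[] labels = {"HTML body", "HTML attribute", "JavaScript", "URL"};
        String[] out = encodeForContexts(input);
        for (int i = 0; i < out.length; i++) {
            System.out.println(labels[i] + ": " + out[i]);
        }
    }
}
```

Because the post applies encodeForHTML at store time, the stored value is only safe for the HTML body context; a value later written into an attribute, a script block or a URL needs that context's encoder at render time.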
ESAPI.properties
```properties
Authenticator.UsernameParameterName=userName
Authenticator.PasswordParameterName=password
ESAPI.Authenticator=com.esapi.authenticator.CustomAuthenticator
Authenticator.IdleTimeoutDuration=100000
Authenticator.AbsoluteTimeoutDuration=100000
```