pyzheng
- 浏览: 3365248 次
- 性别:
- 来自: 珠海
-
文章分类
- 全部博客 (1633)
- Java (250)
- Android&HTML5 (111)
- Struts (10)
- Spring (236)
- Hibernate&MyBatis (115)
- SSH (49)
- jQuery插件收集 (55)
- Javascript (145)
- PHP (77)
- REST&WebService (18)
- BIRT (27)
- .NET (7)
- Database (105)
- 设计模式 (16)
- 自动化和测试 (19)
- Maven&Ant (43)
- 工作流 (36)
- 开源应用 (156)
- 其他 (16)
- 前台&美工 (119)
- 工作积累 (0)
- OS&Docker (83)
- Python&爬虫 (28)
- 工具软件 (157)
- 问题收集 (61)
- OFbiz (6)
- noSQL (12)
最新评论
-
HEZR曾嶸:
你好博主,这个不是很理解,能解释一下嘛//左边+1,上边+1, ...
java 两字符串相似度计算算法 -
天使建站:
写得不错,可以看这里,和这里的这篇文章一起看,有 ...
jquery 遍历对象、数组、集合 -
xue88ming:
很有用,谢谢
@PathVariable映射出现错误: Name for argument type -
jnjeC:
厉害,困扰了我很久
MyBatis排序时使用order by 动态参数时需要注意,用$而不是# -
TopLongMan:
非常好,很实用啊。。
PostgreSQL递归查询实现树状结构查询
JspFactory.getDefaultFactory()返回null的异常解决办法:
unable to register a custom ELResolver http://stackoverflow.com/questions/2551517/gae-j-unable-to-register-a-custom-elresolver
I am not sure which servletcontainer GAE uses "under the hoods" (Jetty? Tomcat?), but this is recognizeable as a bug in Tomcat 6.x. A workaround is to force the loading of JspRuntimeContext yourself before getting the factory:
Class.forName("org.apache.jasper.compiler.JspRuntimeContext");
See if this or similar hack helps.
ELResolverhttp://pz0513.blog.51cto.com/443986/112605
能够自定义 EL 表达式求值的变量和属性解析行为。
对一个表达式进行求值时,参考与 ELContext 关联的 ELResolver,以对表达式的第一个变量进行初始解析。遇到 . 或 [] 操作符时也要参考它,但方法表达式中最后一个这样的操作符除外,因为在这种情况下解析规则是固定编码的。
例如,在 EL 表达式 ${employee.lastName} 中,ELResolver 确定 employee 引用的对象,以及获取该对象 lastName 属性的含义。
此类中的大多数方法都接受 base 和 property 参数。如果是变量解析(例如,确定 ${employee.lastName} 中 employee 引用的内容),则 base 参数将为 null,property 参数将总是为 String 类型。这种情况下,如果 property 不是 String,则 ELResolver 的行为未定义。
如果是属性解析,则 base 参数标识 base 对象,property 对象标识 base 上的属性。例如,在表达式 ${employee.lastName} 中,base 是 employee 变量解析的结果,property 是字符串 "lastName"。在表达式 ${y[x]} 中,base 是 y 变量解析的结果,property 是 x 变量解析的结果。
尽管只有一个 ELResolver 与 ELContext 关联,但对于任何给定的变量或属性解析,通常可以使用多个解析器。ELResolver 使用 CompositeELResolver 连接到一起,以定义丰富语义来计算表达式。
对于 #getValue、#getType、#setValue 和 #isReadOnly 方法,ELResolver 不负责解析所有可能的 (base, property) 对。实际上,大部分解析器将仅能处理一种类型的 base。要指示解析器成功地解析特定 (base, property) 对,它必须将 ELContext 的 propertyResolved 属性设置为 true。如果它无法处理给定对,则必须保持此属性不变。如果 propertyResolved 为 false,则调用者必须忽略该方法的返回值。
设计 #getFeatureDescriptors 和 #getCommonPropertyType 方法的主要目的是支持设计时工具,但它们也必须在运行时处理调用。可以使用 java.beans.Beans#isDesignTime 方法确定是否在设计时(或运行时)参考了解析器。
......
详解见原文
原文:http://pukkaone.github.io/2011/01/03/jsp-cross-site-scripting-elresolver.html
Cross-site scripting is a computer security vulnerability enabling an attacker to inject malicious code into a Web page that will be executed by the Web browser when other users view the page. If your Web application accepts data from the user and then outputs that data unaltered in HTML, then it is vulnerable because user-controlled data might contain executable code.
Since JSP 2.0, EL expressions can appear in the template text:
Unfortunately, the JSP container does not escape expression values, so if the expression contains user-controlled data, then cross-site scripting is possible. JSTL provides a couple of ways to sanitize the output. The c:out tag escapes XML characters by default:
Alternatively, the EL function fn:escapeXml also escapes XML characters:
The default option should be the safe option. That's a sensible engineering principle. If EL values are escaped by default, then you're protected from coders who forget to wrap expressions in c:out or fn:escapeXml.
Starting with JSP 2.1, a Web application can register a custom ELResolver. I'm going to present a custom ELResolver that escapes EL values, allowing you to use EL in JSPs while preventing cross-site scripting.
A custom servlet context listener registers the custom ELResolver when the application starts. To use it, define a listener in the web.xml file:
Disable escaping
When you register this custom ELResolver, all EL values will be escaped by default. If you want a JSP to programmatically output HTML, you can resort to a JSP scriptlet or JSP expression, unless the application configured scripting-invalid to true.
Another way uses a custom tag to surround JSP code in which EL values should not be escaped:
The escapeXml attribute is true by default. You must explicitly set it to false in the tag to disable escaping.
Details
The servlet context listener's contextInitialized method calls the JspApplicationContext.addELResolver method to register the custom ELResolver.
The addELResolver method inserts the custom ELResolver into a chain of standard resolvers. When evaluating an expression, the JSP container consults the chain of resolvers in the following order, stopping at the first resolver to succeed:
ImplicitObjectELResolver
ELResolvers registered by the addELResolver method.
MapELResolver
ListELResolver
ArrayELResolver
BeanELResolver
ScopedAttributeELResolver
This presents a slight problem because the custom ELResolver wants to escape the value that would have resulted from consulting the chain. When asked for a value, the custom ELResolver invokes the chain of resolvers. The custom ELResolver is itself in the chain of resolvers, so before invoking the chain, it sets a flag telling itself to do nothing when its turn in the chain comes around.
There's a resolver in the chain before the custom ELResolver. This resolver, ImplicitObjectELResolver, will be invoked twice. First, before reaching the custom ELResolver, and again when the custom ELResolver invokes the chain. Multiple invocations of ImplicitObjectELResolver is harmless because ImplicitObjectELResolver had to fail in order for the custom ELResolver to be invoked. When the custom ELResolver invokes the chain, the ImplicitObjectELResolver will fail again.
A resolver indicates success by setting the propertyResolved property of the ELContext to true. When consulting the chain, one of the resolvers very likely set this property to true, so no other resolvers are invoked after returning from the custom ELResolver.
unable to register a custom ELResolver http://stackoverflow.com/questions/2551517/gae-j-unable-to-register-a-custom-elresolver
I am not sure which servletcontainer GAE uses "under the hoods" (Jetty? Tomcat?), but this is recognizeable as a bug in Tomcat 6.x. A workaround is to force the loading of JspRuntimeContext yourself before getting the factory:
Class.forName("org.apache.jasper.compiler.JspRuntimeContext");
See if this or similar hack helps.
ELResolverhttp://pz0513.blog.51cto.com/443986/112605
能够自定义 EL 表达式求值的变量和属性解析行为。
对一个表达式进行求值时,参考与 ELContext 关联的 ELResolver,以对表达式的第一个变量进行初始解析。遇到 . 或 [] 操作符时也要参考它,但方法表达式中最后一个这样的操作符除外,因为在这种情况下解析规则是固定编码的。
例如,在 EL 表达式 ${employee.lastName} 中,ELResolver 确定 employee 引用的对象,以及获取该对象 lastName 属性的含义。
此类中的大多数方法都接受 base 和 property 参数。如果是变量解析(例如,确定 ${employee.lastName} 中 employee 引用的内容),则 base 参数将为 null,property 参数将总是为 String 类型。这种情况下,如果 property 不是 String,则 ELResolver 的行为未定义。
如果是属性解析,则 base 参数标识 base 对象,property 对象标识 base 上的属性。例如,在表达式 ${employee.lastName} 中,base 是 employee 变量解析的结果,property 是字符串 "lastName"。在表达式 ${y[x]} 中,base 是 y 变量解析的结果,property 是 x 变量解析的结果。
尽管只有一个 ELResolver 与 ELContext 关联,但对于任何给定的变量或属性解析,通常可以使用多个解析器。ELResolver 使用 CompositeELResolver 连接到一起,以定义丰富语义来计算表达式。
对于 #getValue、#getType、#setValue 和 #isReadOnly 方法,ELResolver 不负责解析所有可能的 (base, property) 对。实际上,大部分解析器将仅能处理一种类型的 base。要指示解析器成功地解析特定 (base, property) 对,它必须将 ELContext 的 propertyResolved 属性设置为 true。如果它无法处理给定对,则必须保持此属性不变。如果 propertyResolved 为 false,则调用者必须忽略该方法的返回值。
设计 #getFeatureDescriptors 和 #getCommonPropertyType 方法的主要目的是支持设计时工具,但它们也必须在运行时处理调用。可以使用 java.beans.Beans#isDesignTime 方法确定是否在设计时(或运行时)参考了解析器。
......
详解见原文
原文:http://pukkaone.github.io/2011/01/03/jsp-cross-site-scripting-elresolver.html
Cross-site scripting is a computer security vulnerability enabling an attacker to inject malicious code into a Web page that will be executed by the Web browser when other users view the page. If your Web application accepts data from the user and then outputs that data unaltered in HTML, then it is vulnerable because user-controlled data might contain executable code.
Since JSP 2.0, EL expressions can appear in the template text:
<h1>Hello, ${user.name}</h1>
Unfortunately, the JSP container does not escape expression values, so if the expression contains user-controlled data, then cross-site scripting is possible. JSTL provides a couple of ways to sanitize the output. The c:out tag escapes XML characters by default:
<c:out value="${user.name}"/>
Alternatively, the EL function fn:escapeXml also escapes XML characters:
${fn:escapeXml(user.name)}
The default option should be the safe option. That's a sensible engineering principle. If EL values are escaped by default, then you're protected from coders who forget to wrap expressions in c:out or fn:escapeXml.
Starting with JSP 2.1, a Web application can register a custom ELResolver. I'm going to present a custom ELResolver that escapes EL values, allowing you to use EL in JSPs while preventing cross-site scripting.
A custom servlet context listener registers the custom ELResolver when the application starts. To use it, define a listener in the web.xml file:
<listener> <listener-class>com.github.pukkaone.jsp.EscapeXmlELResolverListener</listener-class> </listener>
Disable escaping
When you register this custom ELResolver, all EL values will be escaped by default. If you want a JSP to programmatically output HTML, you can resort to a JSP scriptlet or JSP expression, unless the application configured scripting-invalid to true.
Another way uses a custom tag to surround JSP code in which EL values should not be escaped:
<%@ taglib prefix="enhance" uri="http://pukkaone.github.com/jsp" %>
<enhance:out escapeXml="false">
I hope this expression returns safe HTML: ${user.name}
</enhance:out>
The escapeXml attribute is true by default. You must explicitly set it to false in the tag to disable escaping.
Details
The servlet context listener's contextInitialized method calls the JspApplicationContext.addELResolver method to register the custom ELResolver.
public void contextInitialized(ServletContextEvent event) {
JspFactory.getDefaultFactory()
.getJspApplicationContext(event.getServletContext())
.addELResolver(new EscapeXmlELResolver());
}
The addELResolver method inserts the custom ELResolver into a chain of standard resolvers. When evaluating an expression, the JSP container consults the chain of resolvers in the following order, stopping at the first resolver to succeed:
ImplicitObjectELResolver
ELResolvers registered by the addELResolver method.
MapELResolver
ListELResolver
ArrayELResolver
BeanELResolver
ScopedAttributeELResolver
This presents a slight problem because the custom ELResolver wants to escape the value that would have resulted from consulting the chain. When asked for a value, the custom ELResolver invokes the chain of resolvers. The custom ELResolver is itself in the chain of resolvers, so before invoking the chain, it sets a flag telling itself to do nothing when its turn in the chain comes around.
private boolean gettingValue;
@Override
public Object getValue(ELContext context, Object base, Object property)
throws NullPointerException, PropertyNotFoundException, ELException
{
if (gettingValue) {
return null;
}
gettingValue = true;
Object value = context.getELResolver().getValue(
context, base, property);
gettingValue = false;
if (value instanceof String) {
value = EscapeXml.escape((String) value);
}
return value;
}
There's a resolver in the chain before the custom ELResolver. This resolver, ImplicitObjectELResolver, will be invoked twice. First, before reaching the custom ELResolver, and again when the custom ELResolver invokes the chain. Multiple invocations of ImplicitObjectELResolver is harmless because ImplicitObjectELResolver had to fail in order for the custom ELResolver to be invoked. When the custom ELResolver invokes the chain, the ImplicitObjectELResolver will fail again.
A resolver indicates success by setting the propertyResolved property of the ELContext to true. When consulting the chain, one of the resolvers very likely set this property to true, so no other resolvers are invoked after returning from the custom ELResolver.
分享到:
评论
1 楼
nizen
2013-08-02
一个比较纠结的问题是,resolver初衷是解决不能解析的base,但是在这里,目的是在已解析的基础上做一层封装。正是由于这个不同,最终导致在xss过滤前可能会出现递归调用resolver。pukkaone的做法是通过成员变量+threadLocal来识别是否已调用。这个有没更优雅的实现?
发表评论
-
JSTL 的 if else : 有 c:if 没有 else 的处理
2016-06-14 09:52 1293http://blog.csdn.net/xiyuan1999 ... -
基于spring,Atomikos,mybatis的分布式动态数据源JTA实现
2016-04-27 16:37 1032原文;http://www.blogjava.net/zuxi ... -
Servlet3.0新特性@WebServlet
2016-03-09 21:35 1577http://my.oschina.net/u/2416019 ... -
Spring+Mybatis+Velocity
2015-12-17 09:55 939原文: http://my.oschina.net/langh ... -
Freemarker页面语法
2015-12-03 10:29 1175Freemarker页面语法http://ji ... -
session过期后自动跳转到登陆页
2015-12-02 15:36 2535session过期后自动跳转到登陆页http://blog.c ... -
apache shiro - 动态创建filterchaindefinitions
2015-12-01 14:33 2487http://www.360doc.com/content/1 ... -
java代码中获取classpath路径
2015-11-27 11:40 1970http://blog.csdn.net/magi1201/a ... -
springmvc整合 sitemesh + freemarker+spring ioc
2015-11-24 19:30 2265使用freemarker.properties配置方式: ht ... -
Sitemesh 3 的使用及配置
2015-11-17 09:33 1014Sitemesh 3 的使用及配置 http://www.cn ... -
SpringMVC + Mybatis + Shiro 权限整合
2015-11-14 14:06 8700详细见参考文章: 基于Spring + Spring MVC ... -
Servlet中listener(监听器)和filter的总结
2015-04-10 23:14 1145http://my.oschina.net/ydsakyclg ... -
Spring Security 3.2.x 配置
2014-06-15 22:02 3861使用 Spring Security 保护 Web 应用的安全 ... -
SpringMVC + WebSocket + X
2014-06-12 10:45 4559官方文档:WebSocket Support http://d ... -
JSTL empty判断空值
2014-06-06 08:51 1296http://sphinx-yong.iteye.com/bl ... -
weblogic getServletContext().getRealPath("/")
2014-05-30 08:35 1816http://1185734295.iteye.com/blo ... -
上传文件到虚拟路径下
2014-05-16 23:44 1964http://guard.iteye.com/blog/206 ... -
在 Web 项目中应用 Apache Shiro
2014-03-17 15:00 1045http://www.ibm.com/developerwor ... -
SpringMVC3.2.x + Hibernate4.2.x + ecache + Spring Security 3.0.5
2014-01-20 09:24 1320这只是部分代码,一些代码可以参考:http://panyong ... -
SpringMVC3.2.x + Hibernate4.2.x + ecache
2013-05-18 12:50 2071附件是源码 pom.xml ---------------- ...
相关推荐
You will then focus on one of the most common JavaScript security attacks, cross-site scripting, and how to prevent cross-site scripting and cross-site forgery. Last but not least, the book covers ...
Defend against cross-site scripting, cross-site request forgery, and clickjacking Protect sensitive data while it is stored or in transit Prevent SQL injection and other injection attacks Ensure safe ...
Moreover, this book covers a wide swath of security measures, showing readers how to create and deploy captchas, validate email, fend off SQL injection attacks, prevent cross-site scripting attempts,...
So you'll learn how to encrypt your confidential data, safeguard your passwords, and prevent common cross-site-scripting attacks. And you'll learn how to customize all of the scripts to fit your own ...
Prevent-Screen-Off Featured in: Medium What is this library for? Ideally, when you user is looking at the screen, your application should not turn the screen off. This is huge deal for the ...
Dropout:A Simple Way to Prevent Neural Networks from Overfitting.zip
and spiders to investigate an entire website Identify cross-site scripting and client-side vulnerabilities Exploit vulnerabilities that allow the insertion of code into web applications Exploit ...
Prevent-Screen-Off:这个库实现当用户看屏幕时,将一直保持屏幕不关掉
"Prevent Running" hajacks several system API to prevent not-in-use apps in prevent list from running or keep running. Furthermore, it applies to system apps too, specially, support google-family apps...
Common System and Software Testing Pitfalls How to Prevent and Mitigate Them 英文epub 本资源转载自网络,如有侵权,请联系上传者或csdn删除
GitHub源-https://github.com/aghorler/WebRTC-Leak-Prevent-Toggle CHANGELOG 1.0.14-自动保存选项。 1.0.11-现在,选件在首次安装时会自动打开,并提供新的说明。 1.0.10-更改GitHub用户名,非常小的修复。 1.0.9-...
Tita 等 - 2023 - Azithromycin to Prevent Sepsis or Death in Women P.pdf
npm install prevent-backspace 成分 component install jprichardson/prevent-backspace 例子 var preventBackspace = require ( 'prevent-backspace' ) preventBackspace ( ) //hitting `backspace` outside of...
防止复制粘贴 防止复制和粘贴的 Javascript 库。 这会为本身不支持它的... 用法 <!-- Include library --> [removed][removed] ...-- Input with onpaste property -->...input type="text" onpaste="return false;...
ISO 13857:2019 Safety of machinery - Safety distances to prevent
Beej's Guide to Network Programming has been one of the top socket programming guides on the Internet for the last 15 years, and it's now for the first time available as a lovingly bound paperback ...
$ yarn add prevent-pull-refresh 用法 import 'prevent-pull-refresh' ; 要么 < script src =" //unpkg.com/prevent-pull-refresh " > </ script > 执照 麻省理工学院:copyright:
防止网页抓取的指南 (或者至少使它更难) 注:这是我的堆栈溢出的答案的扩展版本,我把它放在这里在GitHub上,因为它太长了SO(30K字是最大,这是超过40K个字符)。 随意修改,混音和共享-该文件已获得许可。...
Face anti-spoofing is crucial to prevent face recognition systems from a security breach. Previous deep learning ap- proaches formulate face anti-spoofing as a binary classifi- cation problem. Many of...