J2EE XSS漏洞防护与编码技术详解<\/h1>

1. Struts框架中的XSS防护机制<\/h2>

1.1 Struts1的防护机制<\/h3>
在Struts1框架中，<bean:write><\/code>标签提供了XSS防护功能：<\/p>
<% 
String test="<script>alert(1)<\/script>"; 
request.setAttribute("test",test);
%>
<bean:write name="test"\/><\/BR>
<bean:write name="test" filter="false"\/>
<\/code><\/pre>

filter属性<\/strong>：默认值为true<\/code>，会将输出内容中的特殊HTML符号作为普通字符串显示<\/li>
当filter="false"<\/code>时，会禁用HTML转义，可能导致XSS漏洞<\/li>
<\/ul>
1.2 Struts2的防护机制<\/h3>
在Struts2框架中，<s:property><\/code>标签默认提供XSS防护：<\/p>
<s:property value="%{name}" \/>
<\/code><\/pre>
标签实现的关键属性：<\/p>
public<\/span> class<\/span> PropertyTag<\/span> extends<\/span> ComponentTagSupport {<\/span>
<\/span><\/span>    private<\/span> boolean<\/span> escapeHtml =<\/span> true<\/span>;<\/span>    \/\/ 默认开启HTML转义
<\/span><\/span><\/span><\/span>    private<\/span> boolean<\/span> escapeJavaScript =<\/span> false<\/span>;<\/span>
<\/span><\/span>    private<\/span> boolean<\/span> escapeXml =<\/span> false<\/span>;<\/span>
<\/span><\/span>    private<\/span> boolean<\/span> escapeCsv =<\/span> false<\/span>;<\/span>
<\/span><\/span>    \/\/ ...
<\/span><\/span><\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>
底层实现依赖于commons-lang3<\/code>包中的StringEscapeUtils.escapeHtml4(String)<\/code><\/li>
<\/ul>
2. ESAPI编码技术详解<\/h2>
2.1 HTML编码<\/h3>
String ESAPI.<\/span>encoder<\/span>().<\/span>encodeForHTML<\/span>(<\/span>string)<\/span>
<\/span><\/span><\/code><\/pre>原理<\/strong>：<\/p>

空格、字母、数字不进行编码<\/li>
特殊字符使用HTML实体替代：

引号("<\/code>) → &quot;<\/code><\/li>
大于号(><\/code>) → &gt;<\/code><\/li>
小于号(<<\/code>) → &lt;<\/code><\/li>
<\/ul>
<\/li>
<\/ul>
2.2 HTML属性编码<\/h3>
String ESAPI.<\/span>encoder<\/span>().<\/span>encodeForHTMLAttribute<\/span>(<\/span>string)<\/span>
<\/span><\/span><\/code><\/pre>原理<\/strong>：<\/p>

与HTML编码基本相同<\/li>
关键区别<\/strong>：不编码空格<\/li>
<\/ul>
2.3 JavaScript编码<\/h3>
String ESAPI.<\/span>encoder<\/span>().<\/span>encodeForJavaScript<\/span>(<\/span>String)<\/span>
<\/span><\/span><\/code><\/pre>编码规则<\/strong>：<\/p>

数字、字母直接返回<\/li>
小于256的字符 → \xHH<\/code>格式（H为十六进制）<\/li>
大于256的字符 → \uHHHH<\/code>格式<\/li>
<\/ol>
2.4 CSS编码<\/h3>
String ESAPI.<\/span>encoder<\/span>().<\/span>encodeForCSS<\/span>(<\/span>String)<\/span>
<\/span><\/span><\/code><\/pre>编码规则<\/strong>：<\/p>

使用反斜杠(\<\/code>)加十六进制数进行编码<\/li>
<\/ul>
2.5 URL编码<\/h3>
String ESAPI.<\/span>encoder<\/span>().<\/span>encodeForURL<\/span>(<\/span>String)<\/span>
<\/span><\/span><\/code><\/pre>编码过程<\/strong>：<\/p>

将字符串转换为UTF-8编码<\/li>
对转换后的字符串使用%<\/code>加十六进制数的方式编码<\/li>
<\/ol>
3. 防御XSS的最佳实践<\/h2>


输出编码<\/strong>：根据输出上下文选择合适的编码方式<\/p>

HTML内容 → encodeForHTML<\/code><\/li>
HTML属性 → encodeForHTMLAttribute<\/code><\/li>
JavaScript → encodeForJavaScript<\/code><\/li>
CSS → encodeForCSS<\/code><\/li>
URL → encodeForURL<\/code><\/li>
<\/ul>
<\/li>

框架特性<\/strong>：<\/p>

Struts1中确保<bean:write><\/code>的filter<\/code>属性为true<\/code>（默认值）<\/li>
Struts2中<s:property><\/code>默认安全，避免设置escapeHtml="false"<\/code><\/li>
<\/ul>
<\/li>

内容安全策略(CSP)<\/strong>：作为深度防御措施<\/p>
<\/li>

输入验证<\/strong>：虽然不能替代输出编码，但可以作为额外防护层<\/p>
<\/li>
<\/ol>