EscapeHtmlReference的escape方法调用以下方法实现:
StringEscapeUtils.escapeHtml(param); 再调用
org.apache.commons.lang.Entities.HTML40.escape(writer, string);
代码如下:
public void escape(Writer writer, String str) throws IOException {
int len = str.length();
for(int i = 0; i < len; ++i) {
char c = str.charAt(i);
String entityName = this.entityName(c);
if(entityName == null) {
if(c > 127) {
writer.write("&#");
writer.write(Integer.toString(c, 10));
writer.write(59); //就是个分号
} else {
writer.write(c);
}
} else {
writer.write(38);
writer.write(entityName);
writer.write(59);
}
}
}
我们也可以自己调用
StringEscapeUtils.escapeHtml(param);
比如:
String param = request.getParameter("p");
String x = StringEscapeUtils.escapeHtml(param);
System.out.println(x);
输入 <script>alert(/xxx/)</script> 输出 <script>alert(/xxx/)</script>
velocity 也可以自定义 EventHandler 处理xss,配置EscapeHtmlReference 替换成自己的EventHandler
<bean id="velocityConfigurer"
class="org.springframework.web.servlet.view.velocity.VelocityConfigurer">
<property name="resourceLoaderPath" value="/WEB-INF/pages/"/>
<property name="velocityProperties">
<props>
<prop key="input.encoding">utf-8</prop>
<prop key="output.encoding">utf-8</prop>
<prop key="eventhandler.referenceinsertion.class">org.apache.velocity.app.event.implement.EscapeHtmlReference</prop>
<prop key="eventhandler.escape.html.match">/^(?!\$\!?unesc_).*/</prop>
</props>
</property>
</bean>