英文:
How to suppress the decoding of encoded value of an html text box by Transformer of javax.xml.transform.Transformer
问题
以下是翻译好的内容:
我正在尝试使用javax.xml.transform.Transformer从xslt准备一个html。
为此,我有以下代码 ---
private static TransformerFactory factory;
static {
factory = TransformerFactory.newInstance();
}
private static synchronized String process(Source xmlSource, Source xslSheet, HashMap<?, ?> params, String systemId) {
if (systemId != null) {
xslSheet.setSystemId(systemId);
}
ByteArrayOutputStream buf = new ByteArrayOutputStream();
StreamResult xmlResult = new StreamResult(buf);
Transformer tfm;
try {
tfm = factory.newTransformer(xslSheet);
} catch (TransformerConfigurationException e) {
throw new IllegalStateException(e);
}
String result = ConversionUtils.toString(buf.toByteArray());
IOUtils.close(buf);
return result;
}
我使用xsl为变换器对象提供HTML定义。以下是文本框的xsl定义(对于该文本框,我遇到了问题[其值的编码被删除])--
<xsl:text disable-output-escaping='yes'><input type="text" name="search" placeholder="Keyword search ..." size="40" value="</xsl:text>
<xsl:value-of select="$search" disable-output-escaping='no'/>
<xsl:text disable-output-escaping='yes'>"/></xsl:text>
在上述代码中,文本框的值从第二行开始填充。在该行中,我引用了具有编码值的Java变量$search。
我的问题是Transformer对象在准备HTML时解码了该编码文本内容。我不想要这种默认行为。
由于这种默认行为,最终的HTML页面在该文本框中具有未转义的值。由于这个问题,整个HTML页面容易受到XSS攻击。
例如,如果文本框的值如下所示 --
1234"onmouseover="[window['location']='\x6a\x61\x76\x61\x73\x63\x72\x69\x70\x74\x3a\x61\x6c\x65\x72\x74\x2820\x29']"
对此值进行编码后将变为 --
1234\x22onmouseover=\x22[window[\x27location\x27]=\x27\\x6a\\x61\\x76\\x61\\x73\\x63\\x72\\x69\\x70\\x74\\x3a\\x61\\x6c\\x65\\x72\\x74\\x2820\\x29\x27]\x22
如果我们直接将其放在文本框的值中,上述值将作为文本框内容显示。但是变换器对象在准备HTML时会再次解码此编码值。
有没有办法可以关闭变换器对象的这种默认行为。
提前感谢您的回答。
Rahul
英文:
I am trying to prepare an html using javax.xml.transform.Transformer from an xslt.
For that I am having below code ---
private static TransformerFactory factory;
static {
factory = TransformerFactory.newInstance();
}
private static synchronized String process(Source xmlSource, Source xslSheet, HashMap<?, ?> params, String systemId) {
if ( systemId != null ){
xslSheet.setSystemId(systemId);
}
ByteArrayOutputStream buf = new ByteArrayOutputStream();
StreamResult xmlResult = new StreamResult(buf);
Transformer tfm;
try {
tfm = factory.newTransformer(xslSheet);
} catch (TransformerConfigurationException e) {
throw new IllegalStateException(e);
}
String result = ConversionUtils.toString(buf.toByteArray());
IOUtils.close(buf);
return result;
}
I am using xsl for providing HTML definition to transformer object. Below is the xsl definition of the text box (for which I am facing issue[encoding is getting removed for its value]) --
<xsl:text disable-output-escaping='yes'>&lt;input type="text" name="search" placeholder="Keyword search ..." size="40" value="</xsl:text>
<xsl:value-of select="$search" disable-output-escaping='no'/>
<xsl:text disable-output-escaping='yes'>"/&gt;</xsl:text>
In the above code the text box value is populating from the 2nd line. In that line I am referring $search java variable which is having encoded value.
My issue is Transformer object is decoding that encoded text content while preparing the html. I dont want this default behavior.
Because of this default behavior, final html is having unescaped value for that text box. Due to this overall html page is getting vulnerable to XSS attack.
For example if I am having below value for text box --
1234"onmouseover="[window['location']='\x6a\x61\x76\x61\x73\x63\x72\x69\x70\x74\x3a\x61\x6c\x65\x72\x74\x2820\x29']"
After encoding this value will become -
1234\x22onmouseover=\x22[window[\x27location\x27]=\x27\\x6a\\x61\\x76\\x61\\x73\\x63\\x72\\x69\\x70\\x74\\x3a\\x61\\x6c\\x65\\x72\\x74\\x2820\\x29\x27]\x22
Above value will populate as text box content if we directly put that against a value of text box. But transformer object is again decoding this encoded value while preparing the html.
Is there any way, i can turn off this default behavior of transformer object.
Thanks in advance
Rahul
专注分享java语言的经验与见解,让所有开发者获益!
评论