security - How to ignore "script" in url? -
i new jsp.
i have following url call application:
http://machine.domain.com:8383/eqube70/buildnplay
this works great , calles index.jsp per expectations.
but if request url changed as:
http://machine.domain.com:8383/eqube70/buildnplay/?--%3e%3c/script%3e%3cscript%3ealert('you got hacked')%3c/script%3e
then alert , not able application working. script in request url gets executed.
now want way ignore script in url before gets passed jsp.
is there way can achieve this?
for quick way can run input parameters through function replaces < , > else.
private string replacegtlt(string str) { if(str==null) return null; return str.replaceall("<", "[").replaceall(">", "]"); } string parameterx = replacegtlt(request.getparameter("parameterx"));
of course, [script]alert('you got hacked')[/script]
still in input, won't run in browser due changing angular brackets square brackets.
Comments
Post a Comment