Open source software name: coverity/coverity-security-library
Open source software URL: https://github.com/coverity/coverity-security-library
Open source programming language: Java 100.0%
Open source software introduction:

Coverity Security Library

The Coverity Security Library (CSL) is a lightweight set of escaping routines for fixing cross-site scripting (XSS), SQL injection, and other security defects in Java web applications. Here's why it's worth checking out:

Users of Coverity Security Advisor get remediation guidance based on escaping routines in CSL. However, CSL is a standalone project with no dependencies on Security Advisor.

Escape

The Escape class contains several escapers for web content. These escaping functions help remedy common defects (mostly cross-site scripting) that occur when data is inserted into HTML elements, HTML attribute values, URIs, JavaScript strings, SQL LIKE clauses, etc. More information is available in the Escape directory.

Before using any of these methods, you should understand the context (or nested contexts) in which the data is inserted. Several mockup examples with explanations are available in the repository, and more will be available on our blog. If you want to test the library to understand how it withstands security attacks, our functional test suite is the right app to build, deploy and test.

Ready to use it? One last step is to have a look at the latest javadoc directly on GitHub.

To include this library in your Maven project, add the following:

<dependency>
  <groupId>com.coverity.security</groupId>
  <artifactId>coverity-escapers</artifactId>
  <version>1.1.1</version>
</dependency>

or drop the JAR file in the

Then you can use it directly in your JSPs:

<%@ taglib uri="http://coverity.com/security" prefix="cov" %>
<script type="text/javascript">
  var x = '${cov:jsStringEscape(param.tainted)}';
</script>
<div onclick="alert('${cov:htmlEscape(cov:jsStringEscape(param.tainted))}')">
  ${cov:htmlEscape(param.tainted)}
</div>

or in your Java programs:

import com.coverity.security.Escape;
// ...
return "<div onclick='alert(\""
    + Escape.html(Escape.jsString(request.getParameter("tainted")))
    + "\")'>"
    + Escape.html(request.getParameter("tainted"))
    + "</div>";

To contact the SRL, please email us at sig-srl@synopsys.com. Fork away, we look forward to your pull requests!

License
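The nested-context rule above (escape for the innermost context first, then for the context that wraps it), as an added Java example that is not the library's own code: the html and jsString methods are hypothetical minimal stand-ins for Escape.html and Escape.jsString so the block runs without the dependency, and the input string is constructed.

```java
// Added example, not the library's own code: stand-in escapers that mirror the
// two CSL calls used above, composed innermost-first for the onclick attribute.
public class NestedContextEscapeDemo {
    // Hypothetical stand-in for Escape.html: neutralise HTML metacharacters.
    static String html(String s) {
        StringBuilder out = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }
    // Hypothetical stand-in for Escape.jsString: backslash-escape characters
    // that could end a JS string literal or open a tag inside <script>.
    static String jsString(String s) {
        StringBuilder out = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '\\': out.append("\\\\");  break;
                case '\'': out.append("\\'");   break;
                case '"':  out.append("\\\"");  break;
                case '\n': out.append("\\n");   break;
                case '\r': out.append("\\r");   break;
                case '<':  out.append("\\x3C"); break;
                case '>':  out.append("\\x3E"); break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }
    // The onclick <div> from the README: the value is a JS string (inner context)
    // inside an HTML attribute (outer context), so jsString runs first, html last.
    static String onclickDiv(String tainted) {
        return "<div onclick='alert(\"" + html(jsString(tainted)) + "\")'>"
             + html(tainted) + "</div>";
    }
    public static void main(String[] args) {
        // Constructed sample input containing quotes and a tag-looking fragment.
        System.out.println(onclickDiv("O'Reilly \"Bob\" <b>"));
    }
}
```

Reversing the two calls (html first, then jsString) would backslash-escape the entity text instead of the original quotes, so the attribute would decode to a JS literal the tainted quotes can still terminate; the order in onclickDiv keeps both layers intact.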