zhouit / Zblog

a java blog
http://blog.zhouhaocheng.cn
Apache License 2.0
249 stars, 198 forks

Can @RequestBody also be affected by XSS? #28

Closed afredlyj closed 8 years ago

afredlyj commented 8 years ago

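The custom HttpServletRequestWrapper implementations found online only override methods such as getHeader and getParameter. If the request content is placed in the body, the data is actually obtained through request.getInputStream, so XSS will exist there too.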

zhouit commented 8 years ago

The stream obtained from request.getInputStream may not be application/x-www-form-urlencoded.
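The gap raised in this thread, shown as an added example that is not part of the thread or of Zblog's code: a JSON body bound with @RequestBody never passes through getParameter, so the escaping has to happen where the body is decoded. The sketch assumes the body is JSON bound by Jackson; `EscapingStringDeserializer` and `Comment` are hypothetical names.

```java
import com.fasterxml.jackson.core.JsonParser;
import com.fasterxml.jackson.databind.DeserializationContext;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.deser.std.StdScalarDeserializer;
import com.fasterxml.jackson.databind.module.SimpleModule;
import java.io.IOException;

// Added example: class and field names are hypothetical, not from Zblog.
public class EscapingStringDeserializer extends StdScalarDeserializer<String> {
    public EscapingStringDeserializer() { super(String.class); }

    // Called for every JSON string bound to a String property, after Jackson
    // has decoded escapes such as \u003c, so encoded markup is covered too.
    @Override
    public String deserialize(JsonParser p, DeserializationContext ctxt) throws IOException {
        String value = p.getValueAsString();
        return value == null ? null : escapeHtml(value);
    }

    static String escapeHtml(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (char c : s.toCharArray()) {
            switch (c) {
                case '&': out.append("&amp;"); break;
                case '<': out.append("&lt;"); break;
                case '>': out.append("&gt;"); break;
                case '"': out.append("&quot;"); break;
                case '\'': out.append("&#39;"); break;
                default: out.append(c);
            }
        }
        return out.toString();
    }

    // Hypothetical @RequestBody target with two text fields.
    public static class Comment {
        public String author, content;
    }

    public static void main(String[] args) throws IOException {
        ObjectMapper mapper = new ObjectMapper().registerModule(
                new SimpleModule().addDeserializer(String.class, new EscapingStringDeserializer()));
        // Constructed sample body: one literal tag, one hidden behind JSON unicode escapes.
        String body = "{\"author\":\"<b>a</b>\",\"content\":\"\\u003cscript\\u003e\"}";
        Comment c = mapper.readValue(body, Comment.class);
        System.out.println(c.author);   // tag arrives HTML-escaped
        System.out.println(c.content);  // unicode-escaped tag arrives HTML-escaped as well
    }
}
```

A wrapper that rewrites the raw getInputStream bytes would miss the `\u003c` form, which is why this sketch escapes after JSON decoding. Map keys and non-JSON bodies are not covered by it.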