1. Client Use Of JQuery Outdated Version
The specific jQuery version number can be removed;
2. Client Potential XSS
User input can be filtered;
for example, write a filter method:
String xssFilter(String value) {
    if (value == null) {
        return null;
    }
    // Encode HTML metacharacters as entities so the browser renders them as text.
    // (The entity strings were decoded away during page extraction; restored here.)
    value = value.replaceAll(">", "&gt;");
    value = value.replaceAll("<", "&lt;");
    value = value.replaceAll("\"", "&quot;");
    value = value.replaceAll("'", "&#39;");
    // Strip line breaks so the value cannot inject new lines into headers or logs
    value = value.replaceAll("\r", "");
    value = value.replaceAll("\n", "");
    value = value.replaceAll("\r\n", "");
    return value;
}
3. Trust Boundary Violation
Trust boundary; no impact; can be ignored;
4. CGI Stored XSS
User input can be filtered;
for example, with the same xssFilter method shown under item 2, applied to every stored value before it is written out;
5. Use of Cryptographically Weak PRNG
Weak cryptographic class; no impact; can be ignored;
6. Use of Insufficiently Random Values
Pseudo-random numbers; no impact; can be ignored;
7. Client DOM XSRF
CSRF token technique can be used: add a hidden input to the form whose value is a randomly generated string, and validate it in the same way as an image CAPTCHA;
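As an added example (not part of the original checklist), the CSRF token scheme from item 7 written in Java, using SecureRandom rather than java.util.Random so the token does not repeat the weak-PRNG pattern flagged in items 5 and 6. The session is modelled as a Map, and the session attribute name, form field name and class name are assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;

/** Hypothetical helper for the per-session CSRF token described in item 7. */
public final class CsrfToken {
    // Assumed names; use whatever attribute/field names the application settles on.
    static final String SESSION_KEY = "csrf_token";
    static final String FIELD_NAME = "_csrf";
    // CSPRNG: java.util.Random would be the "insufficiently random values" finding.
    private static final SecureRandom RNG = new SecureRandom();

    /** Issue the token bound to this session, reusing it if one already exists. */
    static String issueToken(Map<String, String> session) {
        String token = session.get(SESSION_KEY);
        if (token == null) {
            byte[] raw = new byte[32];            // 256 bits of entropy
            RNG.nextBytes(raw);
            token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
            session.put(SESSION_KEY, token);      // server-side copy to compare against
        }
        return token;
    }

    /** The hidden input for the form; URL-safe Base64 contains no HTML metacharacters. */
    static String hiddenInput(String token) {
        return "<input type=\"hidden\" name=\"" + FIELD_NAME + "\" value=\"" + token + "\">";
    }

    /** Check the submitted field against the session copy, like a CAPTCHA, in constant time. */
    static boolean validate(Map<String, String> session, String submitted) {
        String expected = session.get(SESSION_KEY);
        if (expected == null || submitted == null) {
            return false;                         // no token issued, or field missing
        }
        return MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8),
                                     submitted.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) {
        Map<String, String> session = new HashMap<>();   // constructed stand-in for HttpSession
        String token = issueToken(session);
        System.out.println(hiddenInput(token));
        System.out.println("valid token accepted:  " + validate(session, token));
        System.out.println("tampered token accepted: " + validate(session, token + "x"));
        System.out.println("missing field accepted:  " + validate(session, null));
    }
}
```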
8. Cross Site History Manipulation
The URL carries parameters; no remediation needed;