一、漏洞类型说明
1、 高危漏洞
高危漏洞包括:SQL注入漏洞、XSS跨站脚本漏洞、页面存在源代码泄露、网站存在备份文件、网站存在包含SVN信息的文件、网站存在Resin任意文件读取漏洞。
SQL注入漏洞:网站程序忽略了对输入字符串中包含的SQL语句的检查,使得包含的SQL语句被数据库误认为是合法的SQL指令而运行,导致数据库中各种敏感数据被盗取、更改或删除。
XSS跨站脚本漏洞:网站程序忽略了对输入字符串中特殊字符与字符串(如<>’”
function RemoveXSS($val){
$val = preg_replace(‘/([x00-x08][x0b-x0c][x0e-x20])/’, ”, $val);
$search = ‘abcdefghijklmnopqrstuvwxyz’;
$search.= ‘ABCDEFGHIJKLMNOPQRSTUVWXYZ’;
$search.= ’1234567890!@#$%^&*()’;
$search.= ‘~`”;:?+/={}[]-_|’\';
for ($i = 0; $i < strlen($search); $i++) {
$val = preg_replace(‘/(&#[x|X]0{0,8}’.dechex(ord($search[$i])).’;?)/i’, $search[$i], $val);
$val = preg_replace(‘/(�{0,8}’.ord($search[$i]).’;?)/’, $search[$i], $val);
}
$ra1 = array(‘javascript’, ‘vbscript’, ‘expression’, ‘applet’, ‘meta’, ‘xml’, ‘blink’, ‘link’, ‘style’, ‘script’, ‘embed’, ‘object’, ‘iframe’, ‘frame’, ‘frameset’, ‘ilayer’, ‘layer’, ‘bgsound’, ‘title’, ‘base’);
$ra2 = array(‘onabort’, ‘onactivate’, ‘onafterprint’, ‘onafterupdate’, ‘onbeforeactivate’, ‘onbeforecopy’, ‘onbeforecut’, ‘onbeforedeactivate’, ‘onbeforeeditfocus’, ‘onbeforepaste’, ‘onbeforeprint’, ‘onbeforeunload’, ‘onbeforeupdate’, ‘onblur’, ‘onbounce’, ‘oncellchange’, ‘onchange’, ‘onclick’, ‘oncontextmenu’, ‘oncontrolselect’, ‘oncopy’, ‘oncut’, ‘ondataavailable’, ‘ondatasetchanged’, ‘ondatasetcomplete’, ‘ondblclick’, ‘ondeactivate’, ‘ondrag’, ‘ondragend’, ‘ondragenter’, ‘ondragleave’, ‘ondragover’, ‘ondragstart’, ‘ondrop’, ‘onerror’, ‘onerrorupdate’, ‘onfilterchange’, ‘onfinish’, ‘onfocus’, ‘onfocusin’, ‘onfocusout’, ‘onhelp’, ‘onkeydown’, ‘onkeypress’, ‘onkeyup’, ‘onlayoutcomplete’, ‘onload’, ‘onlosecapture’, ‘onmousedown’, ‘onmouseenter’, ‘onmouseleave’, ‘onmousemove’, ‘onmouseout’, ‘onmouseover’, ‘onmouseup’, ‘onmousewheel’, ‘onmove’, ‘onmoveend’, ‘onmovestart’, ‘onpaste’, ‘onpropertychange’, ‘onreadystatechange’, ‘onreset’, ‘onresize’, ‘onresizeend’, ‘onresizestart’, ‘onrowenter’, ‘onrowexit’, ‘onrowsdelete’, ‘onrowsinserted’, ‘onscroll’, ‘onselect’, ‘onselectionchange’, ‘onselectstart’, ‘onstart’, ‘onstop’, ‘onsubmit’, ‘onunload’);
$ra = array_merge($ra1, $ra2);
$found = true;
while ($found == true) {
$val_before = $val;
for ($i = 0; $i < sizeof($ra); $i++) {
$pattern = ‘/’;
for ($j = 0; $j < strlen($ra[$i]); $j++) {
if ($j > 0) {
$pattern .= ‘(‘;
$pattern .= ‘(&#[x|X]0{0,8}([9][a]);?)?’;
$pattern .= ‘|(�{0,8}([9][10][13]);?)?’;
$pattern .= ‘)?’;
}
$pattern .= $ra[$i][$j];
}
$pattern .= ‘/i’;
$replacement = substr($ra[$i], 0, 2).’’.substr($ra[$i], 2);
$val = preg_replace($pattern, $replacement, $val);
if ($val_before == $val) {
$found = false;
}
}
}
return $val;
}
echo RemoveXSS("alert('hello world!');")
黑客用XSS攻击有多种方式,PHP的内置函数不能应对各种各样的XSS攻击。因此,使用filter_var,mysql_real_escape_string,htmlentities,htmlspecialchars,strip_tags等功能也不能做到100%的防护。你需要一个更好的机制,这是你的解决方案:
<?php
function xss_clean($data)
{
// Fix &entity\n;
$data = str_replace(array('&','<','>'), array('&amp;','&lt;','&gt;'), $data);
$data = preg_replace('/(&#*\w+)[\x00-\x20]+;/u', '$1;', $data);
$data = preg_replace('/(&#x*[0-9A-F]+);*/iu', '$1;', $data);
$data = html_entity_decode($data, ENT_COMPAT, 'UTF-8');
// Remove any attribute starting with "on" or xmlns
$data = preg_replace('#(<[^>]+?[\x00-\x20"\'])(?:on|xmlns)[^>]*+>#iu', '$1>', $data);
// Remove javascript: and vbscript: protocols
$data = preg_replace('#([a-z]*)[\x00-\x20]*=[\x00-\x20]*([`\'"]*)[\x00-\x20]*j[\x00-\x20]*a[\x00-\x20]*v[\x00-\x20]*a[\x00-\x20]*s[\x00-\x20]*c[\x00-\x20]*r[\x00-\x20]*i[\x00-\x20]*p[\x00-\x20]*t[\x00-\x20]*:#iu', '$1=$2nojavascript...', $data);
$data = preg_replace('#([a-z]*)[\x00-\x20]*=([\'"]*)[\x00-\x20]*v[\x00-\x20]*b[\x00-\x20]*s[\x00-\x20]*c[\x00-\x20]*r[\x00-\x20]*i[\x00-\x20]*p[\x00-\x20]*t[\x00-\x20]*:#iu', '$1=$2novbscript...', $data);
$data = preg_replace('#([a-z]*)[\x00-\x20]*=([\'"]*)[\x00-\x20]*-moz-binding[\x00-\x20]*:#u', '$1=$2nomozbinding...', $data);
// Only works in IE: <span style="width: expression(alert('Ping!'));"></span>
$data = preg_replace('#(<[^>]+?)style[\x00-\x20]*=[\x00-\x20]*[`\'"]*.*?expression[\x00-\x20]*\([^>]*+>#i', '$1>', $data);
$data = preg_replace('#(<[^>]+?)style[\x00-\x20]*=[\x00-\x20]*[`\'"]*.*?behaviour[\x00-\x20]*\([^>]*+>#i', '$1>', $data);
$data = preg_replace('#(<[^>]+?)style[\x00-\x20]*=[\x00-\x20]*[`\'"]*.*?s[\x00-\x20]*c[\x00-\x20]*r[\x00-\x20]*i[\x00-\x20]*p[\x00-\x20]*t[\x00-\x20]*:*[^>]*+>#iu', '$1>', $data);
// Remove namespaced elements (we do not need them)
$data = preg_replace('#</*\w+:\w[^>]*+>#i', '', $data);
www.2cto.com
do
{
// Remove really unwanted tags
$old_data = $data;
$data = preg_replace('#</*(?:applet|b(?:ase|gsound|link)|embed|frame(?:set)?|i(?:frame|layer)|l(?:ayer|ink)|meta|object|s(?:cript|tyle)|title|xml)[^>]*+>#i', '', $data);
}
while ($old_data !== $data);
// we are done...
return $data;
}
?>
The goal of this function is to be a generic function that can be used to parse almost any input and render it XSS safe. For more information on actual XSS attacks, check out http://ha.ckers.org/xss.html. Another excellent site is the XSS Database which details each attack and how it works.
PHP代码
<?php
function RemoveXSS($val) {
// remove all non-printable characters. CR(0a) and LF(0b) and TAB(9) are allowed
// this prevents some character re-spacing such as <java/0script>
// note that you have to handle splits with /n, /r, and /t later since they *are* allowed in some inputs
$val = preg_replace(‘/([/x00-/x08,/x0b-/x0c,/x0e-/x19])/’, ”, $val);
// straight replacements, the user should never need these since they’re normal characters
// this prevents like <IMG SRC=@avascript:alert(‘XSS’)>
$search = ‘abcdefghijklmnopqrstuvwxyz’;
$search .= ‘ABCDEFGHIJKLMNOPQRSTUVWXYZ’;
$search .= ’1234567890!@#$%^&*()’;
$search .= ‘~`”;:?+/={}[]-_|/’//’;
for ($i = 0; $i < strlen($search); $i++) {
// ;? matches the ;, which is optional
// 0{0,7} matches any padded zeros, which are optional and go up to 8 chars
// @ @ search for the hex values
$val = preg_replace(‘/(&#[xX]0{0,8}’.dechex(ord($search[$i])).’;?)/i’, $search[$i], $val); // with a ;
// @ @ 0{0,7} matches ’0′ zero to seven times
$val = preg_replace(‘/(�{0,8}’.ord($search[$i]).’;?)/’, $search[$i], $val); // with a ;
}
// now the only remaining whitespace attacks are /t, /n, and /r
$ra1 = Array(‘javascript’, ‘vbscript’, ‘expression’, ‘applet’, ‘meta’, ‘xml’, ‘blink’, ‘link’, ‘style’, ‘script’, ‘embed’, ‘object’, ‘iframe’, ‘frame’, ‘frameset’, ‘ilayer’, ‘layer’, ‘bgsound’, ‘title’, ‘base’);
$ra2 = Array(‘onabort’, ‘onactivate’, ‘onafterprint’, ‘onafterupdate’, ‘onbeforeactivate’, ‘onbeforecopy’, ‘onbeforecut’, ‘onbeforedeactivate’, ‘onbeforeeditfocus’, ‘onbeforepaste’, ‘onbeforeprint’, ‘onbeforeunload’, ‘onbeforeupdate’, ‘onblur’, ‘onbounce’, ‘oncellchange’, ‘onchange’, ‘onclick’, ‘oncontextmenu’, ‘oncontrolselect’, ‘oncopy’, ‘oncut’, ‘ondataavailable’, ‘ondatasetchanged’, ‘ondatasetcomplete’, ‘ondblclick’, ‘ondeactivate’, ‘ondrag’, ‘ondragend’, ‘ondragenter’, ‘ondragleave’, ‘ondragover’, ‘ondragstart’, ‘ondrop’, ‘onerror’, ‘onerrorupdate’, ‘onfilterchange’, ‘onfinish’, ‘onfocus’, ‘onfocusin’, ‘onfocusout’, ‘onhelp’, ‘onkeydown’, ‘onkeypress’, ‘onkeyup’, ‘onlayoutcomplete’, ‘onload’, ‘onlosecapture’, ‘onmousedown’, ‘onmouseenter’, ‘onmouseleave’, ‘onmousemove’, ‘onmouseout’, ‘onmouseover’, ‘onmouseup’, ‘onmousewheel’, ‘onmove’, ‘onmoveend’, ‘onmovestart’, ‘onpaste’, ‘onpropertychange’, ‘onreadystatechange’, ‘onreset’, ‘onresize’, ‘onresizeend’, ‘onresizestart’, ‘onrowenter’, ‘onrowexit’, ‘onrowsdelete’, ‘onrowsinserted’, ‘onscroll’, ‘onselect’, ‘onselectionchange’, ‘onselectstart’, ‘onstart’, ‘onstop’, ‘onsubmit’, ‘onunload’);
$ra = array_merge($ra1, $ra2);
$found = true; // keep replacing as long as the previous round replaced something
while ($found == true) {
$val_before = $val;
for ($i = 0; $i < sizeof($ra); $i++) {
$pattern = ‘/’;
for ($j = 0; $j < strlen($ra[$i]); $j++) {
if ($j > 0) {
$pattern .= ‘(‘;
$pattern .= ‘(&#[xX]0{0,8}([9ab]);)’;
$pattern .= ‘|’;
$pattern .= ‘|(�{0,8}([9|10|13]);)’;
$pattern .= ‘)*’;
}
$pattern .= $ra[$i][$j];
}
$pattern .= ‘/i’;
$replacement = substr($ra[$i], 0, 2).’<x>’.substr($ra[$i], 2); // add in <> to nerf the tag
$val = preg_replace($pattern, $replacement, $val); // filter out the hex tags
if ($val_before == $val) {
// no replacements were made, so exit the loop
$found = false;
}
}
}
return $val;
}
php过滤xss函数
<?php /** * @过滤XSS(跨站脚本攻击)的函数 * @par $val 字符串参数,可能包含恶意的脚本代码如 * <script language="javascript">alert("hello world");</script> * @return 处理后的字符串 * @Recoded By Androidyue **/ function RemoveXSS($val) { // remove all non-printable characters. CR(0a) and LF(0b) // and TAB(9) are allowed // this prevents some character re-spacing such as <java\0script> // note that you have to handle splits with \n, \r, // and \t later since they *are* allowed in some inputs $val = preg_replace('/([\x00-\x08,\x0b-\x0c,\x0e-\x19])/', '', $val); // straight replacements, the user should never need these // since they're normal characters // this prevents like ![](@avascript:alert() $search = 'abcdefghijklmnopqrstuvwxyz'; $search .= 'ABCDEFGHIJKLMNOPQRSTUVWXYZ'; $search .= '1234567890!@#$%^&*()'; $search .= '~`";:?+/={}[]-_|\'\\'; for ($i = 0; $i < strlen($search); $i++) { // ;? matches the ;, which is optional // 0{0,7} matches any padded zeros, which are optional and go up to 8 chars // @ @ search for the hex values $val = preg_replace('/(&#[xX]0{0,8}'.dechex(ord($search[$i])).';?)/i', $search[$i], $val); // with a ; // @ @ 0{0,7} matches '0' zero to seven times $val = preg_replace('/(�{0,8}'.ord($search[$i]).';?)/', $search[$i], $val); // with a ; } // now the only remaining whitespace attacks are \t, \n, and \r $ra1 = Array('javascript', 'vbscript', 'expression', 'applet', 'meta', 'xml', 'blink', 'link', 'style', 'script', 'embed', 'object', 'iframe', 'frame', 'frameset', 'ilayer', 'layer', 'bgsound', 'title', 'base'); $ra2 = Array('onabort', 'onactivate', 'onafterprint', 'onafterupdate', 'onbeforeactivate', 'onbeforecopy', 'onbeforecut', 'onbeforedeactivate', 'onbeforeeditfocus', 'onbeforepaste', 'onbeforeprint', 'onbeforeunload', 'onbeforeupdate', 'onblur', 'onbounce', 'oncellchange', 'onchange', 'onclick', 'oncontextmenu', 'oncontrolselect', 'oncopy', 'oncut', 'ondataavailable', 'ondatasetchanged', 'ondatasetcomplete', 'ondblclick', 'ondeactivate', 'ondrag', 'ondragend', 'ondragenter', 'ondragleave', 'ondragover', 'ondragstart', 'ondrop', 'onerror', 'onerrorupdate', 'onfilterchange', 'onfinish', 'onfocus', 'onfocusin', 'onfocusout', 'onhelp', 'onkeydown', 'onkeypress', 'onkeyup', 'onlayoutcomplete', 'onload', 'onlosecapture', 'onmousedown', 'onmouseenter', 'onmouseleave', 'onmousemove', 'onmouseout', 'onmouseover', 'onmouseup', 'onmousewheel', 'onmove', 'onmoveend', 'onmovestart', 'onpaste', 'onpropertychange', 'onreadystatechange', 'onreset', 'onresize', 'onresizeend', 'onresizestart', 'onrowenter', 'onrowexit', 'onrowsdelete', 'onrowsinserted', 'onscroll', 'onselect', 'onselectionchange', 'onselectstart', 'onstart', 'onstop', 'onsubmit', 'onunload'); $ra = array_merge($ra1, $ra2); $found = true; // keep replacing as long as the previous round replaced something while ($found == true) { $val_before = $val; for ($i = 0; $i < sizeof($ra); $i++) { $pattern = '/'; for ($j = 0; $j < strlen($ra[$i]); $j++) { if ($j > 0) { $pattern .= '('; $pattern .= '(&#[xX]0{0,8}([9ab]);)'; $pattern .= '|'; $pattern .= '|(�{0,8}([9|10|13]);)'; $pattern .= ')*'; } $pattern .= $ra[$i][$j]; } $pattern .= '/i'; $replacement = substr($ra[$i], 0, 2).'<x>'.substr($ra[$i], 2); // add in <> to nerf the tag $val = preg_replace($pattern, $replacement, $val); // filter out the hex tags if ($val_before == $val) { // no replacements were made, so exit the loop $found = false; } } } return $val; } //测试一下效果 //echo RemoveXSS("<script language='javascript'>alert('hello world');</script>") ; ?>
javascript过滤xss
javascript过滤xss只是一种防君子不防小人的方法,可以两种方式,第一种是将尖括号和引号转义掉,如下面大代码:
function(cont){ cont = cont.replace(/&/g, '&'); cont = cont.replace(/</g, '<').replace(/>/g, '>'); cont = cont.replace(/\'/g, ''').replace(/\"/g, '"'); return cont; };
第二种是动态创建一个dom,然后将str作为innerText,之后动态的取innerHTML出来,就可以是经过转义的内容了,
注:感谢 Jackmasa 指出问题,其实这里还是会有问题,详细见文章:《前端安全》
apache防止svn版本库被浏览
前几天炒的比较热的svn版本库被爆的问题,自己查了下找到了简单的解决apache的svn版本库被浏览方式,nginx也是类似的禁用.svn的浏览
apache禁用svn
<Directory ~ ".svn"> Order allow,deny Deny from all </Directory>
### nginx禁用svn ```text location ~ /.svn/ { deny all; }
jsp过滤非法字符输入 防止XSS跨站攻击
一、写一个过滤器,代码如下:
java 防止 XSS 攻击的常用方法总结.
2. 采用开源的实现 ESAPI library ,参考网址: https://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API
3. 可以采用spring 里面提供的工具类来实现.
配置过滤器
public class XSSFilter implements Filter { @Override public void init(FilterConfig filterConfig) throws ServletException { } @Override public void destroy() { } @Override public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException { chain.doFilter(new XSSRequestWrapper((HttpServletRequest) request), response); } }再实现 ServletRequest 的包装类
import java.util.regex.Pattern; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletRequestWrapper; public class XSSRequestWrapper extends HttpServletRequestWrapper { public XSSRequestWrapper(HttpServletRequest servletRequest) { super(servletRequest); } @Override public String[] getParameterValues(String parameter) { String[] values = super.getParameterValues(parameter); if (values == null) { return null; } int count = values.length; String[] encodedValues = new String[count]; for (int i = 0; i < count; i++) { encodedValues[i] = stripXSS(values[i]); } return encodedValues; } @Override public String getParameter(String parameter) { String value = super.getParameter(parameter); return stripXSS(value); } @Override public String getHeader(String name) { String value = super.getHeader(name); return stripXSS(value); } private String stripXSS(String value) { if (value != null) { // NOTE: It's highly recommended to use the ESAPI library and uncomment the following line to // avoid encoded attacks. // value = ESAPI.encoder().canonicalize(value); // Avoid null characters value = value.replaceAll("", ""); // Avoid anything between script tags Pattern scriptPattern = Pattern.compile("(.*?)", Pattern.CASE_INSENSITIVE); value = scriptPattern.matcher(value).replaceAll(""); // Avoid anything in a src="http://www.yihaomen.com/article/java/..." type of expression scriptPattern = Pattern.compile("src[\r\n]*=[\r\n]*\\\'(.*?)\\\'", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL); value = scriptPattern.matcher(value).replaceAll(""); scriptPattern = Pattern.compile("src[\r\n]*=[\r\n]*\\\"(.*?)\\\"", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL); value = scriptPattern.matcher(value).replaceAll(""); // Remove any lonesome tag scriptPattern = Pattern.compile("", Pattern.CASE_INSENSITIVE); value = scriptPattern.matcher(value).replaceAll(""); // Remove any lonesome tag scriptPattern = Pattern.compile("", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL); value = scriptPattern.matcher(value).replaceAll(""); // Avoid eval(...) expressions scriptPattern = Pattern.compile("eval\\((.*?)\\)", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL); value = scriptPattern.matcher(value).replaceAll(""); // Avoid expression(...) expressions scriptPattern = Pattern.compile("expression\\((.*?)\\)", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL); value = scriptPattern.matcher(value).replaceAll(""); // Avoid javascript:... expressions scriptPattern = Pattern.compile("javascript:", Pattern.CASE_INSENSITIVE); value = scriptPattern.matcher(value).replaceAll(""); // Avoid vbscript:... expressions scriptPattern = Pattern.compile("vbscript:", Pattern.CASE_INSENSITIVE); value = scriptPattern.matcher(value).replaceAll(""); // Avoid οnlοad= expressions scriptPattern = Pattern.compile("onload(.*?)=", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL); value = scriptPattern.matcher(value).replaceAll(""); } return value; } }例子中注释的部分,就是采用 ESAPI library 来防止XSS攻击的,推荐使用.
当然,我还看到这样一种办法,将所有的编程全角字符的解决方式,但个人觉得并没有上面这种用正则表达式替换的好
private static String xssEncode(String s) { if (s == null || s.equals("")) { return s; } StringBuilder sb = new StringBuilder(s.length() + 16); for (int i = 0; i < s.length(); i++) { char c = s.charAt(i); switch (c) { case '>': sb.append('>');// 全角大于号 break; case '<': sb.append('<');// 全角小于号 break; case '\'': sb.append('\\'); sb.append('\''); sb.append('\\'); sb.append('\''); break; case '\"': sb.append('\\'); sb.append('\"');// 全角双引号 break; case '&': sb.append('&');// 全角 break; case '\\': sb.append('\');// 全角斜线 break; case '#': sb.append('#');// 全角井号 break; case ':': sb.append(':');// 全角冒号 break; case '%': sb.append("\\\\%"); break; default: sb.append(c); break; } } return sb.toString(); }
当然,还有如下更简单的方式:
private String cleanXSS(String value) { //You'll need to remove the spaces from the html entities below value = value.replaceAll("<", "& lt;").replaceAll(">", "& gt;"); value = value.replaceAll("\\(", "& #40;").replaceAll("\\)", "& #41;"); value = value.replaceAll("'", "& #39;"); value = value.replaceAll("eval\\((.*)\\)", ""); value = value.replaceAll("[\\\"\\\'][\\s]*javascript:(.*)[\\\"\\\']", "\"\""); value = value.replaceAll("script", ""); return value; }在后台或者用spring 如何实现:
首先添加一个jar包:commons-lang-2.5.jar ,然后在后台调用这些函数:
StringEscapeUtils.escapeHtml(string); StringEscapeUtils.escapeJavaScript(string); StringEscapeUtils.escapeSql(string);
http://josephoconnell.com/java/xss-html-filter/
推荐使用OWASP提供的ESAPI函数库,它提供了一系列非常严格的用于进行各种安全编码的函数。在当前这个例子里,你可以使用:
String encodedContent = ESAPI.encoder().encodeForHTML(request.getParameter(“input”));
可以使用ESAPI提供的函数进行HTML属性编码:
String encodedContent = ESAPI.encoder().encodeForHTMLAttribute(request.getParameter(“input”));
可以使用ESAPI提供的函数进行JavaScript编码:
String encodedContent = ESAPI.encoder().encodeForJavaScript
(request.getParameter(“input”));
可以使用ESAPI提供的函数进行CSS编码:
String encodedContent =
ESAPI.encoder().encodeForCSS(request.getParameter(“input”));
可以使用ESAPI提供的函数进行URL编码:
String encodedContent =
ESAPI.encoder().encodeForURL(request.getParameter(“input”));
ESAPI还提供了一些用于检测不可信数据的函数,在这里我们可以使用其来检测不可信数据是否真的是一个URL:
String userProvidedURL = request.getParameter(“userProvidedURL”);
boolean isValidURL = ESAPI.validator().isValidInput
(“URLContext”, userProvidedURL, “URL”, 255, false);
if (isValidURL)
{<a href=”<%= encoder.encodeForHTMLAttribute(userProvidedURL) %>”>
</a>}
html过滤:
public string wipescript(string html)
{System.Text.RegularExpressions.Regex regex1 = new System.Text.RegularExpressions.Regex(@"<script[\s\s]+</script *>", System.Text.RegularExpressions.RegexOptions.IgnoreCase);
System.Text.RegularExpressions.Regex regex2 = new System.Text.RegularExpressions.Regex(@" href *= *[\s\s]*script *:", System.Text.RegularExpressions.RegexOptions.IgnoreCase);
System.Text.RegularExpressions.Regex regex3 = new System.Text.RegularExpressions.Regex(@" on[\s\s]*=", System.Text.RegularExpressions.RegexOptions.IgnoreCase);
System.Text.RegularExpressions.Regex regex4 = new System.Text.RegularExpressions.Regex(@"<iframe[\s\s]+</iframe *>", System.Text.RegularExpressions.RegexOptions.IgnoreCase);
System.Text.RegularExpressions.Regex regex5 = new System.Text.RegularExpressions.Regex(@"<frameset[\s\s]+</frameset *>", System.Text.RegularExpressions.RegexOptions.IgnoreCase);
html = regex1.Replace(html, ""); //过滤<script></script>标记
html = regex2.Replace(html, ""); //过滤href=javascript: (<a>) 属性
html = regex3.Replace(html, " _disibledevent="); //过滤其它控件的on...事件
html = regex4.Replace(html, ""); //过滤iframe
html = regex5.Replace(html, ""); //过滤frameset
return html;
}
......