1. Strip SQL-injection fragments and XSS script content from untrusted input (blacklist-based filtering; it is a defense-in-depth measure and does not replace parameterized queries or context-aware output encoding).
package com.walmart.pricelock.util;
import java.util.HashMap;
import java.util.Map;
import java.util.regex.Pattern;
/**
*
* @ClassName: XssUtil
* @Description: Blacklist-based removal of script fragments (XSS) and SQL comment/quote fragments from untrusted strings; defense-in-depth only, not a substitute for output encoding or PreparedStatement parameters
* @Date: 2020/11/12 19:43
**/
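public final class XssUtil {

    // ---- Limitations (read before relying on this class) ---------------------
    // This is a blacklist: it deletes a fixed set of fragments and lets everything
    // else through. Treat it as defense-in-depth only. The real controls are
    // PreparedStatement parameters for SQL and context-aware output encoding at
    // render time for HTML/JS/CSS/URL contexts. Gaps visible from the patterns:
    //  * Each pattern runs in a single pass, so removing one fragment can
    //    reassemble another: "<scr<script>ipt>" becomes "<script>".
    //  * No decoding is done first, so HTML-entity or URL-encoded payloads are not
    //    recognised (the only encoded token handled is "%7C" in the SQL filter).
    //  * Only the "onload" handler is stripped; other on*= handlers pass through.
    //  * Legitimate text is damaged: "retrieval(x)" loses "eval(x)", and a quote
    //    followed later by "--" removes everything in between.

    /** Flag set shared by the patterns that should match across line breaks. */
    private static final int MULTI_LINE_FLAGS =
            Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL;

    // Patterns are compiled once; compiling on every call was pure overhead.

    /** A complete {@code <script>...</script>} element, body included. DOTALL so a body spanning lines is removed too. */
    private static final Pattern SCRIPT_BLOCK =
            Pattern.compile("<script>(.*?)</script>", Pattern.CASE_INSENSITIVE | Pattern.DOTALL);
    /** A stray closing {@code </script>} tag. */
    private static final Pattern SCRIPT_CLOSE =
            Pattern.compile("</script>", Pattern.CASE_INSENSITIVE);
    /** A stray opening {@code <script ...>} tag, attributes included. */
    private static final Pattern SCRIPT_OPEN =
            Pattern.compile("<script(.*?)>", MULTI_LINE_FLAGS);
    /** A JavaScript {@code eval(...)} call. */
    private static final Pattern EVAL_CALL =
            Pattern.compile("eval\\((.*?)\\)", MULTI_LINE_FLAGS);
    /** A legacy CSS {@code expression(...)} value. */
    private static final Pattern CSS_EXPRESSION =
            Pattern.compile("expression\\((.*?)\\)", MULTI_LINE_FLAGS);
    /** The {@code javascript:} URL scheme. */
    private static final Pattern JS_SCHEME =
            Pattern.compile("javascript:", Pattern.CASE_INSENSITIVE);
    /** The {@code vbscript:} URL scheme. */
    private static final Pattern VB_SCHEME =
            Pattern.compile("vbscript:", Pattern.CASE_INSENSITIVE);
    /** An {@code onload=} attribute prefix (only this handler is covered). */
    private static final Pattern ONLOAD_ATTR =
            Pattern.compile("onload(.*?)=", MULTI_LINE_FLAGS);

    /** XSS patterns in the order they are applied; order matters because each pass sees the previous pass's output. */
    private static final Pattern[] XSS_PATTERNS = {
        SCRIPT_BLOCK,
        SCRIPT_CLOSE,
        SCRIPT_OPEN,
        EVAL_CALL,
        CSS_EXPRESSION,
        JS_SCHEME,
        VB_SCHEME,
        ONLOAD_ATTR,
    };

    /**
     * SQL fragments: a quote followed (greedily) by a line comment, a bare line comment,
     * and a URL-encoded pipe. CASE_INSENSITIVE so that "%7c" is treated like "%7C"
     * (percent-encoding hex digits are case-insensitive).
     */
    private static final Pattern SQL_FRAGMENTS =
            Pattern.compile("('.+--)|(--)|(%7C)", Pattern.CASE_INSENSITIVE);

    private XssUtil() {
        // utility class
    }

    /**
     * Removes the known script fragments listed in {@link #XSS_PATTERNS} from {@code value},
     * applying each pattern once in order.
     *
     * @param value untrusted input; may be {@code null}
     * @return the filtered string, or {@code null} when {@code value} is {@code null}
     */
    public static String stripXSS(String value) {
        if (value == null) {
            return null;
        }
        // No canonicalisation/decoding is performed here; encoded payloads are not detected.
        String cleaned = value;
        for (Pattern pattern : XSS_PATTERNS) {
            cleaned = pattern.matcher(cleaned).replaceAll("");
        }
        return cleaned;
    }

    /**
     * Removes SQL line-comment and encoded-pipe fragments from {@code value}.
     * This does not make a string safe for concatenation into SQL; use bind parameters.
     *
     * @param value untrusted input; may be {@code null}
     * @return the filtered string, or {@code null} when {@code value} is {@code null}
     */
    public static String stripSqlInjection(String value) {
        if (value == null) {
            return null;
        }
        return SQL_FRAGMENTS.matcher(value).replaceAll("");
    }

    /**
     * Applies {@link #stripSqlInjection(String)} and then {@link #stripXSS(String)}.
     *
     * @param value untrusted input; may be {@code null}
     * @return the filtered string, or {@code null} when {@code value} is {@code null}
     */
    public static String stripSqlXss(String value) {
        return stripXSS(stripSqlInjection(value));
    }

    /**
     * Returns a new map whose values have been passed through {@link #stripXSS(String)}.
     * Keys are copied unchanged and are NOT filtered.
     *
     * @param map input map; may be {@code null}, in which case an empty map is returned
     * @return a new {@link HashMap} with the same keys and filtered values (never {@code null})
     */
    public static Map<String, String> checkMap(Map<String, String> map) {
        Map<String, String> sanitized = new HashMap<>();
        if (map == null) {
            return sanitized;
        }
        for (Map.Entry<String, String> entry : map.entrySet()) {
            sanitized.put(entry.getKey(), stripXSS(entry.getValue()));
        }
        return sanitized;
    }
}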