项目安全检测出现 “跨站点脚本编制” 的问题,以下解决方法是网上搜索整理。
用过滤器过滤所有url
1.过滤器
@Slf4j
@WebFilter(filterName = "urlFilter", urlPatterns = "/*")
public class webFilter implements Filter {
/**
*
* @param filterConfig The configuration information associated with the
* filter instance being initialised
* @throws ServletException if the initialisation fails
*/
@Override
public void init(FilterConfig filterConfig) throws ServletException {
}
/**
* @param request The request to process
* @param response The response associated with the request
* @param chain Provides access to the next filter in the chain for this
* filter to pass the request and response to for further
* processing
* @throws IOException if an I/O error occurs during this filter's
* processing of the request
* @throws ServletException if the processing fails for any other reason
*/
@Override
public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
//if 里面的内容与解决方案无关 可以删除
if(request instanceof HttpServletRequest){
HttpServletResponse httpServletResponse = (HttpServletResponse) response;
String origin = ((HttpServletRequest) request).getHeader("Origin");
httpServletResponse.setHeader("Access-Control-Allow-Origin", origin);
httpServletResponse.setHeader("Access-Control-Allow-Methods","POST, GET");//允许跨域的请求方式
httpServletResponse.setHeader("Access-Control-Max-Age", "3600");//预检请求的间隔时间
httpServletResponse.setHeader("Access-Control-Allow-Headers", "x-auth-token,Origin,Access-Token,X-Requested-With,Content-Type, Accept,token" );//允许跨域请求携带的请求头
httpServletResponse.setHeader("Access-Control-Allow-Credentials","false");//若要返回cookie、携带seesion等信息则将此项设置我true
httpServletResponse.setHeader("strict-transport-security","max-age=16070400; includeSubDomains");//简称为HSTS。它允许一个HTTPS网站,要求浏览器总是通过HTTPS来访问它
//httpServletResponse.setHeader("Content-Security-Policy", "script-src * 'unsafe-inline'");//这个响应头主要是用来定义页面可以加载哪些资源,减少XSS的发生
httpServletResponse.setHeader("X-Content-Type-Options", "nosniff");//互联网上的资源有各种类型,通常浏览器会根据响应头的Content-Type字段来分辨它们的类型。通过这个响应头可以禁用浏览器的类型猜测行为
httpServletResponse.setHeader("X-XSS-Protection", "1; mode=block");//1; mode=block:启用XSS保护,并在检查到XSS攻击时,停止渲染页面
httpServletResponse.setHeader("X-Frame-Options", "SAMEORIGIN");//SAMEORIGIN:不允许被本域以外的页面嵌入
}
XssHttpServletRequestWrapper xssRequest = new XssHttpServletRequestWrapper((HttpServletRequest) request);
chain.doFilter(xssRequest,response);
}
/**
*
*/
@Override
public void destroy() {
}
}
2.过滤规则类
public class XssHttpServletRequestWrapper extends HttpServletRequestWrapper {
/**
* @param request The request to wrap
* @throws IllegalArgumentException if the request is null
*/
public XssHttpServletRequestWrapper(HttpServletRequest request) {
super(request);
this.getParameterMap();//这里我选择过滤请求的所有参数 如果只过滤特定参数 可选择其他方法
}
/**
* 覆盖getParameter方法,将参数名和参数值都做xss过滤。
* 如果需要获得原始的值,则通过super.getParameterValues(name)来获取
* getParameterNames,getParameterValues和getParameterMap也可能需要覆盖
*/
@Override
public String getParameter(String name) {
String value = super.getParameter(xssEncode(name));
if (value != null) {
value = xssEncode(value);
}
return value;
}
@Override
public String[] getParameterValues(String name) {
String[] value = super.getParameterValues(name);
if(value != null){
for (int i = 0; i < value.length; i++) {
value[i] = xssEncode(value[i]);
}
}
return value;
}
@Override
public Map getParameterMap() {
// TODO Auto-generated method stub
Map<String , String[]> params = new HashMap<>();
Map map = super.getParameterMap();
params.putAll(map);
Set<String> set = params.keySet();
Iterator<String> it = set.iterator();
while(it.hasNext()){
String key= it.next();
String[] values = params.get(key);
values[0] = xssEncode(values[0]);
params.put(key, values);
}
return params;
}
/**
* 覆盖getHeader方法,将参数名和参数值都做xss过滤。
* 如果需要获得原始的值,则通过super.getHeaders(name)来获取
* getHeaderNames 也可能需要覆盖
* 这一段代码在一开始没有注释掉导致出现406错误,原因是406错误是HTTP协议状态码的一种,
* 表示无法使用请求的内容特性来响应请求的网页。一般是指客户端浏览器不接受所请求页面的 MIME 类型。
*
@Override
public String getHeader(String name) {
String value = super.getHeader(xssEncode(name));
if (value != null) {
value = xssEncode(value);
}
return value;
}
**/
/**
* 将容易引起xss漏洞的半角字符直接替换成全角字符 在保证不删除数据的情况下保存
* @param
* @return 过滤后的值
*/
private static String xssEncode(String value) {
if (value == null || value.isEmpty()) {
return value;
}
value = value.replaceAll("eval\\((.*)\\)", "");
value = value.replaceAll("[\\\"\\\'][\\s]*javascript:(.*)[\\\"\\\']", "\"\"");
value = value.replaceAll("(?i)<script.*?>.*?<script.*?>", "");
value = value.replaceAll("(?i)<script.*?>.*?</script.*?>", "");
value = value.replaceAll("(?i)<.*?javascript:.*?>.*?</.*?>", "");
value = value.replaceAll("(?i)<.*?\\s+on.*?>.*?</.*?>", "");
return value;
}
}
以上方法 我只进行了简单的模拟是可行的 AppScan安全检测能不能通过 我也不知道