java 防止 XSS 攻击的常用方法总结

项目中遇到的关于XSS注入：查阅资料如下：

Java 今天要记录的 XSS 攻击， XSS 攻击的专业解释，可以在网上搜索一下，参考百度百科的解释 http://baike.baidu.com/view/2161269.htm, 但在实际的应用中如何去防止这种攻击呢，下面给出几种办法.

1. 自己写 filter 拦截来实现，但要注意的时，在WEB.XML 中配置 filter 的时候，请将这个 filter 放在第一位.

2. 采用开源的实现 ESAPI library ，参考网址: https://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API

3. 可以采用spring 里面提供的工具类来实现.

一， 第一种方法。
配置过滤器
public class XSSFilter implements Filter {
@Override
public void init(FilterConfig filterConfig) throws ServletException {
}
@Override
public void destroy() {
}
@Override
public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
throws IOException, ServletException {
chain.doFilter(new XSSRequestWrapper((HttpServletRequest) request), response);
}
}

再实现 ServletRequest 的包装类
import java.util.regex.Pattern;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
public class XSSRequestWrapper extends HttpServletRequestWrapper {
public XSSRequestWrapper(HttpServletRequest servletRequest) {
super(servletRequest);
}
@Override
public String[] getParameterValues(String parameter) {
String[] values = super.getParameterValues(parameter);
if (values == null) {
return null;
}
int count = values.length;
String[] encodedValues = new String[count];
for (int i = 0; i < count; i++) {
encodedValues[i] = stripXSS(values[i]);
}
return encodedValues;
}
@Override
public String getParameter(String parameter) {
String value = super.getParameter(parameter);
return stripXSS(value);
}
@Override
public String getHeader(String name) {
String value = super.getHeader(name);
return stripXSS(value);
}
private String stripXSS(String value) {
if (value != null) {
// NOTE: It’s highly recommended to use the ESAPI library and uncomment the following line to
// avoid encoded attacks.
// value = ESAPI.encoder().canonicalize(value);
// Avoid null characters
value = value.replaceAll("", “”);
// Avoid anything between script tags
Pattern scriptPattern = Pattern.compile("", Pattern.CASE_INSENSITIVE);
value = scriptPattern.matcher(value).replaceAll("");
// Remove any lonesome <script …> tag
scriptPattern = Pattern.compile("<script(.?)>", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
value = scriptPattern.matcher(value).replaceAll("");
// Avoid eval(…) e­xpressions
scriptPattern = Pattern.compile(“eval\((.?)\)", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
value = scriptPattern.matcher(value).replaceAll("");
// Avoid e­xpression(…) e­xpressions
scriptPattern = Pattern.compile("e­xpression\((.?)\)”, Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
value = scriptPattern.matcher(value).replaceAll("");
// Avoid javascript:… e­xpressions
scriptPattern = Pattern.compile(“javascript:”, Pattern.CASE_INSENSITIVE);
value = scriptPattern.matcher(value).replaceAll("");
// Avoid vbscript:… e­xpressions
scriptPattern = Pattern.compile(“vbscript:”, Pattern.CASE_INSENSITIVE);
value = scriptPattern.matcher(value).replaceAll("");
// Avoid οnlοad= e­xpressions
scriptPattern = Pattern.compile(“onload(.*?)=”, Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
value = scriptPattern.matcher(value).replaceAll("");
}
return value;
}
}

例子中注释的部分，就是采用 ESAPI library 来防止XSS攻击的，推荐使用.

当然，我还看到这样一种办法，将所有的编程全角字符的解决方式，但个人觉得并没有上面这种用正则表达式替换的好

private static String xssEncode(String s) {
if (s == null || s.equals("")) {
return s;
}
StringBuilder sb = new StringBuilder(s.length() + 16);
for (int i = 0; i < s.length(); i++) {
char c = s.charAt(i);
switch © {
case ‘>’:
sb.append(‘＞’);// 全角大于号
break;
case ‘<’:
sb.append(‘＜’);// 全角小于号
break;
case ‘’’:
sb.append(’\’);
sb.append(’’’);
sb.append(’\’);
sb.append(’’’);
break;
case ‘"’:
sb.append(’\’);
sb.append(’"’);// 全角双引号
break;
case ‘&’:
sb.append(’＆’);// 全角
break;
case ‘\’:
sb.append(’＼’);// 全角斜线
break;
case ‘#’:
sb.append(’＃’);// 全角井号
break;
case ‘:’:
sb.append(’：’);// 全角冒号
break;
case ‘%’:
sb.append("\\%");
break;
default:
sb.append©;
break;
}
}
return sb.toString();
}

当然，还有如下更简单的方式:
private String cleanXSS(String value) {
//You’ll need to remove the spaces from the html entities below
value = value.replaceAll("<", “& lt;”).replaceAll(">", “& gt;”);
value = value.replaceAll("\(", “& #40;”).replaceAll("\)", “& #41;”);
value = value.replaceAll("’", “& #39;”);
value = value.replaceAll(“eval\((.*)\)”, “”);
value = value.replaceAll("[\"\’][\s]javascript:(.)[\"\’]", “”"");
value = value.replaceAll(“script”, “”);
return value;
}

在后台或者用spring 如何实现呢:
首先添加一个jar包：commons-lang-2.5.jar ，然后在后台调用这些函数：
StringEscapeUtils.escapeHtml(string);
StringEscapeUtils.escapeJavaScript(string);
StringEscapeUtils.escapeSql(string);

原文链接：侵删 http://ju.outofmemory.cn/entry/54043