Spring MVC 防 JS 注入

如果有人利用 JS 注入,可以做很多可怕的事,一个有经验的程序员不得不防呀!



方式一:直接在 JS 里把特殊符号转义就可以了,简单实用!

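<%@ page language="java" contentType="text/html; charset=UTF-8"
	pageEncoding="UTF-8"%>
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Insert title here</title>
<script type="text/javascript"
	src="${pageContext.request.contextPath}/res/js/jquery-1.8.0.min.js"></script>
</head>
<body>
	<h2>登陆成功</h2>
	<textarea rows="10" cols="20" id="xxx"></textarea>

<input id="testc" type="button" value="注入js">


<input id="testc2" type="button" value="干掉注入">

<script type="text/javascript">
// Both buttons post the same "param" to /user/gethh.htm and show the returned
// data.usrename in the textarea; they differ only in how the value is written
// into the DOM.

// Vulnerable path, kept on purpose for the demo: the server value is handed
// to .html() as markup, so whatever the server did not encode is parsed as HTML.
$("#testc").click(function(){
	$.post("${pageContext.request.contextPath}/user/gethh.htm",{"param":"<script>alert('注入成功!');<\/script>"},
		function(data){
		  $("#xxx").html(unescape(data.usrename));
		});
	});

// Client-side encoding before .html(). String.prototype.replace with a string
// pattern replaces only the FIRST occurrence, so the patterns are regexes with
// the g flag; without it every character after the first '<' reaches the DOM
// unencoded. Only these four characters are touched ('&' is left alone so a
// value the server already encoded is not encoded twice).
// Simpler alternative: $("#xxx").text(data.usrename) needs no manual encoding.
function htmlEncode(s){
	return String(s)
		.replace(/</g, "&lt;")
		.replace(/>/g, "&gt;")
		.replace(/"/g, "&quot;")
		.replace(/'/g, "&#39;");
}

$("#testc2").click(function(){
	$.post("${pageContext.request.contextPath}/user/gethh.htm",{"param":"<script>alert('注入成功!');<\/script>"},
		function(data){
		  $("#xxx").html(htmlEncode(data.usrename));
		});
	});
	</script>
</body>
</html>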




如果想在服务端转义,就要麻烦一点。


直接上代码吧! 

我是用 `public User gethh(String param)` 这个方法做的测试。

package org.rui.mvc.controller;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.rui.bean.User;
import org.rui.user.service.IUserService;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Controller;
import org.springframework.ui.ModelMap;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.ResponseBody;

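@Controller
@RequestMapping("user")
public class UserController extends BaseController
{
	/** Per-class logger; commons-logging is what the rest of the file uses. */
	private final Log log = LogFactory.getLog(this.getClass());

	@Autowired
	private IUserService userService;

	/**
	 * Handles the login form: delegates the credential check to
	 * {@link IUserService#userLong(User)} and picks the view from the result.
	 *
	 * @param req  the current request (not used here)
	 * @param res  the current response (not used here)
	 * @param map  the model; on success the demo attribute {@code testin}
	 *             (a literal script tag) is added so the view can show whether
	 *             it is encoded at render time
	 * @param user the bound login form; because this controller inherits the
	 *             {@code @InitBinder} of {@link BaseController}, its String
	 *             fields are expected to arrive already escaped
	 * @return the view name, {@code "success"} or {@code "fail"}
	 */
	@RequestMapping("userLogin")
	public String UserLogin(HttpServletRequest req, HttpServletResponse res,
			ModelMap map, User user)
	{
		log.info("--------userLogin execute--------");
		User u = userService.userLong(user);
		if (u == null) {
			log.debug("user login fail=====================");
			return "fail";
		}
		// Only the user name is recorded: the previous version printed
		// u.getPassword() as well, which leaks credentials into stdout/log files.
		log.info("user login ok: " + u.getUsrename());

		// Demo value for the view; see the class-level test notes.
		map.put("testin", "<script>alert('注入成功!');</script>");
		return "success";
	}

	/**
	 * Echo endpoint used to test the escaping: the {@code param} request
	 * parameter is returned as the name of a {@link User} serialized into the
	 * response body.  The value is reflected straight back to the caller, so
	 * the only protection is the String editor registered in
	 * {@link BaseController}; confirm that the editor is really applied to a
	 * plain {@code String} parameter (not only to form-backing beans) before
	 * relying on it.
	 *
	 * @param param the request parameter to echo
	 * @return a User whose name is {@code param}
	 */
	@RequestMapping("gethh")
	@ResponseBody
	public User gethh(String param)
	{
		User u = new User();
		u.setUsrename(param);
		return u;
	}

}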

package org.rui.mvc.controller;

import org.rui.util.editor.StringEscapeEditor;
import org.springframework.validation.DataBinder;
import org.springframework.web.bind.WebDataBinder;
import org.springframework.web.bind.annotation.InitBinder;


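/**
 * Common base for the MVC controllers: every controller that extends it gets
 * the same request-parameter binding rules through {@link #webInitBinder}.
 */
public class BaseController
{

	/**
	 * Registers a {@link StringEscapeEditor} for every {@code String} bound
	 * from the request, configured with HTML escaping off, JavaScript escaping
	 * on and SQL escaping off.  This is escape-on-input: the escaped form is
	 * what the service layer (and whatever persists the value) receives, and a
	 * view that encodes on output will encode it a second time.
	 *
	 * @param binder the binder Spring creates for the current request
	 */
	@InitBinder
	public void webInitBinder(WebDataBinder binder)
	{
		// Debug output of binder.getAllowedFields() on every request was removed.
		binder.registerCustomEditor(String.class, new StringEscapeEditor(false, true, false));
	}

}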


package org.rui.util.editor;

import java.beans.PropertyEditorSupport;

import org.apache.commons.lang.StringEscapeUtils;
import org.springframework.web.util.HtmlUtils;
import org.springframework.web.util.JavaScriptUtils;
/**
 * 在使用StringEscapeUtils时需要注意escapeHtml和escapeJavascript方法会把中文字符转换成Unicode编码,
 * @author lenovo
 *
 */
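/**
 * PropertyEditor that escapes incoming String request parameters at binding
 * time.  Three independent passes can be enabled: HTML escaping (commons-lang
 * {@code escapeHtml}), the project's own
 * {@link JavaScriptEscapeUtils#javaScriptEscape}, and commons-lang
 * {@code escapeSql}; they run in that order.
 * <p>
 * Notes for anyone reusing this:
 * <ul>
 * <li>commons-lang {@code escapeHtml} and {@code escapeJavaScript} rewrite
 *     non-ASCII (e.g. Chinese) characters as numeric / {@code \\uXXXX}
 *     escapes, which is why the JavaScript pass uses the in-house helper.</li>
 * <li>{@code escapeSql} only doubles single quotes; it is not a substitute for
 *     {@code PreparedStatement} parameters.</li>
 * <li>The editor is registered for every String, so it also rewrites values
 *     such as passwords before they are compared or stored; any value that
 *     contains an escaped character is no longer the one the user typed.</li>
 * <li>Because escaping happens on input, rendering the value through an
 *     encoding view tag encodes it twice.</li>
 * </ul>
 *
 * @author lenovo
 */
public class StringEscapeEditor extends PropertyEditorSupport
{
	private final boolean escapeHTML;
	private final boolean escapeJavaScript;
	private final boolean escapeSQL;

	/** Creates an editor with every pass disabled; values pass through unchanged. */
	public StringEscapeEditor()
	{
		this(false, false, false);
	}

	/**
	 * @param escapeHTML       apply commons-lang HTML escaping
	 * @param escapeJavaScript apply {@link JavaScriptEscapeUtils#javaScriptEscape}
	 * @param escapeSQL        apply commons-lang SQL escaping
	 */
	public StringEscapeEditor(boolean escapeHTML, boolean escapeJavaScript,
			boolean escapeSQL)
	{
		super();
		this.escapeHTML = escapeHTML;
		this.escapeJavaScript = escapeJavaScript;
		this.escapeSQL = escapeSQL;
	}

	/**
	 * Applies the enabled passes (HTML, then JavaScript, then SQL) to
	 * {@code text} and stores the result; {@code null} is stored as
	 * {@code null}.  The intermediate values are no longer printed to stdout:
	 * this editor sees every String parameter, password fields included.
	 *
	 * @param text the raw request value
	 */
	@Override
	public void setAsText(String text)
	{
		if (text == null) {
			setValue(null);
			return;
		}
		String value = text;
		if (escapeHTML) {
			value = StringEscapeUtils.escapeHtml(value);
		}
		if (escapeJavaScript) {
			// Not StringEscapeUtils.escapeJavaScript: it turns non-ASCII text
			// into \uXXXX escapes, which is unwanted here.
			value = JavaScriptEscapeUtils.javaScriptEscape(value);
		}
		if (escapeSQL) {
			value = StringEscapeUtils.escapeSql(value);
		}
		setValue(value);
	}

	/**
	 * @return the stored value as text, or {@code ""} when nothing is stored
	 */
	@Override
	public String getAsText()
	{
		Object value = getValue();
		return value == null ? "" : value.toString();
	}

	/**
	 * Ad-hoc comparison of the escaping helpers on a script tag and on Chinese
	 * text; all output goes to stdout.
	 */
	public static void main(String[] args)
	{
		String resul = StringEscapeUtils.escapeJavaScript("<script>alert('ok 注入成功!');<\\/script>");
		System.out.println(resul);

		String a = "<html>吃饭</html>";
		System.out.println(StringEscapeUtils.escapeHtml(a));
		System.out.println(StringEscapeUtils.unescapeHtml(StringEscapeUtils.escapeHtml(a)));
		System.out.println(HtmlUtils.htmlEscape(a));
		System.out.println(HtmlUtils.htmlUnescape(HtmlUtils.htmlEscape(a)));

		String scr = "<script>alert('ok 注入成功!');<\\/script>";
		System.out.println(JavaScriptEscapeUtils.javaScriptEscape(scr));
	}
}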

package org.rui.util.editor;

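/**
 * Minimal escaper that maps the four characters {@code " ' < >} to HTML
 * character references.  Despite its name it does not produce JavaScript
 * string escapes ({@code \"}, {@code \n}, {@code \u2028} ...), so the result
 * is only safe when it ends up in an HTML text node or a quoted attribute; it
 * must not be spliced into a JavaScript string literal.  {@code &} is left
 * untouched, so input that is already encoded is not encoded again.
 * <p>
 * The replacement strings must stay as character references: if they are
 * ever rendered back to the bare characters the method becomes a no-op.
 */
public class JavaScriptEscapeUtils
{
	/**
	 * Replaces {@code "}, {@code '}, {@code <} and {@code >} in {@code input}
	 * with {@code &quot;}, {@code &#39;}, {@code &lt;} and {@code &gt;}.
	 * {@code &#39;} is used rather than {@code &apos;}, which HTML 4 parsers
	 * do not know.  Every other character is copied through unchanged.
	 *
	 * @param input the input string, may be {@code null}
	 * @return the string with the four characters replaced, or {@code null}
	 *         when {@code input} is {@code null}
	 */
	public static String javaScriptEscape(String input)
	{
		if (input == null) {
			return null;
		}

		StringBuilder filtered = new StringBuilder(input.length());
		for (int i = 0; i < input.length(); i++) {
			char c = input.charAt(i);
			switch (c) {
				case '"':
					filtered.append("&quot;");
					break;
				case '\'':
					filtered.append("&#39;");
					break;
				case '<':
					filtered.append("&lt;");
					break;
				case '>':
					filtered.append("&gt;");
					break;
				default:
					filtered.append(c);
			}
		}
		return filtered.toString();
	}

	/** Prints a NUL character; left over from manual experiments. */
	public static void main(String[] args)
	{
		System.out.println("\u0000");
	}

}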

