XssHttpServletRequestWrapper过滤器

XssHttpServletRequestWrapper过滤器   先定义需要过滤的变量如下:

private static final String EVENTS = "((?i)onclick|oncontextmenu|ondblclick|onmousedown|onmouseenter|onmouseleave|" +
            "onmousemove|onmouseover|onmouseout|onmouseup|onkeydown|onkeypress|onkeyup|onabort|onbeforeunload|onerror|" +
            "onhashchange|onload|onpageshow|onpagehide|onresize|onscroll|onunload|onblur|onchange|onfocus|onfocusin|" +
            "onfocusout|oninput|onreset|onsearch|onselect|onsubmit|oncopy|oncut|onpaste|onafterprint|onbeforeprint|" +
            "ondrag|ondragend|ondragenter|ondragleave|ondragover|ondragstart|ondrop|onabort|oncanplay|oncanplaythrough|" +
            "ondurationchange|onemptied|onended|onerror|onloadeddata|onloadedmetadata|onloadstart|onpause|onplay|" +
            "onplaying|onprogress|onratechange|onseeked|onseeking|onstalled|onsuspend|ontimeupdate|onvolumechange|" +
            "onwaiting|animationend|animationiteration|animationstart|transitionend|onmessage|onmousewheel|ononline|" +
            "onoffline|onpopstate|onshow|onstorage|ontoggle|onwheel|CAPTURING-PHASE|AT-TARGET|BUBBLING-PHASE|bubbles|" +
            "cancelable|currentTarget|eventPhase|timeStamp|initEvent|preventDefault|stopPropagation|" +
            "addEventListener|dispatchEvent|removeEventListener|handleEvent|createEvent|altKey|clientX|clientY|" +
            "ctrlKey|charCode|keyCode|metaKey|relatedTarget|screenX|screenY|shiftKey|initMouseEvent|" +
            "initKeyboardEvent)";
    private static final String XSS_HTML_TAG = "(src=\"javascript:)|(%3c/frame)|(%3cframe)|(%3c/iframe)|(%3ciframe)|(%3c/script)|(%3cscript)|(set-cookie)|(</frame)|(<frame)|(</iframe)|(<iframe)|(</script)|(<script)|(/%3e)|(%3c/)|(%3e)|(%3c)|(/>)|(</)|(%3c/body)|(%3cbody)|(</body)|(<body)|(%3C)|(%3E)+";
    private static final String XSS_INJECTION = "(('\">)|(%27\"><script>)|(%27\">)|(\"><script>)|(\"<)|(%22%20)|(%22\\s)|('%22)|(%22\\+))\\w.*|(\\s|%20)" + EVENTS
            + ".*|(%3D)|(%7C)";
    private static final String XSS_REGEX = XSS_HTML_TAG + "|" + XSS_INJECTION;
    private static final String SQL_REGEX = "('.+--)|(--)|(\\|)|(%7C)";

涉及到的过滤方法

 public XssHttpServletRequestWrapper(HttpServletRequest request) {
        super(request);
        orgRequest = request;
    }

    /**
     * 覆盖getParameter方法,将参数名和参数值都做xss过滤。
     * 如果需要获得原始的值,则通过super.getParameterValues(name)来获取
     * getParameterNames,getParameterValues和getParameterMap也可能需要覆盖
     */
    @Override
    public String getParameter(String name) {
        String value = super.getParameter(xssEncode(name));
        if (value != null) {
            value = URLDecoder.decode(value.replace("+", "%2B"));
            value = HTMLEncode(value);
            value = xssEncode(value);
        }
        return value;
    }
    /**
     * 覆盖getHeader方法,将参数名和参数值都做xss过滤。 如果需要获得原始的值,则通过super.getHeaders(name)来获取
     * getHeaderNames 也可能需要覆盖
     */
    @Override
    public String getHeader(String name) {

        String value = super.getHeader(xssEncode(name));
        if (value != null) {
            value = URLDecoder.decode(value.replace("+", "%2B"));
            value = HTMLEncode(value);
            value = xssEncode(value);
        }
        return value;
    }

    /**
     * 获取request的属性时,做xss过滤
     */
    @Override
    public Object getAttribute(String name) {
        Object value = super.getAttribute(name);
        if (null != value && value instanceof String) {
            value = URLDecoder.decode(String.valueOf(value).replace("+", "%2B"));
            value = HTMLEncode((String) value);
            value = xssEncode((String) value);
        }
        return value;
    }

 

/**
     * 对一些特殊字符进行转义
     */
    public static String HTMLEncode(String aText) {
        aText = aText.replaceAll(XSS_REGEX, "");
        aText = aText.replaceAll(SQL_REGEX, "");
        final StringBuilder result = new StringBuilder();
        final StringCharacterIterator iterator = new StringCharacterIterator(aText);
        char character = iterator.current();
        while (character != CharacterIterator.DONE) {
            if (character == '<') {
                result.append("&lt;");
            } else if (character == '>') {
                result.append("&gt;");
            } else if (character == '&') {
                result.append("&amp;");
            } else if (character == '\"') {
                result.append("&quot;");
            } else if (character == '\'') {
                result.append("&apos;");
            } else {
                result.append(character);
            }
            character = iterator.next();
        }
        return result.toString();
    }

    public String escape(String s) {
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '>':
                    sb.append('>');// 全角大于号
                    break;
                case '<':
                    sb.append('<');// 全角小于号
                    break;
                case '\'':
                    sb.append('‘');// 全角单引号
                    break;
                case '\"':
                    sb.append('“');// 全角双引号
                    break;
                case '\\':
                    sb.append('\');// 全角斜线
                    break;
                case '%':
                    sb.append('%'); // 全角冒号
                    break;
                default:
                    sb.append(c);
                    break;
            }

        }
        return sb.toString();
    }


    /**
     * 将容易引起xss漏洞的半角字符直接替换成全角字符
     *
     * @param s
     * @return
     */
    public String xssEncode(String s) {
        if (s == null || s.isEmpty()) {
            return s;
        }

        String result = stripXSS(s);
        if (null != result) {
            result = escape(result);
        }

        return result;
    }

    private String stripXSS(String value) {
        if (value != null) {
            // NOTE: It's highly recommended to use the ESAPI library and uncomment the following line to
            // avoid encoded attacks.
            // value = ESAPI.encoder().canonicalize(value);
            // Avoid null characters
            value = value.replaceAll("", "");
            // Avoid anything between script tags
            Pattern scriptPattern = Pattern.compile("<script>(.*?)</script>", Pattern.CASE_INSENSITIVE);
            value = scriptPattern.matcher(value).replaceAll("");
            // Avoid anything in a src='...' type of expression
            scriptPattern = Pattern.compile("src[\r\n]*=[\r\n]*\\\'(.*?)\\\'", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
            value = scriptPattern.matcher(value).replaceAll("");
            scriptPattern = Pattern.compile("src[\r\n]*=[\r\n]*\\\"(.*?)\\\"", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
            value = scriptPattern.matcher(value).replaceAll("");
            // Remove any lonesome </script> tag
            scriptPattern = Pattern.compile("</script>", Pattern.CASE_INSENSITIVE);
            value = scriptPattern.matcher(value).replaceAll("");
            // Remove any lonesome <script ...> tag
            scriptPattern = Pattern.compile("<script(.*?)>", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
            value = scriptPattern.matcher(value).replaceAll("");
            // Avoid eval(...) expressions
            scriptPattern = Pattern.compile("eval\\((.*?)\\)", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
            value = scriptPattern.matcher(value).replaceAll("");
            // Avoid expression(...) expressions
            scriptPattern = Pattern.compile("expression\\((.*?)\\)", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
            value = scriptPattern.matcher(value).replaceAll("");
            // Avoid javascript:... expressions
            scriptPattern = Pattern.compile("javascript:", Pattern.CASE_INSENSITIVE);
            value = scriptPattern.matcher(value).replaceAll("");
            // Avoid vbscript:... expressions
            scriptPattern = Pattern.compile("vbscript:", Pattern.CASE_INSENSITIVE);
            value = scriptPattern.matcher(value).replaceAll("");
            // Avoid onload= expressions
            scriptPattern = Pattern.compile("onload(.*?)=", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
            value = scriptPattern.matcher(value).replaceAll("");

            scriptPattern = Pattern.compile("<iframe>(.*?)</iframe>", Pattern.CASE_INSENSITIVE);
            value = scriptPattern.matcher(value).replaceAll("");

            scriptPattern = Pattern.compile("</iframe>", Pattern.CASE_INSENSITIVE);
            value = scriptPattern.matcher(value).replaceAll("");
            // Remove any lonesome <script ...> tag
            scriptPattern = Pattern.compile("<iframe(.*?)>", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
            value = scriptPattern.matcher(value).replaceAll("");
        }
        return value;
    }

 

评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值