什么是XSS攻击?
XSS攻击使用Javascript脚本注入进行攻击
例如在表单中注入: <script>location.href='http://www.itmayiedu.com'</script>
注意:谷歌浏览器 已经防止了XSS攻击,为了演示效果,最好使用火狐浏览器
解决方案?
使用Fileter过滤器过滤注入标签(将表单中的代码转义成HTML代码)
XSSFilter
public class XssFiterimplements Filter {
public void init(FilterConfigfilterConfig)throws ServletException {
}
public void doFilter(ServletRequestrequest, ServletResponseresponse, FilterChainchain)
throws IOException, ServletException {
HttpServletRequest req = (HttpServletRequest)request;
XssAndSqlHttpServletRequestWrapper xssRequestWrapper =new XssAndSqlHttpServletRequestWrapper(req);
chain.doFilter(xssRequestWrapper,response);
}
public void destroy() {
}
}
XssAndSqlHttpServletRequestWrapper
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import org.apache.commons.lang3.StringEscapeUtils;
import org.apache.commons.lang3.StringUtils;
/**
* 防止XSS攻击
*/
public class XssAndSqlHttpServletRequestWrapperextends HttpServletRequestWrapper {
HttpServletRequest request;
public XssAndSqlHttpServletRequestWrapper(HttpServletRequestrequest) {
super(request);
this.request =request;
}
@Override
public String getParameter(Stringname) {
String value =request.getParameter(name);
System.out.println("name:" +name + "," + value);
if (!StringUtils.isEmpty(value)) {
// 转换Html
value = StringEscapeUtils.escapeHtml4(value);
}
return value;
}
}
本节课用到maven坐标
<!-- https://mvnrepository.com/artifact/org.apache.commons/commons-lang3 -->
<dependency>
<groupId>org.apache.commons</groupId>
<artifactId>commons-lang3</artifactId>
<version>3.4</version>
</dependency>