http://www.it165.net/safe/html/201306/655.html
XSS又叫CSS (Cross Site Scripting),跨站脚本攻击。它指的是恶意攻击者往Web页面里插入恶意html代码,当用户浏览该页之时,嵌入其中的html代码会被执行,从而达到恶意攻击用户的特殊目的。XSS属于被动式的攻击,因为其被动且不好利用,所以许多人常忽略其危害性。
我们这里只是一个简单的例子,不全,我们在springmvc中做一个小的demo,
1.web.xml配置过滤器
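<!-- XSS过滤器 -->
<!-- filter-class must be the fully qualified name of the deployed filter class;
     the Java listing below declares com.kongzhong.passport.filter.XSSCheckFilter,
     so one of the two names has to be adjusted when copying this demo. -->
<filter>
    <filter-name>XSSFilter</filter-name>
    <filter-class>com.hanchao.filter.XssCheckFilter</filter-class>
    <init-param>
        <!-- dispatcher path the filter forwards to when a request is rejected -->
        <param-name>errorPath</param-name>
        <param-value>/views/error.jsp</param-value>
    </init-param>
    <init-param>
        <!-- comma-separated request URIs whose parameters are not checked -->
        <param-name>excludePaths</param-name>
        <param-value>/login</param-value>
    </init-param>
</filter>
<filter-mapping>
    <filter-name>XSSFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>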
2.过滤器代码:
package
com.kongzhong.passport.filter;
import java.io.IOException;
import java.util.Enumeration;
import java.util.Locale;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import com.kongzhong.base.util.KzStringUtil;
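/**
 * Servlet filter that rejects a request when its URI or any request-parameter
 * value contains one of a fixed list of markup/script fragments, forwarding the
 * request to an error page instead of passing it down the chain.
 *
 * <p>Configured through web.xml init-params:
 * <ul>
 *   <li>{@code errorPath} – dispatcher path the rejected request is forwarded to</li>
 *   <li>{@code excludePaths} – comma-separated request URIs whose parameters are not checked</li>
 * </ul>
 *
 * <p>This is a substring denylist: only the fragments in {@code safeless} are
 * detected, and only in the request URI and request parameters (headers and
 * the request body are not inspected). It is a coarse pre-filter and does not
 * replace output encoding in the view layer.
 *
 * <p>{@code errorPath} and {@code excludePaths} are static, so every instance of
 * this filter shares them and the last {@link #init} call wins.
 */
public class XSSCheckFilter implements Filter {

    private FilterConfig config;

    /** Dispatcher path used when a request is rejected (init-param {@code errorPath}). */
    private static String errorPath;

    /** Request URIs, trimmed and lower-cased, whose parameters are not checked. */
    private static String[] excludePaths;

    /** Lower-case fragments that mark a value as unsafe; matched against the lower-cased input. */
    private static final String[] safeless = {
        "<script", "</script",
        "<iframe", "</iframe",
        "<frame", "</frame",
        "set-cookie",
        "%3cscript", "%3c/script",
        "%3ciframe", "%3c/iframe",
        "%3cframe", "%3c/frame",
        "src=\"javascript:",
        "<body", "</body",
        "%3cbody", "%3c/body",
        // left commented out in the original: "<", ">", "</", "/>", "%3c", "%3e", "%3c/", "/%3e"
    };

    /**
     * Checks the request URI and every value of every request parameter; on a hit,
     * sets the {@code err} attribute and forwards to {@code errorPath} (or answers
     * 400 when no error path is configured) without invoking the rest of the chain.
     *
     * @throws IOException      propagated from the dispatcher or the chain
     * @throws ServletException propagated from the dispatcher or the chain
     */
    @Override
    public void doFilter(ServletRequest req, ServletResponse resp, FilterChain filterChain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) resp;

        // getRequestURI() already returns the path part, so the original
        // substring(indexOf("/")) was a no-op and has been dropped.
        String requestUrl = request.getRequestURI();
        boolean safe = isSafe(requestUrl);
        if (safe && !excludeUrl(requestUrl)) {
            safe = parametersAreSafe(req);
        }

        if (!safe) {
            request.setAttribute("err", "您输入的参数有非法字符,请输入正确的参数!");
            if (errorPath == null || errorPath.trim().length() == 0) {
                // No error page configured: still refuse the request rather than
                // fail on getRequestDispatcher(null) or let it through.
                response.sendError(HttpServletResponse.SC_BAD_REQUEST);
            } else {
                request.getRequestDispatcher(errorPath).forward(request, response);
            }
            return;
        }
        filterChain.doFilter(req, resp);
    }

    /**
     * Returns {@code false} if any value of any request parameter is unsafe.
     * Uses getParameterValues so that a parameter sent more than once has all of
     * its values checked, not only the first one returned by getParameter.
     */
    private static boolean parametersAreSafe(ServletRequest req) {
        // Enumeration<?> keeps this compiling against both raw (Servlet 2.5) and
        // parameterised (Servlet 3.0+) declarations of getParameterNames().
        Enumeration<?> names = req.getParameterNames();
        while (names.hasMoreElements()) {
            String[] values = req.getParameterValues((String) names.nextElement());
            if (values == null) {
                continue;
            }
            for (String value : values) {
                if (KzStringUtil.isNotBlank(value) && !isSafe(value)) {
                    return false;
                }
            }
        }
        return true;
    }

    /**
     * Returns {@code true} when {@code str} is blank or contains none of the
     * {@code safeless} fragments (case-insensitive).
     */
    private static boolean isSafe(String str) {
        if (!KzStringUtil.isNotBlank(str)) {
            return true;
        }
        // Locale.ROOT: String.toLowerCase() with no locale uses the JVM default
        // locale, and some locales lower-case letters differently (e.g. "I"),
        // which would make "<SCRIPT" fail to match the "<script" fragment.
        String lowered = str.toLowerCase(Locale.ROOT);
        for (String fragment : safeless) {
            if (lowered.contains(fragment)) {
                return false;
            }
        }
        return true;
    }

    /**
     * Returns {@code true} when {@code url} equals one of the configured exclude
     * paths. Both sides are compared lower-cased; the configured paths are
     * normalised in {@link #init}, so a path written as "/Login" or with
     * surrounding spaces in web.xml now matches instead of being silently ignored.
     */
    private boolean excludeUrl(String url) {
        if (excludePaths == null || excludePaths.length == 0 || url == null) {
            return false;
        }
        String lowered = url.toLowerCase(Locale.ROOT);
        for (String path : excludePaths) {
            if (lowered.equals(path)) {
                return true;
            }
        }
        return false;
    }

    @Override
    public void destroy() {
    }

    /**
     * Reads {@code errorPath} and {@code excludePaths} from the filter config.
     * Exclude paths are split on ',', trimmed and lower-cased so that
     * {@link #excludeUrl} can compare them directly.
     */
    @Override
    public void init(FilterConfig config) throws ServletException {
        this.config = config;
        errorPath = config.getInitParameter("errorPath");
        String excludePath = config.getInitParameter("excludePaths");
        if (KzStringUtil.isNotBlank(excludePath)) {
            String[] parts = excludePath.split(",");
            for (int i = 0; i < parts.length; i++) {
                parts[i] = parts[i].trim().toLowerCase(Locale.ROOT);
            }
            excludePaths = parts;
        }
    }
}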