XSS（跨站脚本）是钓鱼网站常用的攻击方式：攻击者在提交的表单中加入脚本，数据回显到页面时浏览器执行了该脚本；
该脚本可以用来窃取 cookie，或者把用户跳转至钓鱼网站。
解决方法：通过过滤器，在读取请求参数时将 <、> 等 HTML 特殊字符转义。
先新建 Filter 实现类：
package com.group.local.filter;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import java.io.IOException;
/**
* @author: zph
* @data: 2018/10/22 21:00
*/
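public class FilterXss implements Filter {

    /**
     * Nothing is read from the filter's init-params, so there is nothing to set up.
     *
     * @param filterConfig container-supplied configuration (unused)
     */
    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
    }

    /**
     * Wraps each HTTP request in {@link XssHttpServerRequest} so that request
     * parameters read by downstream servlets come back HTML-escaped.
     *
     * <p>Note that this is input escaping: any servlet that reads the request
     * through a method the wrapper does not override still sees the raw value,
     * and proper output encoding in the view layer remains the primary defence.
     *
     * @param servletRequest  the incoming request; only HTTP requests are wrapped
     * @param servletResponse the response, passed through untouched
     * @param filterChain     the rest of the filter chain
     * @throws IOException      propagated from the chain
     * @throws ServletException propagated from the chain
     */
    @Override
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain)
            throws IOException, ServletException {
        if (servletRequest instanceof HttpServletRequest) {
            HttpServletRequest req = (HttpServletRequest) servletRequest;
            filterChain.doFilter(new XssHttpServerRequest(req), servletResponse);
        } else {
            // A non-HTTP request cannot be wrapped; pass it through instead of
            // failing with a ClassCastException on the unchecked cast.
            filterChain.doFilter(servletRequest, servletResponse);
        }
    }

    /** No resources are held, so there is nothing to release. */
    @Override
    public void destroy() {
    }
}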
用装饰器模式包装 request，改变它返回的参数值：
package com.group.local.filter;
import java.util.Collections;
import java.util.LinkedHashMap;
import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import org.apache.commons.lang3.StringEscapeUtils;
import org.apache.commons.lang3.StringUtils;
/**
* @author: zph
* @data: 2018/10/22 21:03
*/
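public class XssHttpServerRequest extends HttpServletRequestWrapper {

    /**
     * Creates a wrapper that HTML-escapes request parameters on read.
     *
     * <p>The wrapped request is reached through {@link #getRequest()} rather than
     * a private copy, so the wrapper stays correct even if {@code setRequest}
     * is later called on it.
     *
     * @param request the request to wrap
     */
    public XssHttpServerRequest(HttpServletRequest request) {
        super(request);
    }

    /**
     * @return the parameter with {@code &}, {@code <}, {@code >} and quotes
     *         replaced by HTML 4 entities; null/empty values are returned as-is
     */
    @Override
    public String getParameter(String name) {
        return escape(super.getParameter(name));
    }

    /**
     * Escapes every value of a multi-valued parameter. Frameworks that bind
     * form data through this method (rather than {@code getParameter}) would
     * otherwise receive the raw values.
     *
     * @return a new escaped array, or null when the parameter is absent
     */
    @Override
    public String[] getParameterValues(String name) {
        return escapeAll(super.getParameterValues(name));
    }

    /**
     * Escapes every value in the parameter map for the same reason as
     * {@link #getParameterValues(String)}.
     *
     * @return an unmodifiable copy with all values escaped
     */
    @Override
    public Map<String, String[]> getParameterMap() {
        Map<String, String[]> raw = super.getParameterMap();
        if (raw == null) {
            return null;
        }
        Map<String, String[]> escaped = new LinkedHashMap<String, String[]>();
        for (Map.Entry<String, String[]> entry : raw.entrySet()) {
            escaped.put(entry.getKey(), escapeAll(entry.getValue()));
        }
        return Collections.unmodifiableMap(escaped);
    }

    /** Escapes each element of the array into a fresh array; null stays null. */
    private static String[] escapeAll(String[] values) {
        if (values == null) {
            return null;
        }
        String[] escaped = new String[values.length];
        for (int i = 0; i < values.length; i++) {
            escaped[i] = escape(values[i]);
        }
        return escaped;
    }

    /**
     * Applies {@code escapeHtml4}; null and empty strings pass through untouched.
     *
     * <p>Caveat: the escaped text is what the application stores, so consumers
     * that are not HTML (JSON, logs, e-mail) will see entities such as
     * {@code &lt;}, and escapeHtml4 does not make a value safe inside a
     * JavaScript or unquoted-attribute context. Newer commons-lang3 releases
     * deprecate this class in favour of commons-text; it is kept here to avoid
     * adding a dependency.
     */
    private static String escape(String value) {
        if (StringUtils.isNotEmpty(value)) {
            return StringEscapeUtils.escapeHtml4(value);
        }
        return value;
    }
}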
在 web.xml 中增加过滤器配置：
<!-- Declare the filter once; filter-class must match the package of FilterXss above. -->
<filter>
<filter-name>FilterXss</filter-name>
<filter-class>com.group.local.filter.FilterXss</filter-class>
</filter>
<!-- Apply it to every URL so no servlet receives unescaped parameters.
     NOTE(review): with no <dispatcher> element this mapping covers only direct
     client requests (REQUEST), not FORWARD/INCLUDE dispatches - confirm that is intended. -->
<filter-mapping>
<filter-name>FilterXss</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>