antisamy的配置以及使用实现XSS防御

一、maven、antisamy介绍以及XSS：

  antisamy是owasp的开源项目，它用来确保用户输入的HTML/CSS符合应用规范的API，可以有效防止xss攻击。它提供了用于验证用户输入的富文本以防御跨站脚本的API，适用于java编写的web项目。它提供了一些标准策略文件，根据自己产品的实际需求，在此基础上配置一份适合自己产品的策略文件。

具体参考

http://anquan.163.com/module/pedia/article-00016.html

二、所需的相关文件：

三、antisamy在eclipse的配置

   

注意Tomcat应用服务器的安装。具体详见 http://jingyan.baidu.com/article/3065b3b6efa9d7becff8a4c6.html

、

转换为maven项目后发现在Libraries下为发现maven的下拉菜单，如下图所示：

解决方法：

修改pom.xml中的代码，即增加以下代码：

     <dependencies>
        <dependency>
            <groupId>log4j</groupId>
            <artifactId>log4j</artifactId>
            <version>1.2.12</version>
        </dependency>
        <dependency>
            <groupId>org.owasp.antisamy</groupId>
            <artifactId>antisamy</artifactId>
            <version>1.5.3</version>
        </dependency>
    </dependencies>

保存后刷新项目即可以看到maven下出现了相关的jar文件，即已经将该jar包进行了下载，而不需要自己在下载在加入path路径：

此时，即将maven和antisamy配置完成。

整体截图：

pom.xml代码：

<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
  <modelVersion>4.0.0</modelVersion>
  <groupId>webTest</groupId>
  <artifactId>webTest</artifactId>
  <version>0.0.1-SNAPSHOT</version>
  <packaging>war</packaging>
  <build>
    <sourceDirectory>src</sourceDirectory>
    <resources>
      <resource>
        <directory>src</directory>
        <excludes>
          <exclude>**/*.java</exclude>
        </excludes>
      </resource>
    </resources>
    <plugins>
      <plugin>
        <artifactId>maven-compiler-plugin</artifactId>
        <version>3.3</version>
        <configuration>
          <source>1.8</source>
          <target>1.8</target>
        </configuration>
      </plugin>
      <plugin>
        <artifactId>maven-war-plugin</artifactId>
        <version>2.6</version>
        <configuration>
          <warSourceDirectory>WebContent</warSourceDirectory>
          <failOnMissingWebXml>false</failOnMissingWebXml>
        </configuration>
      </plugin>
    </plugins>
   </build>
	<dependencies>
		<dependency>
			<groupId>log4j</groupId>
			<artifactId>log4j</artifactId>
			<version>1.2.12</version>
		</dependency>
		<dependency>
			<groupId>org.owasp.antisamy</groupId>
			<artifactId>antisamy</artifactId>
			<version>1.5.3</version>
		</dependency>
	</dependencies>
</project>

增加了以下代码：

四、tomcat安装

这里依赖于【eclipse创建javaweb项目的环境配置】

具体参见http://blog.csdn.net/redarmy_chen/article/details/7048317

也可以参照以下链接安装和部署：

http://jingyan.baidu.com/article/3065b3b6efa9d7becff8a4c6.html

需要注意的是在添加目录时要采用英文名。

五、代码

XssFilter.java代码如下：（注意代码的包的）

import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
public class XssFilter implements Filter {  
@SuppressWarnings("unused")  
private FilterConfig filterConfig;  
public void destroy() {  
    this.filterConfig = null;  
}  
public void doFilter(ServletRequest request, ServletResponse response,  
        FilterChain chain) throws IOException, ServletException {  
    chain.doFilter(new RequestWrapper((HttpServletRequest) request), response);  
}  
public void init(FilterConfig filterConfig) throws ServletException {  
    this.filterConfig = filterConfig;  
}     
} 

相关代码的注释可以参见：

http://blog.csdn.net/goskalrie/article/details/51350736

RequestWrapper.java代码：

import java.util.Iterator;
import java.util.Map;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;

import org.owasp.validator.html.AntiSamy;
import org.owasp.validator.html.CleanResults;
import org.owasp.validator.html.Policy;
import org.owasp.validator.html.PolicyException;
import org.owasp.validator.html.ScanException;

public class RequestWrapper extends HttpServletRequestWrapper {

	public RequestWrapper(HttpServletRequest request) {
		super(request);
	}
	
	@SuppressWarnings({ "rawtypes", "unchecked" })
	public Map<String,String[]> getParameterMap(){
		Map<String,String[]> request_map = super.getParameterMap();
		Iterator iterator = request_map.entrySet().iterator();
		while(iterator.hasNext()){
			Map.Entry me = (Map.Entry)iterator.next();
			//System.out.println(me.getKey()+":");
			String[] values = (String[])me.getValue();
			for(int i = 0 ; i < values.length ; i++){
				System.out.println(values[i]);
				values[i] = xssClean(values[i]);
			}
		}
		return request_map;
	}
	
	@SuppressWarnings({ "rawtypes", "unchecked" })
	public String getParameter(String name) {
		String v=super.getParameter(name);
		if(v==null)
			return null;
		return xssClean(v);
	}
	
	@SuppressWarnings({ "rawtypes", "unchecked" })
	public String[] getParameterValues(String name) {
		String[] v=super.getParameterValues(name);
		if(v==null || v.length==0)
			return v;
		for(int i=0;i<v.length;i++){
				v[i]=xssClean(v[i]);
		}
		return v;
	}

	private String xssClean(String value) {
        AntiSamy antiSamy = new AntiSamy();
        try {
        	Policy policy = Policy.getInstance("/antisamy-slashdot.xml");
        	//CleanResults cr = antiSamy.scan(dirtyInput, policyFilePath); 
            final CleanResults cr = antiSamy.scan(value, policy);
            //瀹夊叏鐨凥TML杈撳嚭
            
            System.out.println("clean:"+cr.getCleanHTML());
            
            return cr.getCleanHTML();
        } catch (ScanException e) {
            e.printStackTrace();
        } catch (PolicyException e) {
            e.printStackTrace();
        }
        return value;
	}
}

web.xml代码：

<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
	xmlns="http://java.sun.com/xml/ns/javaee"
	xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
	id="WebApp_ID" version="2.5">
	<display-name>sdl</display-name>
	<!-- XSS -->
	<filter>
		<filter-name>XSS</filter-name>
		<filter-class>XssFilter</filter-class>
	</filter>

	<filter-mapping>
		<filter-name>XSS</filter-name>
		<url-pattern>/*</url-pattern>
	</filter-mapping>
	<welcome-file-list>
		<welcome-file>index.html</welcome-file>
		<welcome-file>index.htm</welcome-file>
		<welcome-file>index.jsp</welcome-file>
		<welcome-file>default.html</welcome-file>
		<welcome-file>default.htm</welcome-file>
		<welcome-file>default.jsp</welcome-file>
	</welcome-file-list>
</web-app>

六、验证

htmlTest.html代码

<!DOCTYPE html>
<html>
<head>
<meta charset="UTF-8">
<title>Insert title here</title>
</head>
<body>
<form action="main.jsp" method="POST">
First Name: <input type="text" name="first_name">
<br />
Last Name: <input type="text" name="last_name" />
<input type="submit" value="Submit" />
</form>
</body>
</html>

如下所示：

main.jsp代码：

<%@ page language="java" contentType="text/html; charset=ISO-8859-1"
    pageEncoding="ISO-8859-1"%>
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>Insert title here</title>
</head>
<body>
<center>
<h1>Using GET Method to Read Form Data</h1>
<ul>
<li><p><b>First Name:</b>
   <%= request.getParameter("first_name")%>
</p></li>
<li><p><b>Last  Name:</b>
   <%= request.getParameter("last_name")%>
</p></li>
</ul>
</body>
</html>

如下所示：