1. Write your own Filter to intercept requests. Note that when you configure this filter in web.xml, it must be placed first, ahead of every other filter.
2. Use the open-source ESAPI library; reference: https://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API
3. Use the utility classes that ship with Spring.
I. The first method.
Filter configuration in web.xml (the <filter-class> value is the fully qualified name of the XSSFilter class written below; your.package is a placeholder). Put this <filter> and its <filter-mapping> before all others, since filters run in the order of their mappings:
    <filter>
        <filter-name>XssFilter</filter-name>
        <filter-class>your.package.XSSFilter</filter-class>
    </filter>
    <filter-mapping>
        <filter-name>XssFilter</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>
Writing the Filter
    import java.io.IOException;
    import javax.servlet.*;
    import javax.servlet.http.HttpServletRequest;

    public class XSSFilter implements Filter {
        @Override
        public void init(FilterConfig filterConfig) throws ServletException {}

        @Override
        public void destroy() {}

        @Override
        public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
                throws IOException, ServletException {
            // Wrap the request so that every parameter and header read downstream is sanitized
            chain.doFilter(new XSSRequestWrapper((HttpServletRequest) request), response);
        }
    }
Then implement the wrapper class for ServletRequest
    import java.util.regex.Pattern;
    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpServletRequestWrapper;

    public class XSSRequestWrapper extends HttpServletRequestWrapper {
        public XSSRequestWrapper(HttpServletRequest servletRequest) {
            super(servletRequest);
        }

        @Override
        public String[] getParameterValues(String parameter) {
            String[] values = super.getParameterValues(parameter);
            if (values == null) {
                return null;
            }
            int count = values.length;
            String[] encodedValues = new String[count];
            for (int i = 0; i < count; i++) {
                encodedValues[i] = stripXSS(values[i]);
            }
            return encodedValues;
        }

        @Override
        public String getParameter(String parameter) {
            String value = super.getParameter(parameter);
            return stripXSS(value);
        }

        @Override
        public String getHeader(String name) {
            String value = super.getHeader(name);
            return stripXSS(value);
        }

        private String stripXSS(String value) {
            if (value != null) {
                // NOTE: It's highly recommended to use the ESAPI library and uncomment the following line to
                // avoid encoded attacks.
                // value = ESAPI.encoder().canonicalize(value);
                // Avoid null characters
                value = value.replaceAll("\0", "");
                // Avoid anything between script tags
                Pattern scriptPattern = Pattern.compile("<script>(.*?)</script>", Pattern.CASE_INSENSITIVE);
                value = scriptPattern.matcher(value).replaceAll("");
                // Avoid anything in a src="..." type of expression
                scriptPattern = Pattern.compile("src[\r\n]*=[\r\n]*\\\'(.*?)\\\'", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
                value = scriptPattern.matcher(value).replaceAll("");
                scriptPattern = Pattern.compile("src[\r\n]*=[\r\n]*\\\"(.*?)\\\"", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
                value = scriptPattern.matcher(value).replaceAll("");
                // Remove any lonesome </script> tag
                scriptPattern = Pattern.compile("</script>", Pattern.CASE_INSENSITIVE);
                value = scriptPattern.matcher(value).replaceAll("");
                // Remove any lonesome <script ...> tag
                scriptPattern = Pattern.compile("<script(.*?)>", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
                value = scriptPattern.matcher(value).replaceAll("");
                // Avoid eval(...) expressions
                scriptPattern = Pattern.compile("eval\\((.*?)\\)", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
                value = scriptPattern.matcher(value).replaceAll("");
                // Avoid expression(...) expressions
                scriptPattern = Pattern.compile("expression\\((.*?)\\)", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
                value = scriptPattern.matcher(value).replaceAll("");
                // Avoid javascript:... expressions
                scriptPattern = Pattern.compile("javascript:", Pattern.CASE_INSENSITIVE);
                value = scriptPattern.matcher(value).replaceAll("");
                // Avoid vbscript:... expressions
                scriptPattern = Pattern.compile("vbscript:", Pattern.CASE_INSENSITIVE);
                value = scriptPattern.matcher(value).replaceAll("");
                // Avoid onload= expressions
                scriptPattern = Pattern.compile("onload(.*?)=", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
                value = scriptPattern.matcher(value).replaceAll("");
            }
            return value;
        }
    }
The commented-out line in the example is where the ESAPI library would be used to prevent XSS attacks (by canonicalizing encoded input before the patterns run); using it is recommended.
Of course, I have also seen another approach, which converts all of these characters to their full-width equivalents, but personally I think it is not as good as the regular-expression replacement above.
    private static String xssEncode(String s) {
        if (s == null || s.equals("")) {
            return s;
        }
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '>':
                    sb.append('＞'); // full-width greater-than sign
                    break;
                case '<':
                    sb.append('＜'); // full-width less-than sign
                    break;
                case '\'':
                    sb.append('\\'); // single quote becomes a doubled, backslash-escaped quote
                    sb.append('\'');
                    sb.append('\\');
                    sb.append('\'');
                    break;
                case '\"':
                    sb.append('\\'); // backslash-escaped double quote
                    sb.append('\"');
                    break;
                case '&':
                    sb.append('＆'); // full-width ampersand
                    break;
                case '\\':
                    sb.append('＼'); // full-width backslash
                    break;
                case '#':
                    sb.append('＃'); // full-width hash sign
                    break;
                case ':':
                    sb.append('：'); // full-width colon
                    break;
                case '%':
                    sb.append("\\\\%"); // percent sign is backslash-escaped
                    break;
                default:
                    sb.append(c);
                    break;
            }
        }
        return sb.toString();
    }
Of course, there is also the following simpler method:
    private String cleanXSS(String value) {
        // Replace HTML metacharacters with their entities (written here without the spaces some renderings insert)
        value = value.replaceAll("<", "&lt;").replaceAll(">", "&gt;");
        value = value.replaceAll("\\(", "&#40;").replaceAll("\\)", "&#41;");
        value = value.replaceAll("'", "&#39;");
        value = value.replaceAll("eval\\((.*)\\)", "");
        value = value.replaceAll("[\\\"\\\'][\\s]*javascript:(.*)[\\\"\\\']", "\"\"");
        value = value.replaceAll("script", "");
        return value;
    }
How is this done in the back end, or with Spring?
First add the jar commons-lang-2.5.jar, then call these functions in the back-end code:
    import org.apache.commons.lang.StringEscapeUtils;

    StringEscapeUtils.escapeHtml(string);
    StringEscapeUtils.escapeJavaScript(string);
    StringEscapeUtils.escapeSql(string);
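As an added illustration (not code from this blog), the following Python port of the stripXSS() pattern list from method 1 is placed next to entity encoding, the idea behind escapeHtml() in method 3, so the two strategies can be compared on the same input: removal silently changes benign text, while encoding keeps the original recoverable. html.escape stands in for StringEscapeUtils.escapeHtml; the sample strings in the test are constructed.

```python
import html
import re

# Port of the page's stripXSS() blacklist (same patterns, same order), so the
# removal strategy and the encoding strategy can be compared on equal inputs.
_STRIP_PATTERNS = [
    re.compile(r"<script>(.*?)</script>", re.I),
    re.compile(r"src[\r\n]*=[\r\n]*'(.*?)'", re.I | re.M | re.S),
    re.compile(r'src[\r\n]*=[\r\n]*"(.*?)"', re.I | re.M | re.S),
    re.compile(r"</script>", re.I),
    re.compile(r"<script(.*?)>", re.I | re.M | re.S),
    re.compile(r"eval\((.*?)\)", re.I | re.M | re.S),
    re.compile(r"expression\((.*?)\)", re.I | re.M | re.S),
    re.compile(r"javascript:", re.I),
    re.compile(r"vbscript:", re.I),
    re.compile(r"onload(.*?)=", re.I | re.M | re.S),
]


def strip_xss(value):
    """Blacklist removal, mirroring XSSRequestWrapper.stripXSS() from the page."""
    if value is None:
        return None
    value = value.replace("\0", "")          # drop NUL characters
    for pattern in _STRIP_PATTERNS:
        value = pattern.sub("", value)       # delete every match outright
    return value


def escape_html(value):
    """Output encoding, the idea behind StringEscapeUtils.escapeHtml()."""
    if value is None:
        return None
    return html.escape(value, quote=True)    # < > & " ' become entities


def compare(value):
    """Return (stripped, escaped, stripping_changed_input, escaping_is_reversible)."""
    stripped = strip_xss(value)
    escaped = escape_html(value)
    return (stripped, escaped, stripped != value, html.unescape(escaped) == value)
```

A benign comment such as "Never call eval(userInput) in JS" loses its middle under stripping, whereas the encoded form renders as the literal text and decodes back to exactly what the user typed.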
Copyright notice: this article is the blogger's original work and may not be reproduced without the blogger's permission. https://blog.csdn.net/liaozhongping/article/details/48649389