xss防御:
1、尽量少将域名的domain设为域名的根下面,减少分站xss漏洞对主站的影响;
2、对输入的数据进行过滤检查:
- public static String htmlSpecialChars(final String s) {
- String result = s;
- result = regexReplace("&", "&", result);
- result = regexReplace("\"", """, result);
- result = regexReplace("<", "<", result);
- result = regexReplace(">", ">", result);
- return result;
- }
注意:CSS的行为方式也会有JavaScript的执行:
<style type="text/css" >
#content { height: expression(alert('test xss') ); }
</style>
如果要支持html可以使用这个过滤器(附件,开源的)
- 例子
- {
- final ArrayList<Attribute> span_atts = new ArrayList<Attribute>();
- Map<String, Pattern> allowedAttrValues = new HashMap<String, Pattern>();
- allowedAttrValues.put(“color”, Pattern.compile(“(#([0-9a-fA-F]{6}|[0-9a-fA-F]{3}))”));
- allowedAttrValues.put(“font-weight”, Pattern.compile(“bold”));
- allowedAttrValues.put(“text-align”, Pattern.compile(“(center|right|justify)”));
- allowedAttrValues.put(“font-style”, Pattern.compile(“italic”));
- allowedAttrValues.put(“text-decoration”, Pattern.compile(“underline”));
- allowedAttrValues.put(“margin-left”, Pattern.compile(“[0-9]+px”));
- allowedAttrValues.put(“text-align”, Pattern.compile(“center”));
- span_atts.add(new Attribute(“style”, allowedAttrValues));
- vAllowed.put(“span”, span_atts);
- }
- {
- final ArrayList<Attribute> div_atts = new ArrayList<Attribute>();
- div_atts.add(new Attribute(“class”));
- div_atts.add(new Attribute(“align”));
- vAllowed.put(“div”, div_atts);
- }
- * 2. 调用类似这样的函数String outHtml = HetaoBlogXssHTMLFilter.filter(sourceHtmlString);
3、针对图片的上传需要检测是否是正确的图片格式是否是伪格式 ,图片服务器尽量不开启程序(java,php,.net)功能或对图片格式不做程序解析;
防御CSRF:
在Web应用程序侧防御CSRF漏洞,一般都是利用referer判断输入端的url来源、或使用token或者使用JavaScript看不见的验证码;
转载于:https://blog.51cto.com/linxucn/704256