java xss 配置不作用_Spring防止Xss配置

本文介绍了如何在Spring项目中配置和使用XssFilter,通过web.xml和自定义的XssFilter及XssHttpServletRequestWrapperNew类,对HTTP请求的参数和头信息进行XSS过滤,以增强应用程序的安全性。
摘要由CSDN通过智能技术生成

web.xml配置

<!-- xss过滤器 -->

<filter>

<filter-name>XssFilter</filter-name>

<filter-class>com.zyyt.sipctask.common.filter.XssFilter</filter-class>

</filter>

<filter-mapping>

<filter-name>XssFilter</filter-name>

<url-pattern>/*</url-pattern>

</filter-mapping>

XssFilter.java

package com.zyyt.sipctask.common.filter;

import java.io.IOException;

import javax.servlet.Filter;

import javax.servlet.FilterChain;

import javax.servlet.FilterConfig;

import javax.servlet.ServletException;

import javax.servlet.ServletRequest;

import javax.servlet.ServletResponse;

import javax.servlet.http.HttpServletRequest;

public class XssFilter implements Filter {

FilterConfig filterConfig = null;

public void init(FilterConfig filterConfig) throws ServletException {

this.filterConfig = filterConfig;

}

public void destroy() {

this.filterConfig = null;

}

public void doFilter(ServletRequest request, ServletResponse response,

FilterChain chain) throws IOException, ServletException {

chain.doFilter(new XssHttpServletRequestWrapperNew(

(HttpServletRequest) request), response);

}

}

XssHttpServletRequestWrapperNew.java

package com.zyyt.sipctask.common.filter;

import java.text.CharacterIterator;

import java.text.StringCharacterIterator;

import java.util.regex.Pattern;

import javax.servlet.http.HttpServletRequest;

import javax.servlet.http.HttpServletRequestWrapper;

public class XssHttpServletRequestWrapperNew extends HttpServletRequestWrapper {

HttpServletRequest orgRequest = null;

public XssHttpServletRequestWrapperNew(HttpServletRequest request) {

super(request);

orgRequest = request;

}

/**

* 覆盖getParameter方法,将参数名和参数值都做xss过滤。

* 如果需要获得原始的值,则通过super.getParameterValues(name)来获取

* getParameterNames,getParameterValues和getParameterMap也可能需要覆盖

*/

@Override

public String getParameter(String name) {

String value = super.getParameter(xssEncode(name));

if (value != null) {

value = xssEncode(value);

value = HTMLEncode(value);

}

return value;

}

/**

* spring是使用的getParameterValues方法

*/

@Override

public String[] getParameterValues(String name) {

String[] value = super.getParameterValues(name);

if (value == null) {

return null;

}

for (int i = 0;i < value.length;i++) {

value[i] = xssEncode(value[i]);

value[i] = HTMLEncode(value[i]);

}

return value;

}

/**

* 对一些特殊字符进行转义

*

*

*/

public static String HTMLEncode(String aText) {

final StringBuilder result = new StringBuilder();

final StringCharacterIterator iterator = new StringCharacterIterator(aText);

char character = iterator.current();

while (character != CharacterIterator.DONE) {

if (character == '<') {

result.append("<");

} else if (character == '>') {

result.append(">");

} else if (character == '\"') {

result.append("`");

} else {

// the char is not a special one

// add it to the result as is

result.append(character);

}

character = iterator.next();

}

return result.toString();

}

/**

* 覆盖getHeader方法,将参数名和参数值都做xss过滤。 如果需要获得原始的值,则通过super.getHeaders(name)来获取

* getHeaderNames 也可能需要覆盖

*/

@Override

public String getHeader(String name) {

String value = super.getHeader(xssEncode(name));

if (value != null) {

value = xssEncode(value);

}

return value;

}

/**

* 将容易引起xss漏洞的半角字符直接替换成全角字符

* 目前xssProject对注入代码要求是必须开始标签和结束标签(如<script></script>)正确匹配才能解析,否则报错;因此只能替换调xssProject换为自定义实现

*

* @param s

* @return

*/

private static String xssEncode(String s) {

//

// if (s == null || s.isEmpty()) {

// return s;

// }

//

// StringReader reader = new StringReader(s);

// StringWriter writer = new StringWriter();

// try {

// HTMLParser.process(reader, writer, new XSSFilter(), true);

//

// String result = writer.toString();

//

// System.out.println("xssEncode-------------------------" + s + " = "

// + result);

//

// return result;

// } catch (NullPointerException e) {

// return s;

// } catch (Exception ex) {

// ex.printStackTrace();

// }

//

// return null;

if (s == null || s.isEmpty()) {

return s;

}

String result = stripXSS(s);

if (null != result) {

result = escape(result);

}

return result;

}

public static String escape(String s) {

StringBuilder sb = new StringBuilder(s.length() + 16);

for (int i = 0; i < s.length(); i++) {

char c = s.charAt(i);

switch (c) {

case '>':

sb.append('>');// 全角大于号

break;

case '<':

sb.append('<');// 全角小于号

break;

case '\'':

sb.append('‘');// 全角单引号

break;

case '\"':

sb.append('“');// 全角双引号

break;

case '\\':

sb.append('\');// 全角斜线

break;

case '%':

sb.append('%'); // 全角冒号

break;

default:

sb.append(c);

break;

}

}

return sb.toString();

}

private static String stripXSS(String value) {

if (value != null) {

// NOTE: It's highly recommended to use the ESAPI library and

// uncomment the following line to

// avoid encoded attacks.

// value = ESAPI.encoder().canonicalize(value);

// Avoid null characters

value = value.replaceAll("", "");

// Avoid anything between script tags

Pattern scriptPattern = Pattern.compile("<script>(.*?)</script>", Pattern.CASE_INSENSITIVE);

value = scriptPattern.matcher(value).replaceAll("");

// Avoid anything in a src='...' type of expression

scriptPattern = Pattern.compile("src[\r\n]*=[\r\n]*\\\'(.*?)\\\'",

Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);

value = scriptPattern.matcher(value).replaceAll("");

scriptPattern = Pattern.compile("src[\r\n]*=[\r\n]*\\\"(.*?)\\\"",

Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);

value = scriptPattern.matcher(value).replaceAll("");

// Remove any lonesome </script> tag

scriptPattern = Pattern.compile("</script>", Pattern.CASE_INSENSITIVE);

value = scriptPattern.matcher(value).replaceAll("");

// Remove any lonesome <script ...> tag

scriptPattern = Pattern.compile("<script(.*?)>",

Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);

value = scriptPattern.matcher(value).replaceAll("");

// Avoid eval(...) expressions

scriptPattern = Pattern.compile("eval\\((.*?)\\)",

Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);

value = scriptPattern.matcher(value).replaceAll("");

// Avoid expression(...) expressions

scriptPattern = Pattern.compile("expression\\((.*?)\\)",

Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);

value = scriptPattern.matcher(value).replaceAll("");

// Avoid javascript:... expressions

scriptPattern = Pattern.compile("javascript:", Pattern.CASE_INSENSITIVE);

value = scriptPattern.matcher(value).replaceAll("");

value = scriptPattern.matcher(value).replaceAll("");

// Avoid οnlοad= expressions

scriptPattern = Pattern.compile("onload(.*?)=",

Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);

value = scriptPattern.matcher(value).replaceAll("");

scriptPattern = Pattern.compile("<iframe>(.*?)</iframe>", Pattern.CASE_INSENSITIVE);

value = scriptPattern.matcher(value).replaceAll("");

scriptPattern = Pattern.compile("</iframe>", Pattern.CASE_INSENSITIVE);

value = scriptPattern.matcher(value).replaceAll("");

// Remove any lonesome <script ...> tag

scriptPattern = Pattern.compile("<iframe(.*?)>",

Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);

value = scriptPattern.matcher(value).replaceAll("");

}

return value;

}

/**

* 获取最原始的request

*

* @return

*/

public HttpServletRequest getOrgRequest() {

return orgRequest;

}

/**

* 获取最原始的request的静态方法

*

* @return

*/

public static HttpServletRequest getOrgRequest(HttpServletRequest req) {

if (req instanceof XssHttpServletRequestWrapperNew) {

return ((XssHttpServletRequestWrapperNew) req).getOrgRequest();

}

return req;

}

}

  • 0
    点赞
  • 0
    收藏
    觉得还不错? 一键收藏
  • 0
    评论
Spring Cloud 项目中,通常会使用 Spring Cloud Gateway 作为网关,可以通过自定义过滤器来实现 XSS 过滤。 以下是一个使用 Spring Cloud Gateway 实现 XSS 过滤的示例: 1. 引入依赖 在 pom.xml 文件中添加以下依赖: ```xml <dependency> <groupId>org.springframework.cloud</groupId> <artifactId>spring-cloud-starter-gateway</artifactId> </dependency> <dependency> <groupId>com.googlecode.htmlcompressor</groupId> <artifactId>htmlcompressor</artifactId> <version>1.5.3</version> </dependency> ``` 其中,`htmlcompressor` 是一个开源的 HTML 压缩工具,可以用来过滤 XSS 攻击。 2. 实现过滤器 创建一个名为`XssFilter`的过滤器,实现`GatewayFilter`接口,重写`filter`方法,在该方法中对请求和响应进行过滤。 ```java public class XssFilter implements GatewayFilter { private final HtmlCompressor compressor; public XssFilter() { compressor = new HtmlCompressor(); compressor.setPreserveLineBreaks(false); compressor.setRemoveComments(true); compressor.setRemoveIntertagSpaces(true); } @Override public Mono<Void> filter(ServerWebExchange exchange, GatewayFilterChain chain) { ServerHttpRequest request = exchange.getRequest(); ServerHttpResponse response = exchange.getResponse(); HttpHeaders headers = response.getHeaders(); MediaType mediaType = headers.getContentType(); if (mediaType != null && mediaType.isCompatibleWith(MediaType.TEXT_HTML)) { return chain.filter(exchange.mutate() .request(wrapRequest(request)) .response(wrapResponse(response)) .build()); } return chain.filter(exchange); } private ServerHttpRequest wrapRequest(ServerHttpRequest request) { return new ServerHttpRequestDecorator(request) { @Override public Flux<DataBuffer> getBody() { return super.getBody().map(buffer -> { byte[] bytes = new byte[buffer.readableByteCount()]; buffer.read(bytes); DataBufferUtils.release(buffer); String body = new String(bytes, StandardCharsets.UTF_8); return bufferFactory().wrap(compressor.compress(body).getBytes(StandardCharsets.UTF_8)); }); } }; } private ServerHttpResponse wrapResponse(ServerHttpResponse response) { return new ServerHttpResponseDecorator(response) { @Override public Mono<Void> writeWith(Publisher<? extends DataBuffer> body) { if (body instanceof Flux) { Flux<? extends DataBuffer> fluxBody = (Flux<? extends DataBuffer>) body; return super.writeWith(fluxBody.map(buffer -> { byte[] bytes = new byte[buffer.readableByteCount()]; buffer.read(bytes); DataBufferUtils.release(buffer); String bodyStr = new String(bytes, StandardCharsets.UTF_8); return bufferFactory().wrap(compressor.compress(bodyStr).getBytes(StandardCharsets.UTF_8)); })); } return super.writeWith(body); } }; } } ``` 在上述代码中,通过`HtmlCompressor`压缩 HTML 代码,来过滤恶意脚本。`wrapRequest`方法和`wrapResponse`方法分别对请求和响应进行过滤。需要注意的是,在响应中的`writeWith`方法中,需要判断响应流是否为`Flux`类型,如果是,则需要对每个`DataBuffer`进行过滤。 3. 配置过滤器 在 Spring Cloud Gateway 中配置过滤器需要在配置类中实现`GatewayFilterFactory`接口,实现`apply`方法,返回一个自定义的过滤器实例。 ```java @Configuration public class GatewayConfig { @Bean public XssGatewayFilterFactory xssGatewayFilterFactory() { return new XssGatewayFilterFactory(); } public static class XssGatewayFilterFactory extends AbstractGatewayFilterFactory<Object> { @Override public GatewayFilter apply(Object config) { return new XssFilter(); } @Override public List<String> shortcutFieldOrder() { return Collections.emptyList(); } } } ``` 在上述代码中,定义了一个名为`XssGatewayFilterFactory`的过滤器工厂,返回一个`XssFilter`过滤器实例。在`shortcutFieldOrder`方法中返回一个空列表,表示不需要任何配置参数。 4. 配置路由 在配置路由时,将`XssGatewayFilterFactory`加入到过滤器链中。 ```yaml spring: cloud: gateway: routes: - id: example uri: http://example.com filters: - xss ``` 在上述配置中,将`XssGatewayFilterFactory`定义的过滤器加入到路由的过滤器链中,即可实现 XSS 过滤。 需要注意的是,在实际应用中,还需要根据具体情况进行适当调整和优化。例如,可以根据请求和响应头中的`Content-Type`判断是否需要进行过滤,以提高性能。
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值