java修复xss漏洞

最新推荐文章于 2024-09-11 15:18:15 发布
最新推荐文章于 2024-09-11 15:18:15 发布
阅读量3.3k 收藏 9
点赞数 5
分类专栏: # java 开发
版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。
本文链接:https://blog.csdn.net/weixin_43876557/article/details/107658763
版权
开发 同时被 2 个专栏收录
15 篇文章 0 订阅
订阅专栏
java
10 篇文章 0 订阅
订阅专栏

JAVA修复XSS漏洞

方案一:

对于请求中是封装好的对象或者以属性名作为参数的都适用以下解决方案:
封装好的对象,如:
在这里插入图片描述
使用属性名作为参数,如:
在这里插入图片描述
以/updateRole和/addRole作为例子,这两个方法中都需要对前台输入的参数进行过滤。

1.添加过滤器

import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;

import org.apache.log4j.Logger;


public class XSSAttackInterceptor implements Filter {

    private static final long serialVersionUID = 7427725804042693717L;

    private Logger logger = Logger.getLogger(XSSAttackInterceptor.class);

    @Override
    public void init(FilterConfig filterConfig) throws ServletException {

    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain filterChain) throws IOException, ServletException {
        XssHttpServletRequestWrapper xssRequest = new XssHttpServletRequestWrapper((HttpServletRequest) request);
        filterChain.doFilter(xssRequest, response);
    }

    @Override
    public void destroy() {

    }
}

import java.util.regex.Pattern;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;


public class XssHttpServletRequestWrapper extends HttpServletRequestWrapper {
    public XssHttpServletRequestWrapper(HttpServletRequest servletRequest) {
        super(servletRequest);
    }

    public String[] getParameterValues(String parameter) {
        String[] values = super.getParameterValues(parameter);
        if (values == null) {
            return null;
        }
        int count = values.length;
        String[] encodedValues = new String[count];
        for (int i = 0; i < count; i++) {
            encodedValues[i] = cleanXSS(values[i]);
        }
        return encodedValues;
    }

    public String getParameter(String parameter) {
        String value = super.getParameter(parameter);
        if (value == null) {
            return null;
        }
        return cleanXSS(value);
    }

    public String getQueryString() {
        String value = super.getQueryString();
        if (value == null) {
            return null;
        }
        return cleanXSS(value);
    }

    public String getHeader(String name) {
        String value = super.getHeader(name);
        if (value == null)
            return null;
        return cleanXSS(value);
    }

    private String cleanXSS(String value) {
        if (value != null) {
            //删除script标签
            Pattern compile = Pattern.compile("<script>(.*?)</script>", Pattern.CASE_INSENSITIVE);
            value = compile.matcher(value).replaceAll("");
            compile = Pattern.compile("src[\r\n]*=[\r\n]*\\\'(.*?)\\\'", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
            value = compile.matcher(value).replaceAll("");
            compile = Pattern.compile("src[\r\n]*=[\r\n]*\\\"(.*?)\\\"", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
            value = compile.matcher(value).replaceAll("");
            // 删除单个的 </script> 标签
            compile = Pattern.compile("</script>", Pattern.CASE_INSENSITIVE);
            value = compile.matcher(value).replaceAll("");
            // 删除单个的<script ...> 标签
            compile = Pattern.compile("<script(.*?)>", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
            value = compile.matcher(value).replaceAll("");
            // 避免 eval(...) 形式表达式
            compile = Pattern.compile("eval\\((.*?)\\)", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
            value = compile.matcher(value).replaceAll("");
            // 避免 e­xpression(...) 表达式
            compile = Pattern.compile("e­xpression\\((.*?)\\)", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
            value = compile.matcher(value).replaceAll("");
            // 避免 javascript: 表达式
            compile = Pattern.compile("javascript:", Pattern.CASE_INSENSITIVE);
            value = compile.matcher(value).replaceAll("");
            // 避免 vbscript:表达式
            compile = Pattern.compile("vbscript:", Pattern.CASE_INSENSITIVE);
            value = compile.matcher(value).replaceAll("");
            value = cleanEventAttact(value);
            //替换特殊标签
            value = value.replaceAll("<", "&lt;").replaceAll(">", "&gt;");
        }
        return value;
    }

    /**
     * 屏蔽页面注入的所有html事件攻击
     *
     * @param value
     * @return
     */
    public String cleanEventAttact(String value) {
        //避免οnclick= 表达式
        Pattern compile = Pattern.compile("onafterprint(.*?)=", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
        value = compile.matcher(value).replaceAll("");
        compile = Pattern.compile("onbeforeprint(.*?)=", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
        value = compile.matcher(value).replaceAll("");
        compile = Pattern.compile("onbeforeunload(.*?)=", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
        value = compile.matcher(value).replaceAll("");
        compile = Pattern.compile("onerror(.*?)=", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
        value = compile.matcher(value).replaceAll("");
        compile = Pattern.compile("onhaschange(.*?)=", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
        value = compile.matcher(value).replaceAll("");
        compile = Pattern.compile("onload(.*?)=", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
        value = compile.matcher(value).replaceAll("");
        compile = Pattern.compile("onmessage(.*?)=", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
        value = compile.matcher(value).replaceAll("");
        compile = Pattern.compile("onoffline(.*?)=", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
        value = compile.matcher(value).replaceAll("");
        compile = Pattern.compile("ononline(.*?)=", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
        value = compile.matcher(value).replaceAll("");
        compile = Pattern.compile("onpagehide(.*?)=", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
        value = compile.matcher(value).replaceAll("");
        compile = Pattern.compile("onpageshow(.*?)=", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
        value = compile.matcher(value).replaceAll("");
        compile = Pattern.compile("onpopstate(.*?)=", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
        value = compile.matcher(value).replaceAll("");
        compile = Pattern.compile("onredo(.*?)=", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
        value = compile.matcher(value).replaceAll("");
        compile = Pattern.compile("onresize(.*?)=", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
        value = compile.matcher(value).replaceAll("");
        compile = Pattern.compile("onstorage(.*?)=", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
        value = compile.matcher(value).replaceAll("");
        compile = Pattern.compile("onundo(.*?)=", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
        value = compile.matcher(value).replaceAll("");
        compile = Pattern.compile("onunload(.*?)=", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
        value = compile.matcher(value).replaceAll("");
        compile = Pattern.compile("onblur(.*?)=", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
        value = compile.matcher(value).replaceAll("");
        compile = Pattern.compile("onchange(.*?)=", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
        value = compile.matcher(value).replaceAll("");
        compile = Pattern.compile("oncontextmenu(.*?)=", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
        value = compile.matcher(value).replaceAll("");
        compile = Pattern.compile("onfocus(.*?)=", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
        value = compile.matcher(value).replaceAll("");
        compile = Pattern.compile("onformchange(.*?)=", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
        value = compile.matcher(value).replaceAll("");
        compile = Pattern.compile("onforminput(.*?)=", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
        value = compile.matcher(value).replaceAll("");
        compile = Pattern.compile("oninput(.*?)=", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
        value = compile.matcher(value).replaceAll("");
        compile = Pattern.compile("oninvalid(.*?)=", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
        value = compile.matcher(value).replaceAll("");
        compile = Pattern.compile("onreset(.*?)=", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
        value = compile.matcher(value).replaceAll("");
        compile = Pattern.compile("onselect(.*?)=", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
        value = compile.matcher(value).replaceAll("");
        compile = Pattern.compile("onsubmit(.*?)=", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
        value = compile.matcher(value).replaceAll("");
        compile = Pattern.compile("onkeydown(.*?)=", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
        value = compile.matcher(value).replaceAll("");
        compile = Pattern.compile("onkeypress(.*?)=", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
        value = compile.matcher(value).replaceAll("");
        compile = Pattern.compile("onkeyup(.*?)=", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
        value = compile.matcher(value).replaceAll("");
        compile = Pattern.compile("onclick(.*?)=", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
        value = compile.matcher(value).replaceAll("");
        compile = Pattern.compile("ondblclick(.*?)=", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
        value = compile.matcher(value).replaceAll("");
        compile = Pattern.compile("ondrag(.*?)=", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
        value = compile.matcher(value).replaceAll("");
        compile = Pattern.compile("ondragend(.*?)=", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
        value = compile.matcher(value).replaceAll("");
        compile = Pattern.compile("ondragenter(.*?)=", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
        value = compile.matcher(value).replaceAll("");
        compile = Pattern.compile("ondragleave(.*?)=", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
        value = compile.matcher(value).replaceAll("");
        compile = Pattern.compile("ondragover(.*?)=", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
        value = compile.matcher(value).replaceAll("");
        compile = Pattern.compile("ondragstart(.*?)=", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
        value = compile.matcher(value).replaceAll("");
        compile = Pattern.compile("ondrop(.*?)=", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
        value = compile.matcher(value).replaceAll("");
        compile = Pattern.compile("onmousedown(.*?)=", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
        value = compile.matcher(value).replaceAll("");
        compile = Pattern.compile("onmousemove(.*?)=", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
        value = compile.matcher(value).replaceAll("");
        compile = Pattern.compile("onmouseout(.*?)=", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
        value = compile.matcher(value).replaceAll("");
        compile = Pattern.compile("onmouseover(.*?)=", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
        value = compile.matcher(value).replaceAll("");
        compile = Pattern.compile("onmouseenter(.*?)=", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
        value = compile.matcher(value).replaceAll("");
        compile = Pattern.compile("onmouseup(.*?)=", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
        value = compile.matcher(value).replaceAll("");
        compile = Pattern.compile("onmousewheel(.*?)=", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
        value = compile.matcher(value).replaceAll("");
        compile = Pattern.compile("onscroll(.*?)=", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
        value = compile.matcher(value).replaceAll("");
        value = value.replace("document", "");//页面屏蔽document字样
        value = value.replace("alert", "");//页面屏蔽alert字样
        return value;
    }
}

2.添加配置

修改web.xml,添加过滤器配置:

<filter>
  <filter-name>XSSAttackInterceptor</filter-name>
  <filter-class>com.xxjf.filter.XSSAttackInterceptor</filter-class>
</filter>
<filter-mapping>
  <filter-name>XSSAttackInterceptor</filter-name>
  <url-pattern>/addRole</url-pattern>
</filter-mapping>
<filter-mapping>
  <filter-name>XSSAttackInterceptor</filter-name>
  <url-pattern>/updateRole</url-pattern>
</filter-mapping>

方案二:

对于其他并不能直接获取到参数类型的情况,如下:
在这里插入图片描述
对于该情况,只能从请求中获取参数一个一个的去判断过滤,此时只能使用工具类。

1.工具类

import java.util.regex.Pattern;

public class XSSFilterUtils {

	 public static String cleanXSS(String value) {
	        if (value != null) {
	            //删除script标签
	            Pattern compile = Pattern.compile("<script>(.*?)</script>", Pattern.CASE_INSENSITIVE);
	            value = compile.matcher(value).replaceAll("");
	            compile = Pattern.compile("src[\r\n]*=[\r\n]*\\\'(.*?)\\\'", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
	            value = compile.matcher(value).replaceAll("");
	            compile = Pattern.compile("src[\r\n]*=[\r\n]*\\\"(.*?)\\\"", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
	            value = compile.matcher(value).replaceAll("");
	            // 删除单个的 </script> 标签
	            compile = Pattern.compile("</script>", Pattern.CASE_INSENSITIVE);
	            value = compile.matcher(value).replaceAll("");
	            // 删除单个的<script ...> 标签
	            compile = Pattern.compile("<script(.*?)>", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
	            value = compile.matcher(value).replaceAll("");
	            // 避免 eval(...) 形式表达式
	            compile = Pattern.compile("eval\\((.*?)\\)", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
	            value = compile.matcher(value).replaceAll("");
	            // 避免 e­xpression(...) 表达式
	            compile = Pattern.compile("e­xpression\\((.*?)\\)", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
	            value = compile.matcher(value).replaceAll("");
	            // 避免 javascript: 表达式
	            compile = Pattern.compile("javascript:", Pattern.CASE_INSENSITIVE);
	            value = compile.matcher(value).replaceAll("");
	            // 避免 vbscript:表达式
	            compile = Pattern.compile("vbscript:", Pattern.CASE_INSENSITIVE);
	            value = compile.matcher(value).replaceAll("");
	            value = cleanEventAttact(value);
	            //替换特殊标签
	            value = value.replaceAll("<", "&lt;").replaceAll(">", "&gt;");
	        }
	        return value;
	    }
	 /**
	     * 屏蔽页面注入的所有html事件攻击
	     *
	     * @param value
	     * @return
	     */
	    public static String cleanEventAttact(String value) {
	        //避免οnclick= 表达式
	        Pattern compile = Pattern.compile("onafterprint(.*?)=", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
	        value = compile.matcher(value).replaceAll("");
	        compile = Pattern.compile("onbeforeprint(.*?)=", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
	        value = compile.matcher(value).replaceAll("");
	        compile = Pattern.compile("onbeforeunload(.*?)=", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
	        value = compile.matcher(value).replaceAll("");
	        compile = Pattern.compile("onerror(.*?)=", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
	        value = compile.matcher(value).replaceAll("");
	        compile = Pattern.compile("onhaschange(.*?)=", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
	        value = compile.matcher(value).replaceAll("");
	        compile = Pattern.compile("onload(.*?)=", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
	        value = compile.matcher(value).replaceAll("");
	        compile = Pattern.compile("onmessage(.*?)=", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
	        value = compile.matcher(value).replaceAll("");
	        compile = Pattern.compile("onoffline(.*?)=", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
	        value = compile.matcher(value).replaceAll("");
	        compile = Pattern.compile("ononline(.*?)=", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
	        value = compile.matcher(value).replaceAll("");
	        compile = Pattern.compile("onpagehide(.*?)=", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
	        value = compile.matcher(value).replaceAll("");
	        compile = Pattern.compile("onpageshow(.*?)=", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
	        value = compile.matcher(value).replaceAll("");
	        compile = Pattern.compile("onpopstate(.*?)=", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
	        value = compile.matcher(value).replaceAll("");
	        compile = Pattern.compile("onredo(.*?)=", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
	        value = compile.matcher(value).replaceAll("");
	        compile = Pattern.compile("onresize(.*?)=", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
	        value = compile.matcher(value).replaceAll("");
	        compile = Pattern.compile("onstorage(.*?)=", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
	        value = compile.matcher(value).replaceAll("");
	        compile = Pattern.compile("onundo(.*?)=", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
	        value = compile.matcher(value).replaceAll("");
	        compile = Pattern.compile("onunload(.*?)=", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
	        value = compile.matcher(value).replaceAll("");
	        compile = Pattern.compile("onblur(.*?)=", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
	        value = compile.matcher(value).replaceAll("");
	        compile = Pattern.compile("onchange(.*?)=", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
	        value = compile.matcher(value).replaceAll("");
	        compile = Pattern.compile("oncontextmenu(.*?)=", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
	        value = compile.matcher(value).replaceAll("");
	        compile = Pattern.compile("onfocus(.*?)=", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
	        value = compile.matcher(value).replaceAll("");
	        compile = Pattern.compile("onformchange(.*?)=", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
	        value = compile.matcher(value).replaceAll("");
	        compile = Pattern.compile("onforminput(.*?)=", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
	        value = compile.matcher(value).replaceAll("");
	        compile = Pattern.compile("oninput(.*?)=", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
	        value = compile.matcher(value).replaceAll("");
	        compile = Pattern.compile("oninvalid(.*?)=", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
	        value = compile.matcher(value).replaceAll("");
	        compile = Pattern.compile("onreset(.*?)=", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
	        value = compile.matcher(value).replaceAll("");
	        compile = Pattern.compile("onselect(.*?)=", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
	        value = compile.matcher(value).replaceAll("");
	        compile = Pattern.compile("onsubmit(.*?)=", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
	        value = compile.matcher(value).replaceAll("");
	        compile = Pattern.compile("onkeydown(.*?)=", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
	        value = compile.matcher(value).replaceAll("");
	        compile = Pattern.compile("onkeypress(.*?)=", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
	        value = compile.matcher(value).replaceAll("");
	        compile = Pattern.compile("onkeyup(.*?)=", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
	        value = compile.matcher(value).replaceAll("");
	        compile = Pattern.compile("onclick(.*?)=", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
	        value = compile.matcher(value).replaceAll("");
	        compile = Pattern.compile("ondblclick(.*?)=", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
	        value = compile.matcher(value).replaceAll("");
	        compile = Pattern.compile("ondrag(.*?)=", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
	        value = compile.matcher(value).replaceAll("");
	        compile = Pattern.compile("ondragend(.*?)=", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
	        value = compile.matcher(value).replaceAll("");
	        compile = Pattern.compile("ondragenter(.*?)=", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
	        value = compile.matcher(value).replaceAll("");
	        compile = Pattern.compile("ondragleave(.*?)=", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
	        value = compile.matcher(value).replaceAll("");
	        compile = Pattern.compile("ondragover(.*?)=", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
	        value = compile.matcher(value).replaceAll("");
	        compile = Pattern.compile("ondragstart(.*?)=", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
	        value = compile.matcher(value).replaceAll("");
	        compile = Pattern.compile("ondrop(.*?)=", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
	        value = compile.matcher(value).replaceAll("");
	        compile = Pattern.compile("onmousedown(.*?)=", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
	        value = compile.matcher(value).replaceAll("");
	        compile = Pattern.compile("onmousemove(.*?)=", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
	        value = compile.matcher(value).replaceAll("");
	        compile = Pattern.compile("onmouseout(.*?)=", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
	        value = compile.matcher(value).replaceAll("");
	        compile = Pattern.compile("onmouseover(.*?)=", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
	        value = compile.matcher(value).replaceAll("");
	        compile = Pattern.compile("onmouseenter(.*?)=", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
	        value = compile.matcher(value).replaceAll("");
	        compile = Pattern.compile("onmouseup(.*?)=", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
	        value = compile.matcher(value).replaceAll("");
	        compile = Pattern.compile("onmousewheel(.*?)=", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
	        value = compile.matcher(value).replaceAll("");
	        compile = Pattern.compile("onscroll(.*?)=", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
	        value = compile.matcher(value).replaceAll("");
	        value = value.replace("document", "");//页面屏蔽document字样
	        value = value.replace("alert", "");//页面屏蔽alert字样
	        return value;
	    }
}

2.使用工具类

对于需要过滤的参数进行判断然后使用工具类。

 MultipartHttpServletRequest multipartRequest = (MultipartHttpServletRequest) request; 
		 MultipartFile newsImage =  multipartRequest.getFile("newsImage");
		Map<String,Object> map = new HashMap<String,Object>();
		String newsTitle = request.getParameter("newsTitle");
		String newsTheme = request.getParameter("newsTheme");
		
		News news = new News();
		if(newsTitle != null && !"".equals(newsTitle)) {
			news.setNewsTitle(XSSFilterUtils.cleanXSS(newsTitle));
		}
		if(newsTheme != null && !"".equals(newsTheme)) {
			news.setNewsTheme(XSSFilterUtils.cleanXSS(newsTheme));
		}
小依真
关注
专栏目录
Java代码审计】XSS
大河之犬的博客
12-16 2万+
XSS 漏洞是指攻击者在网页中嵌入客户端脚本(通常是 JavaScript 编写的恶意代码),进而执行其植入代码的漏洞。若 Web 应用未对用户可直接或间接控制的“输入”与“输出”参数进行关键字过滤或转义处理,则很可能存在跨站脚本漏洞。从 Web 应用上来看,攻击者可以控制的参数包括 URL 参数、post 提交的表单数据以及搜索框提交的搜索关键字,一般对该漏洞的审计策略如下收集输入、输出点查看输入、输出点的上下文环境。判断 Web 应用是否对输入、输出做了防御工作(如过滤、扰乱以及编码)
xss漏洞安全编码系列详解
06-22
结合在csdn上web渗透测试课程(https://edu.csdn.net/course/detail/8064该课程主要讲解攻击过程),讲解xss的攻击原理及漏洞编码,现场带领大家编写补丁代码,真正在代码层面上杜绝该类漏洞的存在。
XSS 攻击的检测和修复方法
Java徐师兄的博客
07-13 3201
XSS 攻击是一种常见和危险的 Web 攻击,开发者需要对输入数据进行过滤和转义,使用安全的编程语言和框架以及安全的数据库操作,采用 CSP 等措施来防止 XSS 攻击。同时,用户也需要注意不要轻易点击不明来源的链接,避免被诱导访问恶意网站,从而保护自己的信息安全。// 去除输入数据中的 HTML 和 PHP 标签 $data = strip_tags($data);
JAVA代码审计之XSS漏洞
最新发布
2401_86951038的博客
09-11 697
所以将就看看demo吧漏洞原理:关于XSS漏洞漏洞原理核心其实没啥好说的,网上一查一大堆。
XSS漏洞修复方案
热门推荐
若明天不见
07-19 3万+
XSS漏洞介绍、XSS危害及相关修复方案 XSS的原理是WEB应用程序混淆了用户提交的数据和脚本的代码边界,导致浏览器把用户的输入当成了脚本代码来执行。XSS的攻击对象是浏览器一端的普通用户。
xss漏洞原因以及如何应对
风烟
01-26 9390
场景一:获取URL参数含有脚本执行 比如我们需要获取URL中某个参数,然后输出到页面当中 比如链接是http://xxx?search="><script>alert('xss')</script>这种,我们解析search参数拼接html的之后直接用了这个参数,这个时候浏览器不知道是恶意代码,直接就执行了, <div> xxx: "><script>alert('xss')</script> </div> 这
Java代码审计】XSS漏洞产生原理及其修复
m0_62783065的博客
05-17 5660
Java代码审计】XSS漏洞产生原理及其修复
JAVA Web应用常见漏洞修复建议
qq_39560975的博客
07-27 7849
跨站脚本、输入验证、代码注入等常见漏洞解析和修改方案
javaXSS 漏洞原理与实际案例介绍
12-09
Java 中的 XSS 漏洞,包括其原理、简单的 Java 代码示例、修复方案以及 CVE 实例,希望对初入Java代码审计的朋友有所帮助官网更新到了v1.4的版本,但是取消了开源。因此没法看官网怎么修复的,这里给出自己的修复...
javaweb配置xssproject,完美解决安全检测报XSS漏洞
01-14
XSSProject是一个专门针对XSS攻击防护的Java库,通过提供一系列的过滤规则和处理机制,帮助开发者构建更安全的Web应用。 首先,我们来了解一下XSSProject的核心功能。XSSProject主要包含以下几个方面: 1. **XSS...
java 预防XSS攻击
08-23
- 定期进行安全审计和渗透测试,发现并修复潜在的XSS漏洞。 - 部署日志监控系统,及时发现异常请求和行为。 通过以上这些策略,可以显著降低Java应用程序遭受XSS攻击的风险。然而,安全防护是一个持续的过程,...
JSP安全开发之XSS漏洞详解
10-21
7. **代码审查**:定期进行代码审查,检查可能的XSS漏洞,并确保所有用户输入都经过了适当的安全处理。 8. **安全编码最佳实践**:遵循安全编码原则,例如,避免在HTML中动态生成JavaScript,而是将其放在外部文件...
XSS漏洞解决方案实例
08-30
跨网站脚本(Cross-site scripting,通常简称为XSS或跨站脚本或跨站脚本攻击)是一种网站应用程序的安全漏洞攻击,是代码注入的一种。它允许恶意用户将代码注入到网页上,其他用户在观看网页时就会受到影响。这类...
XSS 安全漏洞介绍及修复方案
墨鸦的博客
06-25 8108
XSS 安全漏洞介绍及修复方案
java实战:Java处理XSS漏洞的四种方法及代码示例
oandy0的博客
02-16 1万+
本文将介绍几种在Java中处理XSS(跨站脚本)漏洞的常用方法,并提供详细的代码示例。我们将探讨使用HTML实体编码、使用内容安全策略(CSP)、使用框架内置的XSS防护和自定义过滤器等方法。通过本文,可以了解到如何在Java应用程序中实施有效的安全措施,以防范XSS攻击。
Java SSM框架+jsp处理存储XSS反射XSS漏洞
weixin_45767372的博客
07-07 4724
存储XSS反射XSS修复
代码审计——XSS详解
Boom!脑洞大爆炸的博客
06-17 2271
代码审计之XSS详解
xssjava 修复XSS跨站脚本漏洞XssFilter实现防止XSS攻击
qq_35320491的博客
07-11 1206
<filter> <filter-name>xssFilter</filter-name> <filter-class>com.wj.apps.base.filter.XssFilter</filter-class> </filter> <filter-mapping> <filter-name>xssFilter</filter-name> <url-patte
【网络安全】详解XSS漏洞反射XSS漏洞
yyyyyybw的博客
09-25 1329
反射XSS漏洞是Web应用程序中常见的安全漏洞,攻击者可利用该漏洞注入恶意代码,窃取用户敏感信息、篡改页面内容、操纵页面行为等。为确保Web应用程序的安全性,应该采取必要措施对输入数据进行严格验证、转义和过滤处理。如果你也想学网络安全,做一个白帽黑客,我为你整理了一套完整的详细的教程资料,戳网络安全(黑客)自学笔记+学习路线+配套视频教程(超详细)t=N7T8。
JAVA Web应用安全:存储XSS漏洞修复策略
"JAVA Web应用常见漏洞修复建议" 在JAVA Web应用开发中,安全问题至关重要,因为不安全的代码可能会导致数据泄露、系统瘫痪甚至法律风险。本资源主要探讨了几个常见的安全漏洞,包括跨站脚本(XSS)攻击,特别是...
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值