CHECKMARX安全漏洞检测防止XSS（Cross Site Scripting）跨站脚本攻击

CHECKMARX安全漏洞检测防止XSS跨站脚本攻击

总结CHECKMARX软件安全检测报告高危风险漏洞处理方式

• 高危警告内容
  This can enable a Reflected Cross-Site Scripting (XSS) attack

• 封装工具类如下

 		public class ESAPIUtil {

    private static ESAPIUtil instance = new ESAPIUtil();

    public <T> T encodeForHTML(T t) {
        // filter xss
        return t;
    }

    public <T> T canonicalize(T t) {
        // filter xss
        return t;
    }

    public <T> T encodeForJavaScript(T t) {
        return t;
    }


    public static ESAPIUtil encoder() {
        return instance;
    }


    public static String cleanXSS(String value) {
        if (value != null) {
            value = ESAPIUtil.encoder().canonicalize(value);
            // 避免空字符串
            value = value.replaceAll("", "");
            // 避免script 标签
            Pattern scriptPattern = compile("<script>(.*?)</script>", CASE_INSENSITIVE);
            value = scriptPattern.matcher(value).replaceAll("");
            //避免src形式的表达式
            //scriptPattern = compile("src[\r\n]*=[\r\n]*\\\'(.*?)\\\'", CASE_INSENSITIVE | MULTILINE | DOTALL);
            //value = scriptPattern.matcher(value).replaceAll("");

            scriptPattern = compile("src[\r\n]*=[\r\n]*\\\"(.*?)\\\"", CASE_INSENSITIVE | MULTILINE | DOTALL);
            value = scriptPattern.matcher(value).replaceAll("");

            // 删除单个的 </script> 标签
            scriptPattern = compile("</script>", CASE_INSENSITIVE);
            value = scriptPattern.matcher(value).replaceAll("");

            // 删除单个的<script ...> 标签
            scriptPattern = compile("<script(.*?)>", CASE_INSENSITIVE | MULTILINE | DOTALL);
            value = scriptPattern.matcher(value).replaceAll("");

            // 避免 eval(...) 形式表达式
            scriptPattern = compile("eval\\((.*?)\\)", CASE_INSENSITIVE | MULTILINE | DOTALL);
            value = scriptPattern.matcher(value).replaceAll("");

            // 避免 e­xpression(...) 表达式
            scriptPattern = compile("expression\\((.*?)\\)", CASE_INSENSITIVE | MULTILINE | DOTALL);
            value = scriptPattern.matcher(value).replaceAll("");

            // 避免 javascript: 表达式
            scriptPattern = compile("javascript:", CASE_INSENSITIVE);
            value = scriptPattern.matcher(value).replaceAll("");

            // 避免 vbscript: 表达式
            scriptPattern = compile("vbscript:", CASE_INSENSITIVE);
            value = scriptPattern.matcher(value).replaceAll("");

            // 避免 onl oad= 表达式
            scriptPattern = compile("onload(.*?)=", CASE_INSENSITIVE | MULTILINE | DOTALL);
            value = scriptPattern.matcher(value).replaceAll("");

            // 避免 onXX= 表达式
            scriptPattern = compile("on.*(.*?)=", CASE_INSENSITIVE | MULTILINE | DOTALL);
            value = scriptPattern.matcher(value).replaceAll("");
            // 避免 html 标签 表达式
            scriptPattern = compile("<(\\\"[^\\\"]*\\\"|'[^']*'|[^'\\\">])*>", CASE_INSENSITIVE);
            value = scriptPattern.matcher(value).replaceAll("");
        }
        return value;
    }