CHECKMARX安全漏洞检测防止XSS跨站脚本攻击
总结CHECKMARX软件安全检测报告高危风险漏洞处理方式
-
高危警告内容
This can enable a Reflected Cross-Site Scripting (XSS) attack -
封装工具类如下
public class ESAPIUtil {
private static ESAPIUtil instance = new ESAPIUtil();
public <T> T encodeForHTML(T t) {
// filter xss
return t;
}
public <T> T canonicalize(T t) {
// filter xss
return t;
}
public <T> T encodeForJavaScript(T t) {
return t;
}
public static ESAPIUtil encoder() {
return instance;
}
public static String cleanXSS(String value) {
if (value != null) {
value = ESAPIUtil.encoder().canonicalize(value);
// 避免空字符串
value = value.replaceAll("", "");
// 避免script 标签
Pattern scriptPattern = compile("<script>(.*?)</script>", CASE_INSENSITIVE);
value = scriptPattern.matcher(value).replaceAll("");
//避免src形式的表达式
//scriptPattern = compile("src[\r\n]*=[\r\n]*\\\'(.*?)\\\'", CASE_INSENSITIVE | MULTILINE | DOTALL);
//value = scriptPattern.matcher(value).replaceAll("");
scriptPattern = compile("src[\r\n]*=[\r\n]*\\\"(.*?)\\\"", CASE_INSENSITIVE | MULTILINE | DOTALL);
value = scriptPattern.matcher(value).replaceAll("");
// 删除单个的 </script> 标签
scriptPattern = compile("</script>", CASE_INSENSITIVE);
value = scriptPattern.matcher(value).replaceAll("");
// 删除单个的<script ...> 标签
scriptPattern = compile("<script(.*?)>", CASE_INSENSITIVE | MULTILINE | DOTALL);
value = scriptPattern.matcher(value).replaceAll("");
// 避免 eval(...) 形式表达式
scriptPattern = compile("eval\\((.*?)\\)", CASE_INSENSITIVE | MULTILINE | DOTALL);
value = scriptPattern.matcher(value).replaceAll("");
// 避免 expression(...) 表达式
scriptPattern = compile("expression\\((.*?)\\)", CASE_INSENSITIVE | MULTILINE | DOTALL);
value = scriptPattern.matcher(value).replaceAll("");
// 避免 javascript: 表达式
scriptPattern = compile("javascript:", CASE_INSENSITIVE);
value = scriptPattern.matcher(value).replaceAll("");
// 避免 vbscript: 表达式
scriptPattern = compile("vbscript:", CASE_INSENSITIVE);
value = scriptPattern.matcher(value).replaceAll("");
// 避免 onl oad= 表达式
scriptPattern = compile("onload(.*?)=", CASE_INSENSITIVE | MULTILINE | DOTALL);
value = scriptPattern.matcher(value).replaceAll("");
// 避免 onXX= 表达式
scriptPattern = compile("on.*(.*?)=", CASE_INSENSITIVE | MULTILINE | DOTALL);
value = scriptPattern.matcher(value).replaceAll("");
// 避免 html 标签 表达式
scriptPattern = compile("<(\\\"[^\\\"]*\\\"|'[^']*'|[^'\\\">])*>", CASE_INSENSITIVE);
value = scriptPattern.matcher(value).replaceAll("");
}
return value;
}