XSS攻击简单来讲就是攻击者在请求中巧妙地加上执行脚本,达到攻击的目的。实践过滤器方案和JSP的EL表达式+JSTL标签库方案都还可以达到防XSS攻击的目的。
一.过滤器方案
XSSFilter.java
package com.bijian.study.filter;
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
/**
* Servlet Filter implementation class XSSFilter
*/
@WebFilter("/XSSFilter")
public class XSSFilter implements Filter {
@Override
public void init(FilterConfig filterConfig) throws ServletException {
}
@Override
public void destroy() {
}
@Override
public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException,
ServletException {
chain.doFilter(new XSSRequestWrapper((HttpServletRequest) request), response);
}
}
XSSRequestWrapper.java
package com.bijian.study.filter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import org.apache.commons.lang.StringEscapeUtils;
public class XSSRequestWrapper extends HttpServletRequestWrapper {
public XSSRequestWrapper(HttpServletRequest servletRequest) {
super(servletRequest);
}
@Override
public String[] getParameterValues(String parameter) {
String[] values = super.getParameterValues(parameter);
if (values == null) {
return null;
}
int count = values.length;
String[] encodedValues = new String[count];
for (int i = 0; i < count; i++) {
encodedValues[i] = stripXSS(values[i]);
}
return encodedValues;
}
@Override
public String getParameter(String parameter) {
String value = super.getParameter(parameter);
return stripXSS(value);
}
@Override
public String getHeader(String name) {
String value = super.getHeader(name);
return stripXSS(value);
}
private String stripXSS(String value) {
value = StringEscapeUtils.escapeHtml(value);
value = StringEscapeUtils.escapeJavaScript(value);
value = StringEscapeUtils.escapeSql(value);
return value;
}
}
web.xml中的配置
<filter> <filter-name>XSSFilter</filter-name> <filter-class>com.bijian.study.filter.XSSFilter</filter-class> </filter> <filter-mapping> <filter-name>XSSFilter</filter-name> <url-pattern>*.do</url-pattern> </filter-mapping> <filter-mapping> <filter-name>XSSFilter</filter-name> <url-pattern>*.jsp</url-pattern> </filter-mapping>
二.JSP的EL表达式+JSTL标签库方案
<%@ page language="java" contentType="text/html; charset=UTF-8" pageEncoding="UTF-8"%>
<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core"%>
<%
String path = request.getContextPath();
String basePath = request.getScheme() + "://" + request.getServerName() + ":" + request.getServerPort() + path + "/";
String nameStr = request.getParameter("name");//用request得到
request.setAttribute("nameAttr", nameStr);
%>
<!DOCTYPE html>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Hello</title>
</head>
<body>
Hi,<c:out value="${nameAttr}"/>
<!--
Hi,<%=nameStr%>
Hi,${param.name}
-->
</body>
</html>
XSS更详细的背景及方案,请参看:http://www.cnblogs.com/flyingeagle/articles/6746732.html