利用简单的过滤器过滤特殊字符，实现对 XSS 攻击的防御
web.xml配置文件
<!-- Registers XSSFilter and maps it to every request path ("/*"), so the
     XSSRequestWrapper is applied ahead of the servlet for all parameter and
     query-string reads. No <dispatcher> element is given, so the container
     applies the mapping to REQUEST dispatches only (not FORWARD/INCLUDE/ERROR).
     Relative order among several filters follows the <filter-mapping> order
     in this file. -->
<filter>
    <filter-name>XSSFilter</filter-name>
    <filter-class>com.neusoft.common.filter.XSSFilter</filter-class>
</filter>
<filter-mapping>
    <filter-name>XSSFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
- package com.neusoft.common.filter;
- import java.io.IOException;
- import javax.servlet.Filter;
- import javax.servlet.FilterChain;
- import javax.servlet.FilterConfig;
- import javax.servlet.ServletException;
- import javax.servlet.ServletRequest;
- import javax.servlet.ServletResponse;
- import javax.servlet.http.HttpServletRequest;
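/**
 * Servlet filter that wraps every HTTP request in {@link XSSRequestWrapper} so
 * that parameter and query-string reads pass through the wrapper's
 * blacklist-based sanitiser before they reach the application.
 *
 * <p>Non-HTTP requests are forwarded untouched instead of failing with a
 * {@link ClassCastException}, which is what the unchecked cast in the original
 * version would have done. Header values and request bodies (JSON/XML,
 * multipart) are not covered by the wrapper; see {@link XSSRequestWrapper}.
 */
public class XSSFilter implements Filter {

    /** Nothing is acquired in {@link #init}, so there is nothing to release. */
    @Override
    public void destroy() {
        // intentionally empty
    }

    /**
     * Wraps HTTP requests in {@link XSSRequestWrapper} and hands them down the chain.
     *
     * @param request  incoming request; wrapped only if it is an {@link HttpServletRequest}
     * @param response outgoing response, passed through unchanged
     * @param chain    the remaining filter chain
     * @throws IOException      propagated from the chain
     * @throws ServletException propagated from the chain
     */
    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        // Only HTTP requests carry parameters/query strings to sanitise; any
        // other ServletRequest is forwarded as-is rather than failing on a cast.
        if (request instanceof HttpServletRequest) {
            chain.doFilter(new XSSRequestWrapper((HttpServletRequest) request), response);
        } else {
            chain.doFilter(request, response);
        }
    }

    /** No init-params are read; nothing to initialise. */
    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
        // intentionally empty
    }
}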
- package com.neusoft.common.filter;
import java.util.Collections;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.regex.Pattern;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
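/**
 * {@link HttpServletRequestWrapper} that runs a small regex deny-list over
 * request parameters and the query string before the application sees them.
 *
 * <p>Scope as implemented: {@link #getParameter}, {@link #getParameterValues},
 * {@link #getParameterMap} and {@link #getQueryString} are sanitised.
 * {@link #getHeader} is deliberately passed through unchanged (the original
 * author commented the call out), and nothing is done for {@code getHeaders},
 * cookies, or the request body read via {@code getInputStream}/{@code getReader}
 * (JSON/XML payloads, multipart uploads). {@code getParameterMap} was added
 * because frameworks commonly read parameters through it, which previously
 * bypassed the wrapper entirely.
 *
 * <p>Security note: this is a deny-list on input, not an output-encoding step.
 * It removes a fixed set of token patterns and silently alters any legitimate
 * value that happens to contain them (for example the text {@code eval(} in a
 * free-text field). Treat it as defence in depth only; the reliable control
 * against XSS remains context-aware output encoding wherever request data is
 * rendered into HTML, JavaScript, CSS or URLs.
 *
 * <p>Thread-safety: the {@link Pattern} constants are immutable and shared;
 * a fresh {@code Matcher} is created per call.
 */
public class XSSRequestWrapper extends HttpServletRequestWrapper {

    // The regexes below are kept byte-for-byte from the original so that
    // filtering behaviour is unchanged; they are merely compiled once instead
    // of on every call.

    /** Text between a bare {@code <script>} and {@code </script>}; no DOTALL, so single-line only. */
    private static final Pattern SCRIPT_BLOCK =
            Pattern.compile("<script>(.*?)</script>", Pattern.CASE_INSENSITIVE);

    /** {@code src='...'} attributes (CR/LF allowed around the {@code =}). */
    private static final Pattern SRC_SINGLE_QUOTED =
            Pattern.compile("src[\r\n]*=[\r\n]*\\\'(.*?)\\\'",
                    Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);

    /** {@code src="..."} attributes (CR/LF allowed around the {@code =}). */
    private static final Pattern SRC_DOUBLE_QUOTED =
            Pattern.compile("src[\r\n]*=[\r\n]*\\\"(.*?)\\\"",
                    Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);

    /** A lone closing {@code </script>} tag. */
    private static final Pattern SCRIPT_CLOSE =
            Pattern.compile("</script>", Pattern.CASE_INSENSITIVE);

    /** A lone opening {@code <script ...>} tag. */
    private static final Pattern SCRIPT_OPEN =
            Pattern.compile("<script(.*?)>",
                    Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);

    /** {@code eval(...)} calls. */
    private static final Pattern EVAL_CALL =
            Pattern.compile("eval\\((.*?)\\)",
                    Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);

    /** CSS {@code expression(...)}. */
    private static final Pattern EXPRESSION_CALL =
            Pattern.compile("expression\\((.*?)\\)",
                    Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);

    /** {@code javascript:} URI scheme prefix. */
    private static final Pattern JAVASCRIPT_URI =
            Pattern.compile("javascript:", Pattern.CASE_INSENSITIVE);

    /** {@code vbscript:} URI scheme prefix. */
    private static final Pattern VBSCRIPT_URI =
            Pattern.compile("vbscript:", Pattern.CASE_INSENSITIVE);

    /**
     * {@code onload...=} handler attributes. Note this is the only event
     * handler the deny-list covers, and with DOTALL the lazy {@code (.*?)}
     * can span newlines up to the next {@code =}.
     */
    private static final Pattern ONLOAD_ATTR =
            Pattern.compile("onload(.*?)=",
                    Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);

    /**
     * Rules in application order. Order matters: each rule runs on the output
     * of the previous one, exactly as the original sequential code did.
     */
    private static final Pattern[] BLACKLIST = {
            SCRIPT_BLOCK,
            SRC_SINGLE_QUOTED,
            SRC_DOUBLE_QUOTED,
            SCRIPT_CLOSE,
            SCRIPT_OPEN,
            EVAL_CALL,
            EXPRESSION_CALL,
            JAVASCRIPT_URI,
            VBSCRIPT_URI,
            ONLOAD_ATTR
    };

    /**
     * @param request the request to wrap; must not be {@code null}
     */
    public XSSRequestWrapper(HttpServletRequest request) {
        super(request);
    }

    /**
     * Returns the sanitised values for {@code parameter}.
     *
     * @param parameter parameter name
     * @return a new array with every value passed through the deny-list, or
     *         {@code null} when the underlying request has no such parameter
     */
    @Override
    public String[] getParameterValues(String parameter) {
        String[] values = super.getParameterValues(parameter);
        if (values == null) {
            return null;
        }
        return sanitizeAll(values);
    }

    /**
     * Returns the sanitised first value for {@code parameter}.
     *
     * @param parameter parameter name
     * @return sanitised value, or {@code null} when absent
     */
    @Override
    public String getParameter(String parameter) {
        return stripXSS(super.getParameter(parameter));
    }

    /**
     * Returns the whole parameter map with every value sanitised.
     *
     * <p>Without this override, code that reads parameters via the map (as many
     * web frameworks do) would receive the raw values and bypass the filter.
     *
     * @return an unmodifiable copy with sanitised values; {@code null} only if
     *         the wrapped request itself returns {@code null}
     */
    @Override
    public Map<String, String[]> getParameterMap() {
        Map<String, String[]> original = super.getParameterMap();
        if (original == null) {
            return null;
        }
        Map<String, String[]> sanitized = new LinkedHashMap<>();
        for (Map.Entry<String, String[]> entry : original.entrySet()) {
            String[] values = entry.getValue();
            sanitized.put(entry.getKey(), values == null ? null : sanitizeAll(values));
        }
        // Servlet spec requires the parameter map to be immutable to callers.
        return Collections.unmodifiableMap(sanitized);
    }

    /**
     * Headers are intentionally NOT sanitised (the original author disabled
     * the call). If header values are ever reflected into a page, encode them
     * at the point of output rather than re-enabling stripping here.
     *
     * @param name header name
     * @return the raw header value from the wrapped request
     */
    @Override
    public String getHeader(String name) {
        return super.getHeader(name);
    }

    /**
     * Returns the sanitised raw query string.
     *
     * @return sanitised query string, or {@code null} when the request has none
     */
    @Override
    public String getQueryString() {
        String value = super.getQueryString();
        return value == null ? null : stripXSS(value);
    }

    /**
     * Applies {@link #stripXSS} to every element.
     *
     * @param values non-null array; individual elements may be {@code null}
     * @return a new array of the same length
     */
    private static String[] sanitizeAll(String[] values) {
        String[] cleaned = new String[values.length];
        for (int i = 0; i < values.length; i++) {
            cleaned[i] = stripXSS(values[i]);
        }
        return cleaned;
    }

    /**
     * Runs the deny-list rules over {@code value} in order, deleting every match.
     *
     * @param value input, may be {@code null}
     * @return the value with all matched fragments removed, or {@code null} if
     *         the input was {@code null}
     */
    private static String stripXSS(String value) {
        if (value == null) {
            return null;
        }
        String result = value;
        for (Pattern rule : BLACKLIST) {
            result = rule.matcher(result).replaceAll("");
        }
        return result;
    }
}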