java web 利用filter 防止 Xss 攻击(1)
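<!-- XssFilter registration for web.xml. "@" is the list separator (SplitChar): the
     FilterChar and ReplaceChar lists are split on it, and entry i of FilterChar is
     replaced by entry i of ReplaceChar (see XssHttpServletRequestWrapper.xssEncode),
     so both lists must have the same number of entries. -->
<filter>
  <filter-name>xssFilter</filter-name>
  <filter-class>com.yoro.core.web.XssFilter</filter-class>
  <init-param>
    <param-name>SplitChar</param-name>
    <param-value>@</param-value>
  </init-param>
  <init-param>
    <param-name>FilterChar</param-name>
    <!-- "<" may not appear unescaped in element text, so it is written as &lt;
         (">" is tolerated by XML parsers, but &gt; is the safe form). A backslash is
         not an escape character in XML: writing \' here would make the filter look for
         the two-character sequence backslash+quote, so the quote and backslash entries
         are given as plain characters. -->
    <param-value>&gt;@&lt;@'@"@\@#@(@)</param-value>
  </init-param>
  <init-param>
    <param-name>ReplaceChar</param-name>
    <!-- NOTE(review): these entries look as if they lost their full-width form when the
         page was extracted; each is meant to be the full-width counterpart of the
         FilterChar entry at the same position. Restore them from the original source and
         keep the entry count equal to FilterChar's. -->
    <param-value>&gt;'@&lt;@‘@“@\@#@(@)</param-value>
  </init-param>
</filter>
<filter-mapping>
  <filter-name>xssFilter</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>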
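package com.yoro.core.web;

import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;

/**
 * Servlet filter that wraps every HTTP request in {@link XssHttpServletRequestWrapper}
 * so that the query string, parameters and headers the application reads go through
 * the wrapper's character substitution.
 *
 * <p>Init parameters (see web.xml): {@code FilterChar} (substrings to replace),
 * {@code ReplaceChar} (their replacements, same order and count) and {@code SplitChar}
 * (separator of the two lists). The filter only changes what the application reads
 * from the request; it does not touch the response.
 *
 * @author zoro
 */
public class XssFilter implements Filter {

    private String filterChar;
    private String replaceChar;
    private String splitChar;
    FilterConfig filterConfig = null;

    /**
     * Reads the three init parameters and validates them.
     *
     * @throws ServletException if a parameter is missing or the two lists have a
     *         different number of entries. Failing here keeps the filter unavailable
     *         (fail closed) instead of throwing a NullPointerException or
     *         ArrayIndexOutOfBoundsException inside the wrapper on the first request.
     */
    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
        this.filterChar = filterConfig.getInitParameter("FilterChar");
        this.replaceChar = filterConfig.getInitParameter("ReplaceChar");
        this.splitChar = filterConfig.getInitParameter("SplitChar");
        this.filterConfig = filterConfig;

        if (isMissing(filterChar) || isMissing(replaceChar) || isMissing(splitChar)) {
            throw new ServletException(
                    "XssFilter requires init-params FilterChar, ReplaceChar and SplitChar");
        }
        // The wrapper splits with String.split(splitChar), so count the same way.
        int filterCount = filterChar.split(splitChar).length;
        int replaceCount = replaceChar.split(splitChar).length;
        if (filterCount != replaceCount) {
            throw new ServletException("XssFilter: FilterChar has " + filterCount
                    + " entries but ReplaceChar has " + replaceCount);
        }
    }

    /** True for a null or empty init parameter. */
    private static boolean isMissing(String value) {
        return value == null || value.isEmpty();
    }

    @Override
    public void destroy() {
        this.filterConfig = null;
    }

    /**
     * Wraps HTTP requests before handing them down the chain. A non-HTTP request is
     * passed through unchanged (the unconditional cast in the original would have
     * failed with a ClassCastException).
     */
    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        if (request instanceof HttpServletRequest) {
            chain.doFilter(new XssHttpServletRequestWrapper(
                    (HttpServletRequest) request, filterChar, replaceChar, splitChar), response);
        } else {
            chain.doFilter(request, response);
        }
    }
}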
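package com.yoro.core.web;

import java.io.UnsupportedEncodingException;
import java.net.URLDecoder;
import java.util.Collections;
import java.util.LinkedHashMap;
import java.util.Map;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;

/**
 * Request wrapper that rewrites characters commonly used in XSS payloads (as configured
 * in web.xml) before the application sees them. The query string, parameter values and
 * header values pass through {@link #xssEncode(String)}; parameter and header names are
 * encoded before lookup in {@link #getParameter(String)} and {@link #getHeader(String)}.
 *
 * <p>{@code filterChar} and {@code replaceChar} are split on {@code splitChar} (a regex,
 * as with {@link String#split(String)}); entry {@code i} of the first list is replaced by
 * entry {@code i} of the second, so both lists must have the same length. The
 * substitution is lossy (stored data is altered) and context-unaware: it is an
 * input-side hardening layer, and output encoding is still needed where values are
 * rendered.
 *
 * <p>Not overridden, so still returning the raw data: {@code getParameterNames},
 * {@code getHeaders}, {@code getHeaderNames}, {@code getInputStream}/{@code getReader}.
 * The original values also remain reachable through the {@code super} methods.
 *
 * @author zoro
 */
public class XssHttpServletRequestWrapper extends HttpServletRequestWrapper {

    private final String[] filterChars;
    private final String[] replaceChars;

    /**
     * @param request     the request to wrap
     * @param filterChar  list of substrings to replace, separated by {@code splitChar}
     * @param replaceChar list of replacements, same order and length as {@code filterChar}
     * @param splitChar   separator (regex) of the two lists
     * @throws IllegalArgumentException if a list or the separator is missing, or the two
     *         lists differ in length. The original deferred these failures to a
     *         NullPointerException or ArrayIndexOutOfBoundsException on the first
     *         filtered read.
     */
    public XssHttpServletRequestWrapper(HttpServletRequest request, String filterChar,
            String replaceChar, String splitChar) {
        super(request);
        if (isMissing(filterChar) || isMissing(replaceChar) || isMissing(splitChar)) {
            throw new IllegalArgumentException(
                    "XssHttpServletRequestWrapper needs filterChar, replaceChar and splitChar");
        }
        filterChars = filterChar.split(splitChar);
        replaceChars = replaceChar.split(splitChar);
        if (filterChars.length != replaceChars.length) {
            throw new IllegalArgumentException("filterChar has " + filterChars.length
                    + " entries but replaceChar has " + replaceChars.length);
        }
    }

    /** True for a null or empty configuration value. */
    private static boolean isMissing(String value) {
        return value == null || value.isEmpty();
    }

    /** Returns the query string after {@link #xssEncode(String)} (note: it is URL-decoded by it). */
    @Override
    public String getQueryString() {
        String value = super.getQueryString();
        return value == null ? null : xssEncode(value);
    }

    /**
     * Filters both the parameter name (before lookup) and the value. The raw value is
     * still available via {@code super.getParameterValues(name)}.
     */
    @Override
    public String getParameter(String name) {
        String value = super.getParameter(xssEncode(name));
        return value == null ? null : xssEncode(value);
    }

    /**
     * Returns filtered copies of the parameter values. As in the original, {@code null} is
     * returned when the parameter is absent or has no values; the name is looked up
     * unchanged.
     */
    @Override
    public String[] getParameterValues(String name) {
        String[] raw = super.getParameterValues(name);
        if (raw == null || raw.length == 0) {
            return null;
        }
        // Copy rather than writing into the array the container handed out: it may be
        // the container's own backing array.
        return encodeAll(raw);
    }

    /**
     * Returns an unmodifiable map with filtered values, so frameworks that bind request
     * data through {@code getParameterMap()} see the same values as
     * {@link #getParameterValues(String)}. Keys are left unchanged.
     */
    @Override
    public Map<String, String[]> getParameterMap() {
        Map<String, String[]> raw = super.getParameterMap();
        if (raw == null) {
            return null;
        }
        Map<String, String[]> filtered = new LinkedHashMap<>();
        for (Map.Entry<String, String[]> entry : raw.entrySet()) {
            String[] values = entry.getValue();
            filtered.put(entry.getKey(), values == null ? null : encodeAll(values));
        }
        return Collections.unmodifiableMap(filtered);
    }

    /** Applies {@link #xssEncode(String)} to every element, into a fresh array. */
    private String[] encodeAll(String[] values) {
        String[] out = new String[values.length];
        for (int i = 0; i < values.length; i++) {
            out[i] = xssEncode(values[i]);
        }
        return out;
    }

    /**
     * Filters both the header name (before lookup) and the value. The raw value is still
     * available via {@code super.getHeaders(name)}; {@code getHeaderNames} is not
     * overridden.
     */
    @Override
    public String getHeader(String name) {
        String value = super.getHeader(xssEncode(name));
        return value == null ? null : xssEncode(value);
    }

    /**
     * URL-decodes {@code s} once and then replaces every configured substring with its
     * replacement (full-width characters in the original configuration).
     *
     * <p>The decode is kept from the original so that %-encoded payloads are caught, but
     * note its cost: parameter values are already decoded by the container, so this is a
     * second decode for them ('+' becomes a space and literal "%xx" sequences are
     * interpreted), and the query string is returned decoded. A value with a malformed
     * %-escape (e.g. a literal "50%") is filtered as-is; the original let the
     * IllegalArgumentException from URLDecoder propagate and fail the request.
     *
     * @param s the raw value; {@code null} and "" are returned unchanged
     * @return the filtered value
     */
    private String xssEncode(String s) {
        if (s == null || s.isEmpty()) {
            return s;
        }
        String decoded;
        try {
            decoded = URLDecoder.decode(s, "UTF-8");
        } catch (UnsupportedEncodingException e) {
            // UTF-8 is mandatory in every JVM; this cannot happen, so do not hide it.
            throw new IllegalStateException("UTF-8 not supported by this JVM", e);
        } catch (IllegalArgumentException e) {
            // Not URL-encoded (stray '%'): filter the value as it was received.
            decoded = s;
        }
        for (int i = 0; i < filterChars.length; i++) {
            // An empty target (from "@@" in the list) would make replace() insert the
            // replacement between every character; skip it.
            if (!filterChars[i].isEmpty()) {
                decoded = decoded.replace(filterChars[i], replaceChars[i]);
            }
        }
        return decoded;
    }
}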