HttpServletRequestWrapper 实现xss注入(2)
来源:互联网 发布:网络发展的现状 编辑:程序博客网 时间:2024/05/18 00:11
自定义一个wapper 实现 HttpServletRequestWrapper
package cn.baozun.crm.task.filter;import javax.servlet.http.HttpServletRequest;import javax.servlet.http.HttpServletRequestWrapper;/** * * <p>xss过滤</p> * @author dexter.qin * @version $Id: XssHttpServletRequestWrapper.java, v 0.1 2014-2-27 下午2:28:30 qinde Exp $ */public class XssHttpServletRequestWrapper extends HttpServletRequestWrapper { HttpServletRequest orgRequest = null; public XssHttpServletRequestWrapper(HttpServletRequest request) { super(request); orgRequest = request; } /** * 覆盖getParameter方法,将参数名和参数值都做xss过滤。<br/> * 如果需要获得原始的值,则通过super.getParameterValues(name)来获取<br/> * getParameterNames,getParameterValues和getParameterMap也可能需要覆盖 */ @Override public String getParameter(String name) { String value = super.getParameter(xssEncode(name)); if (value != null) { value = xssEncode(value); } return value; } /** * 覆盖getHeader方法,将参数名和参数值都做xss过滤。<br/> * 如果需要获得原始的值,则通过super.getHeaders(name)来获取<br/> * getHeaderNames 也可能需要覆盖 */ @Override public String getHeader(String name) { String value = super.getHeader(xssEncode(name)); if (value != null) { value = xssEncode(value); } return value; } /** * 将容易引起xss漏洞的半角字符直接替换成全角字符 * * @param s * @return */ private static String xssEncode(String s) { if (s == null || "".equals(s)) { return s; } StringBuilder sb = new StringBuilder(s.length() + 16); for (int i = 0; i < s.length(); i++) { char c = s.charAt(i); switch (c) { case '>': sb.append('>');//全角大于号 break; case '<': sb.append('<');//全角小于号 break; case '\'': sb.append('‘');//全角单引号 break; case '\"': sb.append('“');//全角双引号 break; case '&': sb.append('&');//全角 break; case '\\': sb.append('\');//全角斜线 break; case '#': sb.append('#');//全角井号 break; default: sb.append(c); break; } } return sb.toString(); } /** * 获取最原始的request * * @return */ public HttpServletRequest getOrgRequest() { return orgRequest; } /** * 获取最原始的request的静态方法 * * @return */ public static HttpServletRequest getOrgRequest(HttpServletRequest req) { if (req instanceof XssHttpServletRequestWrapper) { return ((XssHttpServletRequestWrapper) req).getOrgRequest(); } return req; } public static void main(String[] args) { System.out.println(XssHttpServletRequestWrapper.xssEncode("<script>alert(1)</script>")); }}
自定义过滤器
package cn.baozun.crm.task.filter;import java.io.IOException;import javax.servlet.Filter;import javax.servlet.FilterChain;import javax.servlet.FilterConfig;import javax.servlet.ServletException;import javax.servlet.ServletRequest;import javax.servlet.ServletResponse;import javax.servlet.http.HttpServletRequest;/** * * <p>拦截防止sql注入、xss注入 </p> * @author dexter.qin * @version $Id: XssFilter.java, v 0.1 2014-2-27 下午2:29:14 qinde Exp $ */public class XssFilter implements Filter { /* (non-Javadoc) * @see javax.servlet.Filter#doFilter(javax.servlet.ServletRequest, javax.servlet.ServletResponse, javax.servlet.FilterChain) */ public void doFilter(ServletRequest request, ServletResponse response, FilterChain filterChain) throws IOException, ServletException { XssHttpServletRequestWrapper xssRequest = new XssHttpServletRequestWrapper( (HttpServletRequest) request); filterChain.doFilter(xssRequest, response); } @Override public void destroy() { } @Override public void init(FilterConfig arg0) throws ServletException { }}
出处:http://blog.csdn.net/mid120/article/details/53897550
0 0
- HttpServletRequestWrapper 实现xss注入(2)
- HttpServletRequestWrapper 实现xss注入
- 使用HttpServletRequestWrapper 实现防止xss攻击和sql注入
- springMVC通过Filter实现防止xss注入
- springMVC通过Filter实现防止xss注入
- XSS 注入
- XSS注入
- HttpServletRequestWrapper
- HttpServletRequestWrapper模拟实现分布式Session
- HttpServletRequestWrapper模拟实现分布式Session
- HttpServletRequestWrapper模拟实现分布式Session
- SpringMVC XSS之HttpServletRequestWrapper使用风险与应对方案
- HttpServletRequestWrapper和jsp:param之间的问题及XSS防御
- SQL注入-XSS跨站
- PHP防止XSS注入
- xss注入1.0
- sql注入 XSS
- php168注入+XSS
- Oculus开发相关问题总结(一)Oculus登陆问题 Internal Error:OVR53225466
- javaweb:判断当前请求是否为移动设备访问
- Java多线程系列--“基础篇”01之 基本概念
- androidStudio快速打开工程
- word 2013中如何设置第几页共几页这种页码格式
- HttpServletRequestWrapper 实现xss注入(2)
- 剑指offer 37. 两个链表的第一个公共结点
- MFC笔记总结
- linux下多进程、多线程编程
- echarts3 地图应用 给背景地图上色(2)附:世界各大城市经纬度
- Android报错:has leaked window com.android.internal.policy.impl.PhoneWindow$Decor
- Android中联系人和通话记录详解(联系人的增删改查)(3)
- 微信小程序苹果真机取不到数据问题
- mysql索引需要了解的几个注意