XSS 漏洞：添加 XssFilter 后出现中文乱码的解决方法（以及该过滤器本身的安全问题）
*
* 更改所生成文件模板为
* 窗口 > 首选项 > Java > 代码生成 > 代码和注释
*/
package com.bmcc.adc.filter;
import java.io.IOException;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Locale;
import java.util.Set;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
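/**
 * Servlet filter that screens the parameters of a configured set of request
 * URIs for a handful of script-injection keywords and redirects the client
 * to {@code /index/} when one is found.
 *
 * <p>Configuration: the value of every {@code init-param} is a request URI
 * (as returned by {@link HttpServletRequest#getRequestURI()}, i.e. including
 * the context path) whose parameters are to be screened. The param name is
 * ignored.
 *
 * <p>Changes from the original version of this filter:
 * <ul>
 *   <li>The original exposed three management hooks — any request whose URI
 *       merely <em>contained</em> {@code add_xss_update_filter_urls},
 *       {@code remove_xss_update_filter_urls} or
 *       {@code list_xss_update_filter_urls} could add or remove entries from
 *       the protected-URI set via a {@code url} parameter, with no
 *       authentication. A single unauthenticated request could therefore
 *       switch the filter off for a protected URL, and the shared
 *       {@code HashMap} was mutated from request threads without
 *       synchronization. Those hooks are removed; the protected set is fixed
 *       at {@link #init} time. Runtime management, if needed, belongs behind
 *       an authenticated admin endpoint, not a substring match on the URI.</li>
 *   <li>All values of a multi-valued parameter are checked; the original
 *       read only {@code getParameter(name)}, i.e. the first value, so
 *       {@code ?q=ok&amp;q=&lt;script&gt;} passed.</li>
 *   <li>Parameter <em>values</em> are no longer written to stderr — on the
 *       protected login/account endpoints they may be credentials.</li>
 *   <li>Path parameters ({@code ;jsessionid=...}) are stripped before the
 *       exact-match lookup.</li>
 * </ul>
 *
 * <p><b>Limitations.</b> This is a keyword blacklist, not an XSS defense. It is
 * bypassed by any payload that avoids the listed words (event handlers such
 * as {@code onerror=}, {@code javascript:} URLs, entity- or URL-encoded
 * tags, ...) and it rejects legitimate input that happens to contain them
 * ("description" contains SCRIPT, "documentation" contains DOCUMENT).
 * Contextual output encoding at the point of rendering is the actual fix;
 * keep this filter as a tripwire at most.
 */
public class XssFilter implements Filter {

    /**
     * Encoding applied to the request before any parameter is read.
     * The original author added this to stop Chinese form data from being
     * garbled; presumably because a filter that calls {@code getParameter}
     * fixes the request's decoding before the application gets a chance to
     * set its own encoding — confirm against the application's page
     * encoding and keep the two in sync.
     * NOTE(review): {@code setCharacterEncoding} governs only the request
     * body; the query string is decoded per the connector's URI encoding
     * setting, which must be configured separately.
     */
    private static final String REQUEST_ENCODING = "GBK";

    /** Where a rejected request is redirected. */
    private static final String REJECT_REDIRECT = "/index/";

    /**
     * Keywords that mark a parameter name or value as rejected. Matched
     * case-insensitively (input is upper-cased with {@link Locale#ROOT}) as
     * a substring search. Compiled once rather than per parameter.
     * The {@code <SCRIPT>} / {@code </SCRIPT>} alternatives are subsumed by
     * {@code SCRIPT}; kept verbatim from the original.
     */
    private static final Pattern BLOCKED_TOKENS =
            Pattern.compile("SCRIPT|<SCRIPT>|</SCRIPT>|DOCUMENT|ALERT");

    /**
     * Request URIs whose parameters are screened. Filled in {@link #init}
     * and never modified afterwards; the container guarantees init()
     * completes before doFilter() is invoked, so concurrent reads from
     * request threads need no synchronization.
     */
    private final Set<String> protectedUris = new HashSet<String>();

    /**
     * Loads the protected-URI set: the value of every init-param is one URI.
     *
     * @param config filter configuration from web.xml
     */
    public void init(FilterConfig config) throws ServletException {
        Enumeration names = config.getInitParameterNames();
        while (names.hasMoreElements()) {
            String name = (String) names.nextElement();
            String uri = config.getInitParameter(name);
            if (uri != null) {
                protectedUris.add(uri);
            }
        }
    }

    /** Nothing to release: the filter holds no external resources. */
    public void destroy() {
    }

    /**
     * Applies the request encoding, then screens the request's parameters if
     * its URI is in the protected set. A rejected request is redirected to
     * {@link #REJECT_REDIRECT} and the chain is not continued.
     *
     * @param arg0 incoming request (cast to {@link HttpServletRequest})
     * @param arg1 outgoing response (cast to {@link HttpServletResponse})
     * @param arg2 remainder of the filter chain
     * @throws IOException      from the redirect or the chain
     * @throws ServletException from the chain
     */
    public void doFilter(ServletRequest arg0, ServletResponse arg1, FilterChain arg2)
            throws IOException, ServletException {
        // Must precede the first getParameter* call on this request: once the
        // container has parsed the parameters the decoding cannot be changed.
        arg0.setCharacterEncoding(REQUEST_ENCODING);

        HttpServletRequest request = (HttpServletRequest) arg0;
        HttpServletResponse response = (HttpServletResponse) arg1;

        String uri = stripPathParameters(request.getRequestURI());
        if (uri != null && protectedUris.contains(uri)) {
            String offending = findBlockedParameter(request);
            if (offending != null) {
                // Log the URI and the parameter name only — never the value.
                System.err.println("XssFilter: rejected " + uri
                        + " (parameter '" + offending + "')");
                response.sendRedirect(REJECT_REDIRECT);
                return;
            }
        }
        arg2.doFilter(arg0, arg1);
    }

    /**
     * Removes path parameters ({@code ;jsessionid=...}) from a raw request
     * URI so the exact-match lookup cannot be sidestepped by appending one.
     * NOTE(review): {@code getRequestURI()} is undecoded and otherwise left
     * as sent; other spellings of the same path (double slashes, percent
     * encoding) are not normalized here — confirm whether the container
     * canonicalizes them before routing.
     *
     * @param requestUri raw URI, may be {@code null}
     * @return the URI up to the first {@code ';'}, or {@code null}
     */
    private static String stripPathParameters(String requestUri) {
        if (requestUri == null) {
            return null;
        }
        int semicolon = requestUri.indexOf(';');
        return semicolon < 0 ? requestUri : requestUri.substring(0, semicolon);
    }

    /**
     * Finds the first parameter whose name or any of whose values contains a
     * blocked token.
     *
     * @param request request whose parameters are screened
     * @return the offending parameter's name, or {@code null} if none
     */
    private static String findBlockedParameter(HttpServletRequest request) {
        Enumeration names = request.getParameterNames();
        if (names == null) {
            return null;
        }
        while (names.hasMoreElements()) {
            String name = (String) names.nextElement();
            if (containsBlockedToken(name)) {
                return name;
            }
            // getParameterValues, not getParameter: every value of a repeated
            // parameter must be checked, not just the first.
            String[] values = request.getParameterValues(name);
            if (values == null) {
                continue;
            }
            for (int i = 0; i < values.length; i++) {
                if (containsBlockedToken(values[i])) {
                    return name;
                }
            }
        }
        return null;
    }

    /**
     * Substring test for {@link #BLOCKED_TOKENS}, case-insensitive.
     * {@link Locale#ROOT} avoids locale-dependent upper-casing (e.g. the
     * Turkish dotless i turning "script" into something the pattern misses).
     *
     * @param text name or value to test; {@code null} is not blocked
     * @return {@code true} if a blocked token occurs in {@code text}
     */
    static boolean containsBlockedToken(String text) {
        return text != null
                && BLOCKED_TOKENS.matcher(text.toUpperCase(Locale.ROOT)).find();
    }
}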
配置文件 (web.xml):
<filter>
<filter-name>XssFilter</filter-name>
<filter-class>com.bmcc.adc.filter.XssFilter</filter-class>
<!-- XssFilter.init() treats the VALUE of every init-param as a request URI to
     screen (the param-name is ignored). The value is compared with
     HttpServletRequest.getRequestURI() by exact string match, so it must be
     written exactly as the client sends it, context path included. -->
<init-param>
<param-name>url0</param-name>
<!-- NOTE(review): the container refuses to serve /WEB-INF/ resources
     directly; this JSP can only be reached through a forward/include, which
     the mappings below do not cover (REQUEST dispatch only). This entry is
     therefore probably never matched - confirm. -->
<param-value>/WEB-INF/pages/pub/common/passivelogon_ec.jsp</param-value>
</init-param>
<init-param>
<param-name>url1</param-name>
<param-value>/edsmp/listAccountSvc.do</param-value>
</init-param>
<init-param>
<param-name>url2</param-name>
<param-value>/edsmp/serviceonlineNoLoginSub.do</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>XssFilter</filter-name>
<url-pattern>*.do</url-pattern>
<!-- REQUEST only: the filter does not run on RequestDispatcher forwards or
     includes that target a .do URL. -->
<dispatcher>REQUEST</dispatcher>
</filter-mapping>
<filter-mapping>
<filter-name>XssFilter</filter-name>
<url-pattern>*.jsp</url-pattern>
<!-- No <dispatcher> element means REQUEST only (the default), i.e. JSPs
     requested directly by the client. Add <dispatcher>FORWARD</dispatcher>
     if JSPs reached via forward are meant to be screened as well. -->
</filter-mapping>