SpringMVC防止XSS攻击
XSS全称为跨站脚本攻击 , 具体见百度百科
最常见的是用Filter来预防，就是创建一个新的HttpServletRequest包装类XssHttpServletRequestWrapper，然后重写一些get方法（获取参数时对参数进行XSS判断预防）。
1 . 在web.xml中添加Filter
<!-- XSS filter registration: every request is wrapped by com.xbz.filter.XssFilter
     so parameter/header values are sanitised before they reach the controllers.
     The /* pattern applies it to all URLs; filters run in web.xml declaration
     order, so declare it ahead of any filter that itself reads parameters. -->
<filter>
    <filter-name>XssFilter</filter-name>
    <filter-class>com.xbz.filter.XssFilter</filter-class>
</filter>
<filter-mapping>
    <filter-name>XssFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
2 . 编写XssFilter类
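package com.xbz.filter;

import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;

/**
 * Servlet filter that wraps each HTTP request in an {@link XssHttpServletRequestWrapper}
 * so that parameter and header values are sanitised before the controllers read them.
 * Registered in web.xml with the {@code /*} mapping.
 */
public class XssFilter implements Filter {

    /** Config handed over by the container in {@link #init}; cleared again in {@link #destroy}. */
    FilterConfig fc = null;

    @Override
    public void init(FilterConfig fc) throws ServletException {
        this.fc = fc;
    }

    /**
     * Wraps HTTP requests and hands them down the chain. The original parameter was also
     * named {@code fc}, shadowing the field above; it is renamed to {@code chain} here.
     * Non-HTTP requests are passed through unchanged instead of failing with a
     * ClassCastException on the cast.
     */
    @Override
    public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain)
            throws IOException, ServletException {
        if (req instanceof HttpServletRequest) {
            chain.doFilter(new XssHttpServletRequestWrapper((HttpServletRequest) req), resp);
        } else {
            chain.doFilter(req, resp);
        }
    }

    @Override
    public void destroy() {
        fc = null;
    }
}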
3 . 编写XssHttpServletRequestWrapper类
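package com.xbz.filter;

import java.util.HashMap;
import java.util.Map;
import java.util.regex.Pattern;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;

/**
 * Request wrapper that sanitises parameter and header values before the controller
 * sees them: a regex blacklist strips obvious script constructs, then
 * {@link #filter(String)} HTML-entity-encodes the remaining special characters.
 *
 * <p>Reviewer notes: a pattern blacklist is not a complete XSS defence, and this
 * wrapper only covers {@code getParameter}, {@code getParameterValues},
 * {@code getParameterMap} and {@code getHeader} (not {@code getHeaders},
 * {@code getQueryString} or the request body). Contextual output encoding in the
 * view layer remains the primary control; because values are entity-encoded on
 * input, a view that escapes again will double-encode them.
 */
public class XssHttpServletRequestWrapper extends HttpServletRequestWrapper {

    /** Blacklist patterns, applied in this order; compiled once instead of on every call. */
    private static final Pattern[] BLACKLIST = {
        // Avoid anything between script tags
        Pattern.compile("<script>(.*?)</script>", Pattern.CASE_INSENSITIVE),
        // Avoid anything in a src='...' or src="..." type of expression
        Pattern.compile("src[\r\n]*=[\r\n]*\\'(.*?)\\'",
                Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL),
        Pattern.compile("src[\r\n]*=[\r\n]*\\\"(.*?)\\\"",
                Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL),
        // Remove any lonesome </script> tag
        Pattern.compile("</script>", Pattern.CASE_INSENSITIVE),
        // Remove any lonesome <script ...> tag
        Pattern.compile("<script(.*?)>",
                Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL),
        // Avoid eval(...) expressions
        Pattern.compile("eval\\((.*?)\\)",
                Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL),
        // Avoid expression(...) expressions
        Pattern.compile("expression\\((.*?)\\)",
                Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL),
        // Avoid javascript:... expressions
        Pattern.compile("javascript:", Pattern.CASE_INSENSITIVE),
        // Avoid vbscript:... expressions
        Pattern.compile("vbscript:", Pattern.CASE_INSENSITIVE),
        // Avoid onload= expressions
        Pattern.compile("onload(.*?)=",
                Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL),
    };

    public XssHttpServletRequestWrapper(HttpServletRequest request) {
        super(request);
    }

    /** @return the sanitised values for {@code parameter}, or null when the parameter is absent */
    @Override
    public String[] getParameterValues(String parameter) {
        String[] values = super.getParameterValues(parameter);
        if (values == null) {
            return null;
        }
        return cleanAll(values);
    }

    /**
     * @return a new mutable map with every value array sanitised. A fresh map is built
     *         instead of re-putting into the map being iterated, as the original did.
     */
    @Override
    public Map<String, String[]> getParameterMap() {
        Map<String, String[]> original = super.getParameterMap();
        Map<String, String[]> encodedMap = new HashMap<String, String[]>(original.size());
        for (Map.Entry<String, String[]> entry : original.entrySet()) {
            encodedMap.put(entry.getKey(), cleanAll(entry.getValue()));
        }
        return encodedMap;
    }

    /** @return the sanitised value of {@code parameter}, or null when absent */
    @Override
    public String getParameter(String parameter) {
        String value = super.getParameter(parameter);
        return value == null ? null : cleanXSS(value);
    }

    /** @return the sanitised header value, or null when the header is absent */
    @Override
    public String getHeader(String name) {
        String value = super.getHeader(name);
        return value == null ? null : cleanXSS(value);
    }

    /** Applies {@link #cleanXSS(String)} to every element of a copy of {@code values}. */
    private String[] cleanAll(String[] values) {
        if (values == null) {
            return null;
        }
        String[] encoded = new String[values.length];
        for (int i = 0; i < values.length; i++) {
            encoded[i] = cleanXSS(values[i]);
        }
        return encoded;
    }

    /**
     * Strips the blacklisted constructs, then entity-encodes the remaining special
     * characters via {@link #filter(String)}.
     *
     * @param value raw request value, may be null
     * @return sanitised value, or null when {@code value} is null
     */
    private String cleanXSS(String value) {
        if (value != null) {
            // Avoid null characters. The published listing called replaceAll("", ""),
            // which is a no-op; the comment documents the intended NUL removal.
            value = value.replace("\0", "");
            for (Pattern pattern : BLACKLIST) {
                value = pattern.matcher(value).replaceAll("");
            }
        }
        return filter(value);
    }

    /**
     * 过滤特殊字符 — HTML-entity-encodes characters that can break out of an HTML or
     * attribute context. The listing as published appended each character back
     * unchanged (presumably entity-decoded by the publishing tool), which made this
     * method a no-op; the encodings below restore the documented intent.
     *
     * @param value string to encode, may be null
     * @return encoded string, or null when {@code value} is null
     */
    public static String filter(String value) {
        if (value == null) {
            return null;
        }
        StringBuilder result = new StringBuilder(value.length() + 16);
        for (int i = 0; i < value.length(); ++i) {
            char c = value.charAt(i);
            switch (c) {
                case '<': result.append("&lt;"); break;
                case '>': result.append("&gt;"); break;
                case '"': result.append("&quot;"); break;
                case '\'': result.append("&#39;"); break;
                case '%': result.append("&#37;"); break;
                case ';': result.append("&#59;"); break;
                case '(': result.append("&#40;"); break;
                case ')': result.append("&#41;"); break;
                case '&': result.append("&amp;"); break;
                case '+': result.append("&#43;"); break;
                default: result.append(c); break;
            }
        }
        return result.toString();
    }
}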
另外, SpringBoot的写法请参考另一篇文章SpringBoot防止XSS攻击