java防止XSS注入的实用工具

XSS注入是数据写入数据库之前的必做操作,否则任由用户输入,则可导致数据库数据的注入,轻者影响数据展示,重者早造成数据库崩溃

下面是项目中经常用到的处理XSS的实用方法

/**  * @author  李光光(编码小王子) * @date    2016年5月23日 下午5:24:39  * @version 1.0    */public class StringUtil {/** * 主要筛选过滤 script javascript alert * */public static String preventXss(String sourceStr){if(StringUtils.isBlank(sourceStr)){return sourceStr;}sourceStr = sourceStr.replaceAll("(?i)javascript", "javascri pt");sourceStr = sourceStr.replaceAll("(?i)<script", "< scri pt");sourceStr = sourceStr.replaceAll("(?i)</script", "< /scri pt");sourceStr = sourceStr.replaceAll("(?i)alert", "aler t");//HTML标签中需要过滤的字符sourceStr = sourceStr.replaceAll("<", "<");sourceStr = sourceStr.replaceAll(">", ">");sourceStr = sourceStr.replaceAll("(?i)img", "im g");sourceStr = sourceStr.replaceAll("(?i)applet", "appl et");sourceStr = sourceStr.replaceAll("(?i)blink", "bli nk");sourceStr = sourceStr.replaceAll("(?i)frameset", "fra mes et");sourceStr = sourceStr.replaceAll("(?i)iframe", "ifra me");sourceStr = sourceStr.replaceAll("(?i)object", "obje ct");sourceStr = sourceStr.replaceAll("(?i)base", "ba se");sourceStr = sourceStr.replaceAll("(?i)body", "bo dy");sourceStr = sourceStr.replaceAll("(?i)head", "hea d");sourceStr = sourceStr.replaceAll("(?i)layer", "lay er");sourceStr = sourceStr.replaceAll("(?i)style", "styl e");sourceStr = sourceStr.replaceAll("(?i)basefont", "basefo nt");sourceStr = sourceStr.replaceAll("(?i)embed", "emb ed");sourceStr = sourceStr.replaceAll("(?i)html", "htm l");sourceStr = sourceStr.replaceAll("(?i)link", "lin k");sourceStr = sourceStr.replaceAll("(?i)title", "tit le");sourceStr = sourceStr.replaceAll("(?i)bgsound", "bgsou nd");sourceStr = sourceStr.replaceAll("(?i)frame", "fra me");sourceStr = sourceStr.replaceAll("(?i)ilayer", "ilay er");sourceStr = sourceStr.replaceAll("(?i)meta", "me ta");//HTML标签属性中需要过滤的字符sourceStr = sourceStr.replaceAll("(?i)dynsrc", "dyns rc");sourceStr = sourceStr.replaceAll("(?i)src", "sr c");sourceStr = sourceStr.replaceAll("(?i)action", "acti on");sourceStr = sourceStr.replaceAll("(?i)href", "hre f");sourceStr = sourceStr.replaceAll("(?i)background", "backgrou nd");sourceStr = sourceStr.replaceAll("(?i)lowsrc", "lowsr c");sourceStr = sourceStr.replaceAll("(?i)value", "valu e");sourceStr = sourceStr.replaceAll("(?i)onmouse", "onmou se");//其他协议中可能用到的关键字需要过滤的字符sourceStr = sourceStr.replaceAll("(?i)vbscript:", "vbscri pt:");sourceStr = sourceStr.replaceAll("(?i)ms-its:", "ms-i ts:");sourceStr = sourceStr.replaceAll("(?i)firefoxurl:", "firefoxu rl:");sourceStr = sourceStr.replaceAll("(?i)javascript:", "javascri pt:");sourceStr = sourceStr.replaceAll("(?i)mhtml:", "mht ml:");sourceStr = sourceStr.replaceAll("(?i)mocha:", "moch a:");sourceStr = sourceStr.replaceAll("(?i)data:", "dat a:");sourceStr = sourceStr.replaceAll("(?i)livescript:", "livescri pt:");return sourceStr;}}

可以使用下面的方式来调用

String clearData = StringUtil.preventXss(dirtyData);