XSS防脚本注入的过滤器

来源：互联网发布：java离线地图开发编辑：程序博客网时间：2024/05/15 14:22

http://www.it165.net/safe/html/201306/655.html

XSS又叫CSS (CrossSite Script) ，跨站脚本攻击。它指的是恶意攻击者往Web页面里插入恶意html代码，当用户浏览该页之时，嵌入其中Web里面的html代码会被执行，从而达到恶意攻击用户的特殊目的。XSS属于被动式的攻击，因为其被动且不好利用，所以许多人常呼略其危害性.

我们这里只是一个简单的例子，不全，我们在springmvc中做一个小的demo,
1.web.xml配置过滤器

view sourceprint?
<!-- XSS过滤器  -->
<filter>
<filter-name>XSSFilter</filter-name>
<filter-class>
com.hanchao.filter.XssCheckFilter
</filter-class>
<init-param>
<param-name>errorPath</param-name>
<param-value>/views/error.<a href="http://www.it165.net/pro/webjsp/"target="_blank" class="keylink">jsp</a></param-value>
</init-param>
<init-param>
<param-name>excludePaths</param-name>
<param-value>/login</param-value>
</init-param> 
</filter>
<filter-mapping>
<filter-name>XSSFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>

2.过滤器代码：

view sourceprint?
package com.kongzhong.passport.filter;
import java.io.IOException;
import java.util.Enumeration;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import com.kongzhong.base.util.KzStringUtil;
public class XSSCheckFilter implements Filter {
private FilterConfig config;
private static String errorPath;//出错跳转的目的地
private static String[] excludePaths;//不进行拦截的url
private static String[] safeless = {"<script",   //需要拦截的JS字符关键字
"</script",
"<iframe",
"</iframe",
"<frame",
"</frame",
"set-cookie",
"%3cscript",
"%3c/script",
"%3ciframe",
"%3c/iframe",
"%3cframe",
"%3c/frame",
"src=\"javascript:",
"<body",
"</body",
"%3cbody",
"%3c/body",
//"<",
//">",
//"</",
//"/>",
//"%3c",
//"%3e",
//"%3c/",
//"/%3e"
};
public void doFilter(ServletRequest req, ServletResponse resp,
FilterChain filterChain) throws IOException, ServletException {   
Enumeration params = req.getParameterNames();
HttpServletRequest request = (HttpServletRequest) req;
HttpServletResponse response = (HttpServletResponse) resp;
//String basePath = request.getScheme() + "://" + request.getServerName() + ":" + request.getServerPort() + "/";
 
boolean isSafe = true;
String requestUrl = request.getRequestURI();
//String queryUrl = request.getQueryString();
//System.out.println("params:" + params + " , requestUrl:" + requestUrl + " , queryUrl" + queryUrl);
if(isSafe(requestUrl)) {
requestUrl = requestUrl.substring(requestUrl.indexOf("/"));
if(!excludeUrl(requestUrl)) {
while (params.hasMoreElements()) {
String cache = req.getParameter((String) params.nextElement());
if(KzStringUtil.isNotBlank(cache)) {
if(!isSafe(cache)) {
isSafe = false;
break;
}
}
}
}
} else {
isSafe = false;
}
 
if(!isSafe) {
request.setAttribute("err", "您输入的参数有非法字符，请输入正确的参数！");
request.getRequestDispatcher(errorPath).forward(request, response);
return;
}
filterChain.doFilter(req, resp);
}
private static boolean isSafe(String str) {
if(KzStringUtil.isNotBlank(str)) {    
for (String s : safeless) {
if(str.toLowerCase().contains(s)) {
return false;
}
}
}
return true;
}
 
private boolean excludeUrl(String url) {      
if(excludePaths != null && excludePaths.length > 0) {                  
for (String path : excludePaths) {
if(url.toLowerCase().equals(path)) {
return true;
}
}
}
return false;
}
 
public void destroy() {
}
public void init(FilterConfig config) throws ServletException {
this.config = config;
errorPath = config.getInitParameter("errorPath");
String excludePath = config.getInitParameter("excludePaths");
if(KzStringUtil.isNotBlank(excludePath)) {
excludePaths = excludePath.split(",");
}
}
}

0 0