java XSS防护esapi

跨站脚本攻击的防御主要考虑过滤用户输入，和后台输出。

1. 过滤用户输入：

对所有后台请求使用filter过滤，在filter中将request中有隐患的关键字过滤掉，由于request中值不能直接修改，所以对request使用装饰者模式，filter代码如下：

import java.io.IOException;import javax.servlet.Filter;import javax.servlet.FilterChain;import javax.servlet.FilterConfig;import javax.servlet.ServletException;import javax.servlet.ServletRequest;import javax.servlet.ServletResponse;import javax.servlet.http.HttpServletRequest;public class XssFilter implements Filter {@Overridepublic void init(FilterConfig filterConfig) throws ServletException {}@Overridepublic void doFilter(ServletRequest request, ServletResponse response,FilterChain chain) throws IOException, ServletException {chain.doFilter(new XssHttpServletRequestWrapper((HttpServletRequest) request), response);}@Overridepublic void destroy() {}}

其中XssHttpServletRequestWrapper类中使用了ESAPI，具体代码如下：

import java.util.regex.Pattern;import javax.servlet.http.HttpServletRequest;import javax.servlet.http.HttpServletRequestWrapper;import org.owasp.esapi.ESAPI;public class XssHttpServletRequestWrapper extends HttpServletRequestWrapper {public XssHttpServletRequestWrapper(HttpServletRequest request) {super(request);}@Override    public String[] getParameterValues(String parameter) {        String[] values = super.getParameterValues(parameter);        if (values == null) {            return null;        }        int count = values.length;        String[] encodedValues = new String[count];        for (int i = 0; i < count; i++) {            encodedValues[i] = stripXSS(values[i]);        }        return encodedValues;    }    @Override    public String getParameter(String parameter) {        String value = super.getParameter(parameter);        return stripXSS(value);    }    @Override    public String getHeader(String name) {        String value = super.getHeader(name);        return stripXSS(value);    }    private String stripXSS(String value) {        if (value != null) {            // NOTE: It's highly recommended to use the ESAPI library and uncomment the following line to            // avoid encoded attacks.            value = ESAPI.encoder().canonicalize(value);//注意：若前端使用get方式提交经过encodeURI的中文，此处会乱码            // Avoid null characters            value = value.replaceAll("", "");            // Avoid anything between script tags            Pattern scriptPattern = Pattern.compile("<script>(.*?)</script>", Pattern.CASE_INSENSITIVE);            value = scriptPattern.matcher(value).replaceAll("");            // Avoid anything in a src='...' type of expression            scriptPattern = Pattern.compile("src[\r\n]*=[\r\n]*\\\'(.*?)\\\'", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);            value = scriptPattern.matcher(value).replaceAll("");            scriptPattern = Pattern.compile("src[\r\n]*=[\r\n]*\\\"(.*?)\\\"", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);            value = scriptPattern.matcher(value).replaceAll("");            // Remove any lonesome </script> tag            scriptPattern = Pattern.compile("</script>", Pattern.CASE_INSENSITIVE);            value = scriptPattern.matcher(value).replaceAll("");            // Remove any lonesome <script ...> tag            scriptPattern = Pattern.compile("<script(.*?)>", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);            value = scriptPattern.matcher(value).replaceAll("");            // Avoid eval(...) expressions            scriptPattern = Pattern.compile("eval\\((.*?)\\)", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);            value = scriptPattern.matcher(value).replaceAll("");            // Avoid expression(...) expressions            scriptPattern = Pattern.compile("expression\\((.*?)\\)", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);            value = scriptPattern.matcher(value).replaceAll("");            // Avoid javascript:... expressions            scriptPattern = Pattern.compile("javascript:", Pattern.CASE_INSENSITIVE);            value = scriptPattern.matcher(value).replaceAll("");            // Avoid vbscript:... expressions            scriptPattern = Pattern.compile("vbscript:", Pattern.CASE_INSENSITIVE);            value = scriptPattern.matcher(value).replaceAll("");            // Avoid onload= expressions            scriptPattern = Pattern.compile("onload(.*?)=", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);            value = scriptPattern.matcher(value).replaceAll("");        }        return value;    }    }

2. 过滤后台输出：

jsp页面有如下代码:<input name="id" value="${ id }" />

当用户输入参数如下： 0" onmouseover=alert(123)  bad=" ，filter不会对该字段做任何处理，但到页面上的时候input就会变为： <input name="id" value="0" onmouseover=alert(123)  bad="" /> 此时，输入框就被增加了一个onmouseover事件。

解决该问题的办法如下：在jsp页面上使用ESAPI对数据进行编码： <input name="id" value="<%=ESAPI.encoder().encodeForHTMLAttribute((String)request.getAttribute("id"))%>" /> ，此时input中数据会原样输出而不会被解析为onmouseover事件。

以上便是先有的解决xss的办法，如有更好的解决方案，还请高手指点一二