Servlet Filter 技术防止XSS攻击的过滤器例子
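import java.io.IOException;
import java.util.regex.Pattern;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;

/**
 * Servlet filter that wraps each request in a {@link ParkingXssHttpServletRequestWrapper} so that
 * parameter and header values are sanitised before the application reads them.
 *
 * <p>Requests whose URI fully matches one of the exclusion patterns below (mobile, Alipay, WeChat
 * and remote-service ".action" endpoints) are passed through <em>unwrapped</em>. Every entry in
 * that list is a place where the sanitiser does not run, so the list should stay as narrow as
 * possible and be reviewed whenever endpoints are added.
 *
 * <p>This is input sanitisation only; it does not replace context-aware output encoding (HTML,
 * attribute, JavaScript) at the point where values are rendered.
 */
public class ParkingXssFilter implements Filter {

    FilterConfig filterConfig = null;

    /*
     * URI patterns that bypass sanitisation. The dot before "action" is escaped so that only a
     * literal ".action" suffix matches; unescaped, "." matched any single character.
     */
    public static final String MOBILE_REG = "/pms/mobile/\\w{1,}\\.action";
    public static final String ALIPAY_REG = "/pms/fuwuchuang/\\w{1,}\\.action";
    public static final String WEIXIN_REG = "/pms/weixin/\\w{1,}\\.action";
    public static final String REMOTE_REG = "/pms/parkRemoteService/\\w{1,}\\.action";

    // Compiled once for the class rather than once per filter instance; Pattern is immutable
    // and safe to share between threads.
    private static final Pattern[] EXCLUDED_URI_PATTERNS = {
        Pattern.compile(MOBILE_REG),
        Pattern.compile(ALIPAY_REG),
        Pattern.compile(WEIXIN_REG),
        Pattern.compile(REMOTE_REG),
    };

    /**
     * Default constructor.
     */
    public ParkingXssFilter() {
    }

    /**
     * @see Filter#destroy()
     */
    @Override
    public void destroy() {
        this.filterConfig = null;
    }

    /**
     * Passes excluded URIs through untouched and wraps every other request in the sanitising
     * wrapper before handing it to the rest of the chain.
     *
     * @param request  the incoming request; must be an {@link HttpServletRequest}
     * @param response the response, passed through unchanged
     * @param chain    the remaining filter chain
     * @throws IOException      propagated from the chain
     * @throws ServletException propagated from the chain
     * @see Filter#doFilter(ServletRequest, ServletResponse, FilterChain)
     */
    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest httpRequest = (HttpServletRequest) request;
        if (isExcluded(httpRequest.getRequestURI())) {
            // Certain special-purpose endpoints are forwarded without cross-site-scripting processing.
            chain.doFilter(request, response);
        } else {
            chain.doFilter(new ParkingXssHttpServletRequestWrapper(httpRequest), response);
        }
    }

    /**
     * Returns {@code true} when the whole URI matches one of the bypass patterns. Uses
     * {@link java.util.regex.Matcher#matches()} (whole-string match) and the patterns admit only
     * {@code \w} path characters, so a URI is never excluded merely because it contains an
     * excluded path as a substring. A {@code null} URI is treated as not excluded, i.e. the
     * request is still wrapped.
     *
     * @param requestUri value of {@code getRequestURI()}, may be {@code null}
     * @return whether the request should skip the sanitising wrapper
     */
    private static boolean isExcluded(String requestUri) {
        if (requestUri == null) {
            return false;
        }
        for (Pattern pattern : EXCLUDED_URI_PATTERNS) {
            if (pattern.matcher(requestUri).matches()) {
                return true;
            }
        }
        return false;
    }

    /**
     * @see Filter#init(FilterConfig)
     */
    @Override
    public void init(FilterConfig fConfig) throws ServletException {
        this.filterConfig = fConfig;
    }
}
///////////////////////////////////////////////////////////
import java.util.regex.Pattern;
import javax.servlet.http.HttpServletRequest;
import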
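javax.servlet.http.HttpServletRequestWrapper;
import java.util.ArrayList;
import java.util.Collections;
import java.util.Enumeration;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.regex.Pattern;

/**
 * Request wrapper that sanitises parameter and header values on the way into the application.
 *
 * <p>Each value goes through {@link #cleanXSS(String)}: NUL characters are dropped, a fixed list
 * of script-like constructs is removed, and finally {@code < > ( ) '} are HTML-entity encoded.
 * The encoding step is what actually renders markup inert; the removals are a best-effort
 * deny-list and must not be relied on by themselves.
 *
 * <p>Coverage is limited to {@code getParameter}, {@code getParameterValues},
 * {@code getParameterMap}, {@code getHeader} and {@code getHeaders}. The request body
 * ({@code getInputStream}/{@code getReader}), the query string, cookies and the path are passed
 * through untouched, and {@code "} and {@code &} are not encoded, so context-aware output
 * encoding at render time (for example a library HTML escaper such as the
 * {@code StringEscapeUtils.escapeHtml4} the previous version mentioned) is still required.
 */
public class ParkingXssHttpServletRequestWrapper extends HttpServletRequestWrapper {

    private static final int FLAGS = Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL;

    // Compiled once and shared: Pattern is immutable and thread-safe, whereas the previous
    // version recompiled every pattern on each call.
    private static final Pattern[] STRIP_PATTERNS = {
        // Avoid anything between script tags
        Pattern.compile("<script>(.*?)</script>", Pattern.CASE_INSENSITIVE),
        // Avoid anything in a src='...' type of expression
        Pattern.compile("src[\r\n]*=[\r\n]*\\\'(.*?)\\\'", FLAGS),
        Pattern.compile("src[\r\n]*=[\r\n]*\\\"(.*?)\\\"", FLAGS),
        // Remove any lonesome </script> tag
        Pattern.compile("</script>", Pattern.CASE_INSENSITIVE),
        // Remove any lonesome <script ...> tag
        Pattern.compile("<script(.*?)>", FLAGS),
        // Avoid eval(...) expressions (lazy match; the previous greedy "eval\\((.*)\\)" variant
        // removed everything up to the last ')' in the value)
        Pattern.compile("eval\\((.*?)\\)", FLAGS),
        // Avoid expression(...) expressions
        Pattern.compile("expression\\((.*?)\\)", FLAGS),
        // Avoid javascript:... expressions
        Pattern.compile("javascript:", Pattern.CASE_INSENSITIVE),
        // Avoid onload= expressions
        Pattern.compile("onload(.*?)=", FLAGS),
    };

    public ParkingXssHttpServletRequestWrapper(HttpServletRequest request) {
        super(request);
    }

    /**
     * Returns the sanitised values for {@code parameter}, or {@code null} when it is absent.
     */
    @Override
    public String[] getParameterValues(String parameter) {
        return cleanAll(super.getParameterValues(parameter));
    }

    /**
     * Returns the sanitised first value for {@code parameter}, or {@code null} when it is absent.
     */
    @Override
    public String getParameter(String parameter) {
        return cleanXSS(super.getParameter(parameter));
    }

    /**
     * Returns a sanitised, unmodifiable copy of the parameter map. Code that reads request data
     * through {@code getParameterMap()} rather than {@code getParameter()} would otherwise see
     * the raw values, bypassing this wrapper.
     */
    @Override
    public Map<String, String[]> getParameterMap() {
        Map<String, String[]> raw = super.getParameterMap();
        if (raw == null) {
            return null;
        }
        Map<String, String[]> cleaned = new LinkedHashMap<String, String[]>();
        for (Map.Entry<String, String[]> entry : raw.entrySet()) {
            cleaned.put(entry.getKey(), cleanAll(entry.getValue()));
        }
        return Collections.unmodifiableMap(cleaned);
    }

    /**
     * Returns the sanitised header value, or {@code null} when the header is absent.
     */
    @Override
    public String getHeader(String name) {
        return cleanXSS(super.getHeader(name));
    }

    /**
     * Returns every value of the header, sanitised, so multi-valued reads match the
     * single-value {@link #getHeader(String)}. Returns {@code null} if the delegate does.
     */
    @Override
    public Enumeration<String> getHeaders(String name) {
        Enumeration<String> raw = super.getHeaders(name);
        if (raw == null) {
            return null;
        }
        List<String> cleaned = new ArrayList<String>();
        while (raw.hasMoreElements()) {
            cleaned.add(cleanXSS(raw.nextElement()));
        }
        return Collections.enumeration(cleaned);
    }

    /**
     * Applies {@link #cleanXSS(String)} to each element; {@code null} in, {@code null} out.
     */
    private static String[] cleanAll(String[] values) {
        if (values == null) {
            return null;
        }
        String[] encoded = new String[values.length];
        for (int i = 0; i < values.length; i++) {
            encoded[i] = cleanXSS(values[i]);
        }
        return encoded;
    }

    /**
     * Sanitises one value. Order matters: the deny-list patterns run on the raw text first,
     * because once '<' and '(' have been entity-encoded none of the "<script", "eval(" or
     * "expression(" patterns can match any more (in the previous ordering they were dead code).
     * Entity encoding runs last so that whatever the deny-list missed is still inert in an HTML
     * text context.
     *
     * @param value raw parameter or header value, may be {@code null}
     * @return the sanitised value, or {@code null} if {@code value} was {@code null}
     */
    private static String cleanXSS(String value) {
        if (value == null) {
            return null;
        }
        // Avoid null characters
        String cleaned = value.replace("\0", "");
        for (Pattern pattern : STRIP_PATTERNS) {
            cleaned = pattern.matcher(cleaned).replaceAll("");
        }
        // HTML-entity encode the characters the previous version intended to encode; its
        // replaceAll("<", "<") style calls had lost the entities and were no-ops. Literal
        // replace() is used so no regex escaping of '(' and ')' is needed.
        cleaned = cleaned.replace("<", "&lt;").replace(">", "&gt;");
        cleaned = cleaned.replace("(", "&#40;").replace(")", "&#41;");
        cleaned = cleaned.replace("'", "&#39;");
        return cleaned;
    }
}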