參考文檔:
http://www.2cto.com/Article/201410/342040.html
在web.xml中加上XSS過濾器的配置
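<!-- XSS input-sanitising filter (uses async-supported, so this needs a Servlet 3.0+ web.xml).
     Every pattern in excludedPages is matched against the context-relative request path;
     a match skips sanitising entirely, so list only static resources and the endpoints
     whose submitted content legitimately contains HTML (here /rest/*/saveOrUpdateRest).
     Keep this list as short as possible. -->
<filter>
    <filter-name>XssFilter</filter-name>
    <filter-class>com.cy.frame.filter.XssFilter</filter-class>
    <async-supported>true</async-supported>
    <init-param>
        <param-name>excludedPages</param-name>
        <!-- Comma-separated; the filter strips whitespace. Do not put free text inside the
             value: every comma-separated entry is treated as a pattern. -->
        <param-value>*.js,*.gif,*.jpg,*.png,*.css,*.ico,/rest/*/saveOrUpdateRest</param-value>
    </init-param>
</filter>
<filter-mapping>
    <filter-name>XssFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>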
XssFilter
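package com.cy.frame.filter;

import java.io.IOException;
import java.io.InputStream;
import java.util.ArrayList;
import java.util.Collections;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;

import org.owasp.validator.html.AntiSamy;
import org.owasp.validator.html.CleanResults;
import org.owasp.validator.html.Policy;
import org.owasp.validator.html.PolicyException;
import org.owasp.validator.html.ScanException;

/**
 * XSS input-sanitising servlet filter.
 *
 * <p>Every request whose context-relative path does not match one of the
 * comma-separated {@code excludedPages} patterns is wrapped in
 * {@link XssRequestWrapper}, which runs parameter and header values through an
 * OWASP AntiSamy policy before the application reads them.
 *
 * <p>The policy is loaded once in {@link #init(FilterConfig)}; if it cannot be
 * loaded the filter refuses to start instead of silently passing raw input
 * through (the previous version swallowed the load failure).
 *
 * <p>NOTE(review): {@code PatternMatchUtils} is referenced without an import in
 * this listing; it appears to be a Spring-style
 * {@code simpleMatch(String[], String)} helper - confirm the import in the project.
 *
 * @author wanghui
 * @since 1.0 (2016-03-14)
 */
public class XssFilter implements Filter {

    /** Raw value of the {@code excludedPages} init-param (may be null). */
    private String excludedPages;

    /** Parsed exclusion patterns; never null, empty when nothing is configured. */
    private String[] excludedPageArray = new String[0];

    /**
     * Reads the exclusion list and loads the AntiSamy policy.
     *
     * @param filterConfig container-supplied configuration
     * @throws ServletException if the policy resource is missing or unparsable
     */
    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
        excludedPages = filterConfig.getInitParameter("excludedPages");
        excludedPageArray = parsePatterns(excludedPages);
        // Fail fast: a sanitising filter with no policy must not start, otherwise every
        // request would be passed through unsanitised.
        try {
            XssRequestWrapper.loadPolicy();
        } catch (PolicyException e) {
            throw new ServletException(
                    "XssFilter: cannot load AntiSamy policy " + XssRequestWrapper.POLICY_RESOURCE, e);
        }
    }

    /**
     * Passes excluded requests through untouched and wraps everything else.
     *
     * @param request  incoming request (expected to be an HttpServletRequest)
     * @param response outgoing response, untouched by this filter
     * @param chain    remaining filter chain
     * @throws IOException      propagated from the chain
     * @throws ServletException propagated from the chain
     */
    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest httpRequest = (HttpServletRequest) request;
        if (isMatchUrl(excludedPageArray, httpRequest)) {
            // Explicitly excluded: static resources or endpoints that legitimately accept HTML.
            chain.doFilter(request, response);
        } else {
            chain.doFilter(new XssRequestWrapper(httpRequest), response);
        }
    }

    /** Drops the parsed configuration. */
    @Override
    public void destroy() {
        excludedPages = null;
        excludedPageArray = new String[0];
    }

    /**
     * Splits the init-param on commas, removing all whitespace and empty entries.
     *
     * @param configured raw init-param value, may be null or blank
     * @return the patterns, never null
     */
    static String[] parsePatterns(String configured) {
        if (configured == null || configured.trim().isEmpty()) {
            return new String[0];
        }
        List<String> patterns = new ArrayList<String>();
        for (String pattern : configured.replaceAll("\\s", "").split(",")) {
            // An empty entry could only ever match the empty path; skip it.
            if (pattern.length() > 0) {
                patterns.add(pattern);
            }
        }
        return patterns.toArray(new String[patterns.size()]);
    }

    /**
     * Tests whether the request's context-relative path matches one of the patterns.
     *
     * @param patterns simple wildcard patterns (may be null or empty: no match)
     * @param request  the request to classify
     * @return true if any pattern matches the normalised path
     */
    public static boolean isMatchUrl(String[] patterns, HttpServletRequest request) {
        if (patterns == null || patterns.length == 0) {
            return false;
        }
        String contextPath = request.getContextPath();
        String requestUri = request.getRequestURI();
        // Context-relative path with runs of slashes collapsed so "/a///b" compares as "/a/b".
        // getRequestURI() is neither URL-decoded nor dot-segment normalised, and a match here
        // skips sanitising entirely - keep the exclusion patterns as narrow as possible.
        String action = requestUri.substring(contextPath.length()).replaceAll("/+", "/");
        return PatternMatchUtils.simpleMatch(patterns, action);
    }

    /**
     * Decorator that sanitises parameter and single-header values as they are read.
     *
     * <p>Only {@link #getParameter}, {@link #getParameterValues},
     * {@link #getParameterMap} and {@link #getHeader} are covered; multi-valued
     * header accessors, the request body and cookies are not sanitised here.
     *
     * <p>NOTE(review): AntiSamy returns HTML, so plain-text values may come back
     * entity-encoded (for example {@code &} as {@code &amp;}) - confirm this is
     * acceptable for parameters that are not meant to be HTML. The configured
     * policy name suggests the most permissive AntiSamy sample policy; a stricter
     * sample policy from the same artifact may be more appropriate for an XSS filter.
     *
     * @author wanghui
     * @since 1.0 (2016-03-14)
     */
    static class XssRequestWrapper extends HttpServletRequestWrapper {

        /** Classpath resource holding the AntiSamy policy. */
        static final String POLICY_RESOURCE = "antisamy-anythinggoes.xml";

        /** Policy shared by all wrappers; set once by {@link #loadPolicy()} during filter init. */
        private static volatile Policy policy;

        /**
         * Loads {@link #POLICY_RESOURCE} from the classpath into {@link #policy}.
         *
         * @throws PolicyException if the resource is missing or cannot be parsed
         */
        static void loadPolicy() throws PolicyException {
            InputStream in = XssRequestWrapper.class.getClassLoader().getResourceAsStream(POLICY_RESOURCE);
            if (in == null) {
                throw new PolicyException("policy resource not found on classpath: " + POLICY_RESOURCE);
            }
            try {
                policy = Policy.getInstance(in);
            } finally {
                try {
                    in.close();
                } catch (IOException ignored) {
                    // The policy is already parsed; a close failure on a classpath stream is irrelevant.
                }
            }
        }

        public XssRequestWrapper(HttpServletRequest request) {
            super(request);
        }

        /**
         * Returns a sanitised copy of the parameter map.
         *
         * <p>The container's map and its value arrays are shared with the unwrapped
         * request and are specified as immutable, so they are copied rather than
         * cleaned in place (the previous version overwrote the arrays, which also
         * re-sanitised them on every call).
         */
        @Override
        public Map<String, String[]> getParameterMap() {
            Map<String, String[]> original = super.getParameterMap();
            Map<String, String[]> cleaned = new LinkedHashMap<String, String[]>();
            for (Map.Entry<String, String[]> entry : original.entrySet()) {
                cleaned.put(entry.getKey(), cleanAll(entry.getValue()));
            }
            return Collections.unmodifiableMap(cleaned);
        }

        /** Returns sanitised copies of the values, or null if the parameter is absent. */
        @Override
        public String[] getParameterValues(String paramString) {
            return cleanAll(super.getParameterValues(paramString));
        }

        /** Returns the sanitised value, or null if the parameter is absent. */
        @Override
        public String getParameter(String paramString) {
            String value = super.getParameter(paramString);
            return value == null ? null : xssClean(value);
        }

        /** Returns the sanitised header value, or null if the header is absent. */
        @Override
        public String getHeader(String paramString) {
            String value = super.getHeader(paramString);
            return value == null ? null : xssClean(value);
        }

        /** Sanitises each element into a new array; null in, null out. */
        private String[] cleanAll(String[] values) {
            if (values == null) {
                return null;
            }
            String[] out = new String[values.length];
            for (int i = 0; i < values.length; i++) {
                out[i] = xssClean(values[i]);
            }
            return out;
        }

        /**
         * Runs one value through AntiSamy.
         *
         * <p>Fails closed: a scan failure throws rather than handing the raw value to
         * the application (the previous version returned the unsanitised input).
         *
         * @param value the raw value, may be null
         * @return the cleaned HTML, or null if {@code value} was null
         * @throws IllegalStateException if no policy is loaded or the scan fails
         */
        private String xssClean(String value) {
            if (value == null) {
                return null;
            }
            Policy current = policy;
            if (current == null) {
                throw new IllegalStateException("AntiSamy policy not loaded; XssFilter.init() must run first");
            }
            try {
                CleanResults results = new AntiSamy().scan(value, current);
                return results.getCleanHTML();
            } catch (ScanException e) {
                throw new IllegalStateException("AntiSamy scan failed; refusing to pass the raw value through", e);
            } catch (PolicyException e) {
                throw new IllegalStateException("AntiSamy policy error during scan", e);
            }
        }
    }
}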
配置文件(antisamy-anythinggoes.xml下載地址)
https://yunpan.cn/cBk3ZhvSC8DJw 訪問密碼 1cb6app
相關依賴jar
<!-- OWASP AntiSamy: the HTML sanitiser used by XssFilter. -->
<dependency>
    <groupId>org.owasp.antisamy</groupId>
    <artifactId>antisamy</artifactId>
    <version>1.5.3</version>
    <scope>compile</scope>
</dependency>
<!-- AntiSamy sample policy files. The filter loads its policy from the classpath,
     so verify the expected policy file is actually present at runtime. -->
<dependency>
    <groupId>org.owasp.antisamy</groupId>
    <artifactId>antisamy-sample-configs</artifactId>
    <version>1.5.3</version>
    <scope>compile</scope>
</dependency>