java請求URL帶參之防XSS攻擊
1.web.xml新增filter配置javascript
<!-- URL請求參數字符過濾或合法性校驗 -->
<filter>
<filter-name>XssFilter</filter-name>
<filter-class>com.isoftstone.ifa.web.base.filter.XssFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>XssFilter</filter-name>
<url-pattern>/*</url-pattern>
<dispatcher>REQUEST</dispatcher>
<dispatcher>FORWARD</dispatcher>
</filter-mapping>
2.新增com.isoftstone.ifa.web.base.filter.XssFilter XssFilter.class類,(注:路徑要正確)java
package com.isoftstone.ifa.web.base.filter; import java.io.IOException; import javax.servlet.Filter; import javax.servlet.FilterChain; import javax.servlet.FilterConfig; import javax.servlet.ServletException; import javax.servlet.ServletRequest; import javax.servlet.ServletResponse; import javax.servlet.http.HttpServletRequest; public class XssFilter implements Filter { FilterConfig filterConfig = null; @Override public void init(FilterConfig filterConfig) throws ServletException { this.filterConfig = filterConfig; } @Override public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException { //對請求進行攔截,防xss處理 chain.doFilter(new XssHttpServletRequestWrapper((HttpServletRequest) request), response); } @Override public void destroy() { this.filterConfig = null; } }
3.新增XssHttpServletRequestWrapper攔截過濾class類web
package com.isoftstone.ifa.web.base.filter; import java.util.regex.Pattern; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletRequestWrapper; import org.apache.commons.lang.StringUtils; import org.slf4j.Logger; import org.slf4j.LoggerFactory; public class XssHttpServletRequestWrapper extends HttpServletRequestWrapper { private static final Logger logger = LoggerFactory .getLogger(XssHttpServletRequestWrapper.class); public XssHttpServletRequestWrapper(HttpServletRequest request) { super(request); } /** * 對數組參數進行特殊字符過濾 */ @Override public String[] getParameterValues(String name) { String[] values = super.getParameterValues(name); if (values != null) { int length = values.length; String[] escapseValues = new String[length]; for (int i = 0; i < length; i++) { escapseValues[i] = escapeHtml4(values[i]); } return escapseValues; } return super.getParameterValues(name); } @Override public String getQueryString() { return escapeHtml4(super.getQueryString()); } /** * 對參數中特殊字符進行過濾 */ @Override public String getParameter(String name) { return escapeHtml4(super.getParameter(name)); } /** * 對請求頭部進行特殊字符過濾 */ @Override public String getHeader(String name) { return escapeHtml4(super.getHeader(name)); } public static String escapeHtml4(String value) { if (StringUtils.isNotBlank(value)) { // 避免script 標籤 Pattern scriptPattern = Pattern.compile("<script>(.*?)</script>", Pattern.CASE_INSENSITIVE); value = scriptPattern.matcher(value).replaceAll(""); // 避免src形式的表達式 scriptPattern = Pattern.compile("src[\r\n]*=[\r\n]*\\\'(.*?)\\\'", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL); value = scriptPattern.matcher(value).replaceAll(""); scriptPattern = Pattern.compile("src[\r\n]*=[\r\n]*\\\"(.*?)\\\"", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL); value = scriptPattern.matcher(value).replaceAll(""); // 刪除單個的 </script> 標籤 scriptPattern = Pattern.compile("</script>", Pattern.CASE_INSENSITIVE); value = scriptPattern.matcher(value).replaceAll(""); // 刪除單個的<script ...> 標籤 scriptPattern = Pattern.compile("<script(.*?)>", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL); value = scriptPattern.matcher(value).replaceAll(""); // 避免 eval(...) 形式表達式 scriptPattern = Pattern.compile("eval\\((.*?)\\)", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL); value = scriptPattern.matcher(value).replaceAll(""); // 避免 expression(...) 表達式 scriptPattern = Pattern.compile("expression\\((.*?)\\)", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL); value = scriptPattern.matcher(value).replaceAll(""); // 避免 javascript: 表達式 scriptPattern = Pattern.compile("javascript:", Pattern.CASE_INSENSITIVE); value = scriptPattern.matcher(value).replaceAll(""); // 避免 vbscript:表達式 scriptPattern = Pattern.compile("vbscript:", Pattern.CASE_INSENSITIVE); value = scriptPattern.matcher(value).replaceAll(""); // 避免 onload= 表達式 scriptPattern = Pattern.compile("onload(.*?)=", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL); value = scriptPattern.matcher(value).replaceAll(""); // 避免 onmouseover= 表達式 scriptPattern = Pattern.compile("onmouseover(.*?)=", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL); value = scriptPattern.matcher(value).replaceAll(""); // 避免 onfocus= 表達式 scriptPattern = Pattern.compile("onfocus(.*?)=", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL); value = scriptPattern.matcher(value).replaceAll(""); // 避免 onerror= 表達式 scriptPattern = Pattern.compile("onerror(.*?)=", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL); value = scriptPattern.matcher(value).replaceAll(""); //移除特殊標籤 value = value.replaceAll("<", "<").replaceAll(">", ">"); } return value; } public static void main(String[] args) { String value = "&receiveCellphone=13888888888&receiveEmail=ssssss%40qq.com\"/><img/src=1 onclick=alert(document.cookie)>&"; System.out.println("===:"+escapeHtml4(value)); } }
相關文章
- 1. java 防止xss攻擊
- 2. JavaWeb之防止XSS攻擊
- 3. xss攻擊防範
- 4. 防範XSS攻擊
- 5. SpringBoot防XSS攻擊
- 6. PHP 防xss攻擊
- 7. 跨站請求攻擊 XSS與CRSF
- 8. XSS攻擊和CSRF攻擊與防範
- 9. XSS攻擊與防護
- 10. XSS、CSRF攻擊與防範
- 更多相關文章...
- • HTTP 請求方法 - HTTP 教程
- • 發送ICMP時間戳請求 - TCP/IP教程
- • 爲了進字節跳動,我精選了29道Java經典算法題,帶詳細講解
- • Java 8 Stream 教程
相關標籤/搜索
每日一句
-
每一个你不满意的现在,都有一个你没有努力的曾经。
歡迎關注本站公眾號,獲取更多信息
相關文章
- 1. java 防止xss攻擊
- 2. JavaWeb之防止XSS攻擊
- 3. xss攻擊防範
- 4. 防範XSS攻擊
- 5. SpringBoot防XSS攻擊
- 6. PHP 防xss攻擊
- 7. 跨站請求攻擊 XSS與CRSF
- 8. XSS攻擊和CSRF攻擊與防範
- 9. XSS攻擊與防護
- 10. XSS、CSRF攻擊與防範