java解决xss攻击
以下是一个简单的Java Filter代码段,可以用于防止XSS攻击:
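import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;

import java.io.IOException;
import java.util.Collections;
import java.util.LinkedHashMap;
import java.util.Map;

/**
 * Servlet filter that HTML-escapes request parameters before they reach the
 * application, as a defence-in-depth layer against reflected/stored XSS.
 *
 * <p>Every parameter read through {@link HttpServletRequest#getParameter},
 * {@link HttpServletRequest#getParameterValues} or
 * {@link HttpServletRequest#getParameterMap} has the characters
 * {@code < > ( ) ' "} replaced by HTML entity references. In the listing as
 * published the replacement strings had collapsed into the bare characters
 * themselves ({@code replaceAll("<", "<")}), so the filter did not alter any
 * value; this version spells the entities out.
 *
 * <p>Scope: escaping at input time covers HTML body and quoted-attribute
 * context only. Values written into a URL, a {@code <script>} block or a CSS
 * context still need context-specific encoding at output time, and headers,
 * the query string and the request body are not touched by this filter.
 */
public class XSSFilter implements Filter {

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        // Only HTTP requests carry parameters worth escaping; a non-HTTP request is
        // passed through unchanged rather than failing on an unconditional cast.
        if (request instanceof HttpServletRequest) {
            chain.doFilter(new RequestWrapper((HttpServletRequest) request), response);
        } else {
            chain.doFilter(request, response);
        }
    }

    @Override
    public void init(FilterConfig filterConfig) {
        // No configuration is read.
    }

    @Override
    public void destroy() {
        // Nothing to release.
    }

    /**
     * Returns {@code value} with the characters {@code < > ( ) ' "} replaced by
     * HTML entity references, or {@code null} for a {@code null} input.
     *
     * <p>A single pass over the characters replaces the chain of
     * {@code replaceAll} calls: no rule can re-introduce a character an earlier
     * rule escaped, and the result does not depend on rule order. The
     * substring deletions of the published listing ({@code "script"},
     * {@code "eval(...)"}, quoted {@code "javascript:"}) are dropped: once
     * {@code <} is escaped no tag can be opened, the last two could never match
     * after the parentheses and quotes had been escaped, and deleting
     * {@code "script"} mangles ordinary text such as {@code "description"}.
     * {@code &} is not escaped, matching the original rule set, so entity
     * references already present in the input pass through unchanged.
     *
     * @param value raw parameter value, may be {@code null}
     * @return escaped value, or {@code null} if {@code value} is {@code null}
     */
    static String cleanXSS(String value) {
        if (value == null) {
            return null;
        }
        StringBuilder out = new StringBuilder(value.length() + 16);
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            switch (c) {
                case '<':
                    out.append("&lt;");
                    break;
                case '>':
                    out.append("&gt;");
                    break;
                case '(':
                    out.append("&#40;");
                    break;
                case ')':
                    out.append("&#41;");
                    break;
                case '\'':
                    out.append("&#39;");
                    break;
                case '"':
                    out.append("&quot;");
                    break;
                default:
                    out.append(c);
            }
        }
        return out.toString();
    }

    /**
     * Applies {@link #cleanXSS} to every element of {@code values}.
     *
     * @param values raw parameter values, may be {@code null}
     * @return a new array of escaped values, or {@code null} if {@code values} is {@code null}
     */
    private static String[] cleanAll(String[] values) {
        if (values == null) {
            return null;
        }
        String[] cleaned = new String[values.length];
        for (int i = 0; i < values.length; i++) {
            cleaned[i] = cleanXSS(values[i]);
        }
        return cleaned;
    }

    /** Request wrapper whose parameter accessors return escaped copies of the raw values. */
    private static class RequestWrapper extends HttpServletRequestWrapper {

        RequestWrapper(HttpServletRequest servletRequest) {
            super(servletRequest);
        }

        @Override
        public String getParameter(String parameter) {
            return cleanXSS(super.getParameter(parameter));
        }

        @Override
        public String[] getParameterValues(String parameter) {
            return cleanAll(super.getParameterValues(parameter));
        }

        /**
         * Escapes the values in the parameter map as well. The published wrapper
         * left this accessor untouched, so code that read parameters through the
         * map received raw input while {@code getParameter} returned escaped text.
         */
        @Override
        public Map<String, String[]> getParameterMap() {
            Map<String, String[]> raw = super.getParameterMap();
            Map<String, String[]> cleaned = new LinkedHashMap<>();
            for (Map.Entry<String, String[]> entry : raw.entrySet()) {
                cleaned.put(entry.getKey(), cleanAll(entry.getValue()));
            }
            return Collections.unmodifiableMap(cleaned);
        }
    }
}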
该过滤器将HttpServletRequest包装在内部类RequestWrapper中，并覆盖了getParameter()和getParameterValues()方法。在这些方法中，我们先调用父类的相应方法获取原始参数值，然后使用cleanXSS()方法对潜在的XSS代码进行转义或移除。在cleanXSS()方法中，我们使用正则表达式处理各种类型的潜在恶意代码，例如“<script>”标签、括号、单引号、双引号等。
