亲测有效的几种fortify扫描安全漏洞的解决方案

1、Header Manipulation:过滤请求头中的参数

 

public static String getFilePath(String path){

String regex = "[`~!@#$%^&*()\\+\\=||{}|:\"?><【】\\/r\\/n]";

Pattern pa = new Pattern.compile(regex);

Matcher ma = pa.matcher(path);

if(ma.find()){

path = ma.replaceAll("").trim();

}

path = path.replace("\\","/");

path = pathj.replace("../","");

return path;

}

 

2、Cross-Site Scripting:

 

（1）Reflected:由于这个错误java和jsp中都有，附上公共java方法和公共js方法中的代码

java:

final static List<String> list = new ArrayList<~>();

static{

list.add("<");

list.add(">");

list.add("(");

list.add(")");

list.add("&");

list.add("?");

list.add(";");

}

public static String Filter(String output){

String encode = Normalizer.normalize(output,Normalizer.Form.NFKC);

for(int i=;i<list.size();i++){

encode = encode.replace(list.get(i),"");

}

return encode

}

 

js:

charFilter(str:String){

let charArray = ["<",">","(",")","&","?",";"];

let encode = str.normalize("NFKC");

for(let i=0;i<charArray.length;i++){

encode = encode.replace(charArray[i],"");

}

return encode;

}