java后台防止XSS的脚本攻击
2024-08-27 07:40:46
import java.util.regex.Pattern; //具体过滤关键字符
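/**
 * Input-side XSS "sanitizer": a fixed blocklist of regular expressions whose
 * matches are deleted from a string before it reaches the controller layer.
 *
 * <p>Security caveats to keep in mind before relying on this class:
 * <ul>
 *   <li>It is a blocklist, not an allowlist, and it knows nothing about the
 *       output context (HTML body, attribute, JavaScript, URL, CSS). The reliable
 *       control is context-aware output encoding at render time (e.g. Spring's
 *       {@code HtmlUtils.htmlEscape} or the OWASP Java Encoder); treat this class
 *       as defence in depth only.</li>
 *   <li>The last two patterns delete every {@code <} and {@code >}, so no tag can
 *       survive in the result - but legitimate input such as {@code "a < b"} or
 *       the word {@code "alerts"} is silently corrupted as well.</li>
 *   <li>Among event handlers only {@code onload} is covered; {@code onerror=...}
 *       passes through (see {@link #main}) and would still be live if the page
 *       emits the value unencoded inside an HTML attribute.</li>
 *   <li>No canonicalization is performed: HTML-entity-, URL- or double-encoded
 *       payloads are not decoded before matching.</li>
 * </ul>
 */
public class XSSUtil {

    /**
     * Deleted from the input in array order. Order matters: the bracket patterns
     * at the end run last, after the tag-specific rules have had their chance.
     */
    private static final Pattern[] PATTERNS = {
        // <script>...</script> on a single line (no DOTALL; multi-line bodies only
        // lose their tags via the "lonely script tag" rules below)
        Pattern.compile("<script>(.*?)</script>", Pattern.CASE_INSENSITIVE),
        // src='...' and src="..." (quoted forms only; an unquoted src=... is left alone)
        Pattern.compile("src[\r\n]*=[\r\n]*\\\'(.*?)\\\'", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL),
        Pattern.compile("src[\r\n]*=[\r\n]*\\\"(.*?)\\\"", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL),
        // lonely script tags
        Pattern.compile("</script>", Pattern.CASE_INSENSITIVE),
        Pattern.compile("<script(.*?)>", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL),
        // eval(...)
        Pattern.compile("eval\\((.*?)\\)", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL),
        // expression(...)
        Pattern.compile("expression\\((.*?)\\)", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL),
        // javascript: and vbscript: URL schemes
        Pattern.compile("javascript:", Pattern.CASE_INSENSITIVE),
        Pattern.compile("vbscript:", Pattern.CASE_INSENSITIVE),
        // onload...= : deletes from "onload" up to the next '=' (DOTALL, so across lines)
        Pattern.compile("onload(.*?)=", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL),
        // Added after an on-site security test. NOTE: the lazy group matches the
        // empty string, so this is equivalent to deleting the bare word "alert".
        Pattern.compile("alert(.*?)", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL),
        // Finally drop every angle bracket; this is what actually prevents tag injection.
        Pattern.compile("<", Pattern.MULTILINE | Pattern.DOTALL),
        Pattern.compile(">", Pattern.MULTILINE | Pattern.DOTALL)
    };

    /** Static utility class; not meant to be instantiated. */
    private XSSUtil() {
    }

    /**
     * Deletes NUL characters and every match of {@link #PATTERNS} from {@code value}.
     *
     * @param value untrusted text; may be {@code null}
     * @return {@code null} when {@code value} is {@code null}; otherwise the text with
     *         all matches removed, which may differ from the input even for harmless text
     */
    public static String stripXSS(String value) {
        if (value == null) {
            return null;
        }
        // TODO: canonicalize first (e.g. ESAPI.encoder().canonicalize(value)) so that
        // entity-/URL-encoded payloads are actually seen by the patterns below.
        // NUL bytes: a literal replace is enough here, no regex needed.
        String cleaned = value.replace("\0", "");
        for (Pattern scriptPattern : PATTERNS) {
            cleaned = scriptPattern.matcher(cleaned).replaceAll("");
        }
        return cleaned;
    }

    /**
     * Manual demo: the classic img/onerror payload loses its brackets and the word
     * "alert", but note that "onerror=" itself survives.
     */
    public static void main(String[] args) {
        System.out.println("11" + XSSUtil.stripXSS("<img src=0 onerror=alert(1)>"));
    }
}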
import com.ideatech.common.util.XSSUtil;
import lombok.extern.slf4j.Slf4j;
import org.springframework.stereotype.Component;
import org.springframework.web.bind.WebDataBinder;
import org.springframework.web.bind.annotation.ControllerAdvice;
import org.springframework.web.bind.annotation.InitBinder; import java.beans.PropertyEditorSupport; //每一个请求进入控制层之前会先进行字符过滤
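/**
 * Runs every {@code String} that goes through Spring data binding (query/form
 * parameters, {@code @ModelAttribute} fields) through {@link XSSUtil#stripXSS}
 * before the controller sees it.
 *
 * <p>Caveats:
 * <ul>
 *   <li>Input is mutated silently: a user entering {@code "a < b"} ends up with
 *       {@code "a  b"} stored, with only a log line as evidence. Rejecting the
 *       request (HTTP 400) is often the safer choice.</li>
 *   <li>NOTE(review): {@link PropertyEditorSupport} editors only take part in data
 *       binding; confirm separately that {@code @RequestBody} payloads (handled by
 *       message converters) are covered, or rely on output encoding there.</li>
 *   <li>Input-side stripping is defence in depth only; the view layer must still
 *       HTML-encode every value it renders.</li>
 * </ul>
 */
@ControllerAdvice
@Component
@Slf4j
public class GlobalBindingInitializer {

    @InitBinder
    protected void initBinder(WebDataBinder binder) {
        binder.registerCustomEditor(String.class, new PropertyEditorSupport() {
            @Override
            public void setAsText(String text) {
                String value = text;
                if (value != null) {
                    String cleanText = XSSUtil.stripXSS(value);
                    if (!cleanText.equals(value)) {
                        // Every bound String passes through here - including passwords
                        // and other secrets - and the raw value may contain CR/LF.
                        // Never write the content to the log; record only that a
                        // change happened and how large it was.
                        log.info("xss clean applied, length before[{}] after[{}]",
                                value.length(), cleanText.length());
                        value = cleanText;
                    }
                }
                setValue(value);
            }

            @Override
            public String getAsText() {
                Object current = getValue();
                return current != null ? current.toString() : "";
            }
        });
    }
}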