XSS漏洞防护
2024-09-02 14:22:01
主要是添加黑名单进行拦截
public class XSSFilter implements Filter {
private final Log logger = LogFactory.getLog(XSSFilter.class); // XSS处理Map
private static Map<String,String> xssMap = new HashMap<String,String>();
public void init(FilterConfig filterConfig) throws ServletException { // 含有脚本: script
xssMap.put("[s|S][c|C][r|R][i|C][p|P][t|T]", ""); /*16进制的javascript : 6a617661736372697074
(\\\\x6a|\\\\x4a) 表示的正则含义为 (\x6a|\x4a)
*/
xssMap.put("((\\\\x6a|\\\\x4a)(\\\\x61|\\\\x41)(\\\\x76|\\\\x56)(\\\\x61|\\\\x41)(\\\\x73|\\\\x53)|(\\\\x63|\\\\x43)(\\\\x72|\\\\x52)(\\\\x69|\\\\x49)(\\\\x70|\\\\x50)(\\\\x74|\\\\x54))", ""); /*16进制的script : 736372697074
(\\\\x6a|\\\\x4a) 表示的正则含义为 (\x6a|\x4a)
*/
xssMap.put("((\\\\x73|\\\\x53)|(\\\\x63|\\\\x43)(\\\\x72|\\\\x52)(\\\\x69|\\\\x49)(\\\\x70|\\\\x50)(\\\\x74|\\\\x54))", ""); // 含有脚本 javascript
xssMap.put("[\\\"\\\'][\\s]*[j|J][a|A][v|V][a|A][s|S][c|C][r|R][i|I][p|P][t|T]:(.*)[\\\"\\\']", "\"\""); // 含有函数: eval
xssMap.put("[e|E][v|V][a|A][l|L]\\((.*)\\)", ""); // 含有符号 (
xssMap.put("\\(", "("); // 含有符号 )
xssMap.put("\\)", ")"); } public void destroy() { } public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
chain.doFilter(new XssHttpServletRequestWrapper((HttpServletRequest) request , xssMap), response);
}
}
Filter
package com.ulic.misp.wx.oauth2; import java.util.Map;
import java.util.Set;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper; import com.ulic.misp.pub.framework.log.Log;
import com.ulic.misp.pub.framework.log.LogFactory; public class XssHttpServletRequestWrapper extends HttpServletRequestWrapper { private final Log logger = LogFactory.getLog(XssHttpServletRequestWrapper.class);
private Map<String, String> xssMap; public XssHttpServletRequestWrapper(HttpServletRequest request) { super(request); } public XssHttpServletRequestWrapper(HttpServletRequest request, Map<String, String> xssMap) { super(request); this.xssMap = xssMap; } @Override
public String getQueryString() {
String queryString = super.getQueryString();
if(queryString==null){
return null;
}
queryString = cleanXSS(queryString);
logger.info("queryString :{}",queryString);
return queryString;
} @Override
public String[] getParameterValues(String parameter) { String[] values = super.getParameterValues(parameter); if (values == null) { return null; } int count = values.length; // 遍历每一个参数,检查是否含有 String[] encodedValues = new String[count]; for (int i = 0; i < count; i++) { encodedValues[i] = cleanXSS(values[i]); } return encodedValues; } @Override public String getParameter(String parameter) { String value = super.getParameter(parameter); if (value == null) { return null; } return cleanXSS(value); } public String getHeader(String name) { String value = super.getHeader(name); if (value == null) return null; return cleanXSS(value); } /**
*
* 清除恶意的XSS脚本
*
*
*
* @param value
*
* @return
*
*/ private String cleanXSS(String value) { Set<String> keySet = xssMap.keySet(); for (String key : keySet) { String v = xssMap.get(key); value = value.replaceAll(key, v); }
return value; }
}
重写请求的一些处理
最新文章
- java web学习总结(十九) -------------------监听器简单使用场景
- marquee 实现首尾相连循环滚动效果
- 关于/etc/hosts文件
- 学习jQuery的on事件
- TCP/IP协议栈与数据包封装+TCP与UDP区别
- Django中国|Django中文社区——python、django爱好者交流社区
- PHP 5.6启动失败failed to open configuration file &#39;/usr/local/php/etc/php-fpm.conf&#39;
- UITableView 属性集合
- Struts开发问题集锦
- hdu 1531	King
- App Extensions篇之Share Extension
- eclipse项目中引入shiro-freemarker-tags会jar包冲突
- Unity备份占时留用
- SQL数据库约束、默认和规则
- 【转】Python数据类型之“数字(numerics)”
- [转载]基于UML的需求分析和系统设计(完整案例和UML图形演示)
- React中jquery引用
- java.util.zip.ZipException: duplicate entry(重复依赖多版本的类库)
- CPU和线程的关系
- Android中检测字符编码(GB2312,ASCII,UTF8,UNICODE,TOTAL——ENCODINGS)方法(二)
热门文章
- pip安装第三方库报错Retrying (Retry(total=1, connect=None, read=None, redirect=None, status=None))...
- python 类和对象上
- 对象与json字符串相互转化
- 爬虫-ajax请求遇到Unicode编码问题
- windows10图形化连接CentOS7
- 【记录】Mybatis-Generator 数据层代码生成器,自动生成dao类,mapper,pojo类
- linux c 链接详解2-定义和声明
- 虚拟机复制的linux无法联网,解决Bringing up interface eth0: Device eth0 does not seem to be present, delaying initialization.
- 第12篇Kubernetes 监控
- Java缓冲流的优点和原理