jsp过滤非法字符输入防止XSS跨站攻击

墨蓝 2022-06-17 01:24 281阅读 0赞

一。写一个过滤器

代码如下：

package com.liufeng.sys.filter;

import java.io.IOException;

import java.io.PrintWriter;

import javax.servlet.Filter;

import javax.servlet.FilterChain;

import javax.servlet.FilterConfig;

import javax.servlet.ServletException;

import javax.servlet.ServletRequest;

import javax.servlet.ServletResponse;

import javax.servlet.http.HttpServletRequest;

import javax.servlet.http.HttpServletResponse;

public class IllegalCharacterFilter implements Filter \{

private String\[\] characterParams = null;

private boolean OK=true;

public void destroy() \{

// TODO Auto-generated method stub

/\*\*

\* 此程序块主要用来解决参数带非法字符等过滤功能

\*/

public void doFilter(ServletRequest request, ServletResponse response,

FilterChain arg2) throws IOException, ServletException \{

HttpServletRequest servletrequest = (HttpServletRequest) request;

HttpServletResponse servletresponse = (HttpServletResponse) response;

boolean status = false;

java.util.Enumeration params = request.getParameterNames();

String param="";

String paramValue = "";

servletresponse.setContentType("text/html");

servletresponse.setCharacterEncoding("utf-8");

while (params.hasMoreElements()) \{

param = (String) params.nextElement();

String\[\] values = request.getParameterValues(param);

paramValue = "";

if(OK)\{//过滤字符串为0个时 不对字符过滤

for (int i = 0; i < values.length; i++)

paramValue=paramValue+values\[i\];

for(int i=0;i<characterParams.length;i++)

if (paramValue.indexOf(characterParams\[i\]) >= 0) \{

status = true;

break; www.2cto.com

if(status)break;

//   System.out.println(param+"="+paramValue+";");

if (status) \{

PrintWriter out = servletresponse.getWriter();

out

.print("<script language='javascript'>alert(\\"对不起！您输入内容含有非法字符。如：\\\\\\"'\\\\\\".等\\");"

// + servletrequest.getRequestURL()

+ "window.history.go(-1);</script>");

\}else

arg2.doFilter(request, response);

public void init(FilterConfig config) throws ServletException \{

if(config.getInitParameter("characterParams").length()<1)

OK=false;

else

this.characterParams = config.getInitParameter("characterParams").split(",");

二。在web.xml文件中加入如下内容：

<filter-name>IllegalCharacterFilter</filter-name>

<filter-class>

com.liufeng.sys.filter.IllegalCharacterFilter

</filter-class>

<init-param>

<param-name>characterParams</param-name>

<param-value>',@</param-value>

</init-param>

</filter>

<filter-mapping>

<filter-name>IllegalCharacterFilter</filter-name>

<url-pattern>/\*</url-pattern>

</filter-mapping>

重启你的服务器就OK了。

这样，增加此过滤器后能提高网站的安全，防止SQL注入，防止跨站脚本XSS等。

转载 ：http://www.2cto.com/article/201212/174976.html

jsp过滤非法字符输入防止XSS跨站攻击

发表评论取消回复

还没有评论，来说两句吧...

相关阅读

相关 XSS(跨站脚本)攻击与预防

相关什么是跨站脚本攻击（XSS）？如何防止它？

相关防止Xss攻击

相关 jsp过滤非法字符输入防止XSS跨站攻击

相关 XSS跨站脚本攻击

相关 XSS(跨站脚本攻击)漏洞

相关 SpringMVC 跨站脚本攻击防护（防止XSS攻击）

相关 A3 跨站脚本攻击 XSS

相关 XSS（跨站脚本攻击）攻击与防御

相关 XSS跨站脚本攻击