防止Xss攻击

- 日理万妓 2023-07-05 05:29 105阅读 0赞

原理:通过过滤request请求的paramer进行处理。

1,编写xssFilter类,

  1. public class XssFilter implements Filter {
  3.     FilterConfig filterConfig = null;
  5.     private List<String> urlExclusion = null;
  7.     public void init(FilterConfig filterConfig) throws ServletException {
  8.         this.filterConfig = filterConfig;
  9.     }
  11.     public void destroy() {
  12.         this.filterConfig = null;
  13.     }
  15.     public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
  16.         HttpServletRequest httpServletRequest = (HttpServletRequest) request;
  17.         String servletPath = httpServletRequest.getServletPath();
  19.         if (urlExclusion != null && urlExclusion.contains(servletPath)) {
  20.             chain.doFilter(request, response);
  21.         } else {
  22.             chain.doFilter(new XssHttpServletRequestWrapper((HttpServletRequest) request), response);
  23.         }
  24.     }
  26.     public List<String> getUrlExclusion() {
  27.         return urlExclusion;
  28.     }
  30.     public void setUrlExclusion(List<String> urlExclusion) {
  31.         this.urlExclusion = urlExclusion;
  32.     }

2,通过XssHttpServletRequestWrapper过滤url

  1. public class XssHttpServletRequestWrapper extends HttpServletRequestWrapper {
  3.     public XssHttpServletRequestWrapper(HttpServletRequest servletRequest) {
  5.         super(servletRequest);
  7.     }
  9.     public String[] getParameterValues(String parameter) {
  11.         String[] values = super.getParameterValues(parameter);
  13.         if (values == null) {
  15.             return null;
  17.         }
  19.         int count = values.length;
  21.         String[] encodedValues = new String[count];
  23.         for (int i = 0; i < count; i++) {
  25.             encodedValues[i] = cleanXSS(values[i]);
  27.         }
  29.         return encodedValues;
  31.     }
  33.     public String getParameter(String parameter) {
  35.         String value = super.getParameter(parameter);
  37.         if (value == null) {
  39.             return null;
  41.         }
  43.         return cleanXSS(value);
  45.     }
  47.     public String getHeader(String name) {
  49.         String value = super.getHeader(name);
  51.         if (value == null)
  53.             return null;
  55.         return cleanXSS(value);
  57.     }
  59.     private String cleanXSS(String value) {
  61.         //You'll need to remove the spaces from the html entities below
  63.         value = value.replaceAll("<", "& lt;").replaceAll(">", "& gt;");
  65.         value = value.replaceAll("\\(", "& #40;").replaceAll("\\)", "& #41;");
  67.         value = value.replaceAll("'", "& #39;");
  69.         value = value.replaceAll("eval\\((.*)\\)", "");
  71.         value = value.replaceAll("[\\\"\\\'][\\s]*javascript:(.*)[\\\"\\\']", "\"\"");
  73.         value = value.replaceAll("script", "");
  75.         return value;
  77.     }
  80. }

3,注入spring中

  1. /**
  2.      * xssFilter注册
  3.      */
  4.     @Bean
  5.     public FilterRegistrationBean xssFilterRegistration() {
  6.         XssFilter xssFilter = new XssFilter();
  7.         // 这里可以加不被xss过滤的接口
  8.         //xssFilter.setUrlExclusion(Arrays.asList("/merchants/*"));
  9.         FilterRegistrationBean registration = new FilterRegistrationBean(xssFilter);
  10.         registration.addUrlPatterns("/*");  //这里的/*指拦截所有路径
  11.         return registration;
  12.     }

注:有参考guns开源框架的实现方案。感谢guns作者。

发表评论

表情:
评论列表 (有 0 条评论,105人围观)

还没有评论,来说两句吧...

相关阅读