
Servlet Filter 技术防止XSS攻击的过滤器例子

2019-11-06 08:37:34
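import java.io.IOException;
import java.util.regex.Pattern;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;

/**
 * Servlet filter that wraps every request in a {@link ParkingXssHttpServletRequestWrapper}
 * so that parameter and header values are run through its sanitizer before the
 * application sees them.
 *
 * Requests whose URI fully matches one of the {@code *_REG} patterns are passed
 * through untouched. The handlers behind those four endpoints therefore receive
 * raw client input and are responsible for their own output encoding; keep this
 * allow-list as short as possible.
 *
 * Note: the copy of this class on the page had its backslashes turned into
 * forward slashes and some constant names re-cased ({@code ALipAY_REG} vs the
 * referenced {@code ALIPAY_REG}); both have been restored here so the class compiles.
 */
public class ParkingXssFilter implements Filter {

    /** Stored by {@link #init(FilterConfig)} and cleared by {@link #destroy()}; not otherwise used. */
    FilterConfig filterConfig = null;

    // Request URIs exempted from sanitization. The dot before "action" is escaped
    // on purpose: an unescaped '.' would also let "/pms/mobile/x/action" or
    // "/pms/mobile/xZaction" bypass the wrapper, which is not the intent of a
    // pass-through allow-list.
    public static final String MOBILE_REG = "/pms/mobile/\\w{1,}\\.action";
    public static final String ALIPAY_REG = "/pms/fuwuchuang/\\w{1,}\\.action";
    public static final String WEIXIN_REG = "/pms/weixin/\\w{1,}\\.action";
    public static final String REMOTE_REG = "/pms/parkRemoteService/\\w{1,}\\.action";

    // Compiled once for the lifetime of the class rather than per filter instance.
    private static final Pattern[] EXEMPT_PATTERNS = {
        Pattern.compile(MOBILE_REG),
        Pattern.compile(ALIPAY_REG),
        Pattern.compile(WEIXIN_REG),
        Pattern.compile(REMOTE_REG),
    };

    /**
     * Default constructor.
     */
    public ParkingXssFilter() {
    }

    /**
     * @see Filter#destroy()
     */
    @Override
    public void destroy() {
        this.filterConfig = null;
    }

    /**
     * Passes the request down the chain, wrapped in the XSS sanitizer unless its
     * URI is one of the exempted service endpoints.
     *
     * @param request  the incoming request; cast to {@link HttpServletRequest}
     *                 unconditionally, as in the original, so this filter must
     *                 only be mapped to HTTP requests
     * @param response the response, passed through unchanged
     * @param chain    the remaining filter chain
     * @throws IOException      propagated from the chain
     * @throws ServletException propagated from the chain
     * @see Filter#doFilter(ServletRequest, ServletResponse, FilterChain)
     */
    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest httpRequest = (HttpServletRequest) request;
        // 某些特殊接口跳转不需要被跨脚本工具处理
        // (a few service endpoints are not put through the XSS wrapper)
        if (isExemptUri(httpRequest.getRequestURI())) {
            chain.doFilter(request, response);
        } else {
            chain.doFilter(new ParkingXssHttpServletRequestWrapper(httpRequest), response);
        }
    }

    /**
     * Returns whether the whole request URI matches one of the exempt patterns.
     *
     * {@code matches()} requires a full match, so a URI with extra path segments,
     * a trailing slash or a ";jsessionid=" path parameter is NOT exempt and is
     * sanitized — the safe direction. The raw URI is used without normalization;
     * with {@code \\w{1,}} as the only variable part this cannot match a URI
     * containing "..", "/" or "%" in that position.
     *
     * @param requestUri the value of {@link HttpServletRequest#getRequestURI()}
     * @return {@code true} if the URI is allow-listed for pass-through
     */
    private static boolean isExemptUri(String requestUri) {
        for (Pattern exempt : EXEMPT_PATTERNS) {
            if (exempt.matcher(requestUri).matches()) {
                return true;
            }
        }
        return false;
    }

    /**
     * @see Filter#init(FilterConfig)
     */
    @Override
    public void init(FilterConfig fConfig) throws ServletException {
        this.filterConfig = fConfig;
    }
}
///////////////////////////////////////////////////////////
import java.util.regex.Pattern;
import javax.servlet.http.HttpServletRequest;
import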
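javax.servlet.http.HttpServletRequestWrapper;

/**
 * Request wrapper that runs {@link #cleanXSS(String)} over the parameter and
 * header values it hands to the application.
 *
 * Only {@link #getParameter}, {@link #getParameterValues} and {@link #getHeader}
 * are overridden: {@code getParameterMap()}, {@code getHeaders(String)}, the
 * query string and the request body still return raw client data. The sanitizer
 * is an input-side blacklist; it is not a substitute for context-aware output
 * encoding (e.g. the commented-out {@code StringEscapeUtils.escapeHtml4}) where
 * the values are rendered.
 *
 * Note: the copy of this class on the page had its backslashes turned into
 * forward slashes, lost the NUL literal in the "null characters" step, and had
 * a soft hyphen inside the word "expression"; all are restored here.
 */
public class ParkingXssHttpServletRequestWrapper extends HttpServletRequestWrapper {

    // Compiled once instead of on every cleanXSS call.
    //
    // Ordering matters in cleanXSS: '<', '>', '(', ')' and '\'' are entity-encoded
    // before these patterns run, so every pattern that needs one of those raw
    // characters (script tags, eval(...), expression(...), src='...') can no
    // longer match anything by the time it is applied. They are kept for
    // compatibility with the original behaviour; the steps that still do work
    // on real input are the entity encoding, NUL removal, "javascript:" removal,
    // src="..." removal and the "onload...=" removal.
    private static final Pattern SCRIPT_BLOCK =
            Pattern.compile("<script>(.*?)</script>", Pattern.CASE_INSENSITIVE);
    private static final Pattern SRC_SINGLE_QUOTED =
            Pattern.compile("src[\r\n]*=[\r\n]*'(.*?)'",
                    Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
    private static final Pattern SRC_DOUBLE_QUOTED =
            Pattern.compile("src[\r\n]*=[\r\n]*\"(.*?)\"",
                    Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
    private static final Pattern SCRIPT_CLOSE =
            Pattern.compile("</script>", Pattern.CASE_INSENSITIVE);
    private static final Pattern SCRIPT_OPEN =
            Pattern.compile("<script(.*?)>",
                    Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
    private static final Pattern EVAL_CALL =
            Pattern.compile("eval\\((.*?)\\)",
                    Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
    private static final Pattern EXPRESSION_CALL =
            Pattern.compile("expression\\((.*?)\\)",
                    Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
    private static final Pattern JAVASCRIPT_SCHEME =
            Pattern.compile("javascript:", Pattern.CASE_INSENSITIVE);
    // Unanchored: also strips the "onload=" inside e.g. "download=", and with
    // DOTALL removes everything from "onload" up to the next '=' in the value.
    private static final Pattern ONLOAD_ATTR =
            Pattern.compile("onload(.*?)=",
                    Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);

    /**
     * @param request the request to wrap
     */
    public ParkingXssHttpServletRequestWrapper(HttpServletRequest request) {
        super(request);
    }

    /**
     * @return the sanitized values of the parameter, or {@code null} if it is absent
     */
    @Override
    public String[] getParameterValues(String parameter) {
        String[] rawValues = super.getParameterValues(parameter);
        if (rawValues == null) {
            return null;
        }
        String[] cleaned = new String[rawValues.length];
        for (int i = 0; i < rawValues.length; i++) {
            cleaned[i] = cleanXSS(rawValues[i]);
        }
        return cleaned;
    }

    /**
     * @return the sanitized first value of the parameter, or {@code null} if it is absent
     */
    @Override
    public String getParameter(String parameter) {
        String rawValue = super.getParameter(parameter);
        return rawValue == null ? null : cleanXSS(rawValue);
    }

    /**
     * @return the sanitized header value, or {@code null} if the header is absent
     */
    @Override
    public String getHeader(String name) {
        String rawValue = super.getHeader(name);
        return rawValue == null ? null : cleanXSS(rawValue);
    }

    /**
     * Entity-encodes {@code < > ( ) '} and strips a fixed list of script-like
     * fragments from a single value.
     *
     * Known gaps, left unchanged to preserve behaviour: the double quote is not
     * encoded, event handlers other than "onload" are not touched, and the value
     * is mutated on the way in, so data stored from here is already HTML-encoded
     * and will be double-encoded by a correct output encoder.
     *
     * @param value a non-null parameter or header value
     * @return the sanitized value
     */
    static String cleanXSS(String value) {
        // You'll need to remove the spaces from the html entities below
        /*try {
            value = URLDecoder.decode(value, "UTF-8");
        } catch (UnsupportedEncodingException e) {
            PmsLogRecord.logException(e);
        }*/
        value = value.replace("<", "&lt;").replace(">", "&gt;");
        value = value.replace("(", "&#40;").replace(")", "&#41;");
        value = value.replace("'", "&#39;");
        value = value.replaceAll("eval\\((.*)\\)", "");

        // Avoid null characters (the NUL literal was lost in the page's copy; restored)
        value = value.replace("\0", "");

        // Avoid anything between script tags
        value = SCRIPT_BLOCK.matcher(value).replaceAll("");

        // Avoid anything in a src='...' type of expression
        value = SRC_SINGLE_QUOTED.matcher(value).replaceAll("");
        value = SRC_DOUBLE_QUOTED.matcher(value).replaceAll("");

        // Remove any lonesome </script> tag
        value = SCRIPT_CLOSE.matcher(value).replaceAll("");

        // Remove any lonesome <script ...> tag
        value = SCRIPT_OPEN.matcher(value).replaceAll("");

        // Avoid eval(...) expressions
        value = EVAL_CALL.matcher(value).replaceAll("");

        // Avoid expression(...) expressions
        value = EXPRESSION_CALL.matcher(value).replaceAll("");

        // Avoid javascript:... expressions
        value = JAVASCRIPT_SCHEME.matcher(value).replaceAll("");

        // Avoid onload= expressions
        value = ONLOAD_ATTR.matcher(value).replaceAll("");

        return value; //StringEscapeUtils.escapeHtml4(value);
    }
}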