Java Web XSS安全防御

阅读更多

        XSS攻击简单来讲就是攻击者在请求中巧妙地加上执行脚本，达到攻击的目的。实践过滤器方案和JSP的EL表达式+JSTL标签库方案都还可以达到防XSS攻击的目的。

一.过滤器方案

XSSFilter.java

package com.bijian.study.filter;

import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;

/**
 * Servlet Filter implementation class XSSFilter
 */
@WebFilter("/XSSFilter")
public class XSSFilter implements Filter {
    
    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
    }

    @Override
    public void destroy() {
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException,
            ServletException {

        chain.doFilter(new XSSRequestWrapper((HttpServletRequest) request), response);
    }
}

XSSRequestWrapper.java

 

package com.bijian.study.filter;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;

import org.apache.commons.lang.StringEscapeUtils;

public class XSSRequestWrapper extends HttpServletRequestWrapper {
    
    public XSSRequestWrapper(HttpServletRequest servletRequest) {
        super(servletRequest);
    }

    @Override
    public String[] getParameterValues(String parameter) {
        
        String[] values = super.getParameterValues(parameter);
        if (values == null) {
            return null;
        }
        int count = values.length;
        String[] encodedValues = new String[count];
        for (int i = 0; i < count; i++) {
            encodedValues[i] = stripXSS(values[i]);
        }
        return encodedValues;
    }

    @Override
    public String getParameter(String parameter) {
        String value = super.getParameter(parameter);
        return stripXSS(value);
    }

    @Override
    public String getHeader(String name) {
        String value = super.getHeader(name);
        return stripXSS(value);
    }

    private String stripXSS(String value) {
        value = StringEscapeUtils.escapeHtml(value); 
        value = StringEscapeUtils.escapeJavaScript(value); 
        value = StringEscapeUtils.escapeSql(value);
        return value;
    }
}

web.xml中的配置

	XSSFilter
	com.bijian.study.filter.XSSFilter


	XSSFilter
	*.do


	XSSFilter
	*.jsp

 

二.JSP的EL表达式+JSTL标签库方案

<%@ page language="java" contentType="text/html; charset=UTF-8" pageEncoding="UTF-8"%>
<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core"%>
<%
	String path = request.getContextPath();
	String basePath = request.getScheme() + "://" + request.getServerName() + ":" + request.getServerPort() + path + "/";
	String nameStr = request.getParameter("name");//用request得到
	request.setAttribute("nameAttr", nameStr);
%> 
   
   
   
	   
	   
   

    Hi,
	
   

 

XSS更详细的背景及方案，请参看：http://www.cnblogs.com/flyingeagle/articles/6746732.html

• SpringMVC.zip (9.2 MB)
• 下载次数: 3