跨站点脚本攻击

跨站点脚本攻击的过滤

pom.xml 添加:
org.owasp.antisamy
antisamy
1.4.4

web.xml添加过滤:
AntiSamyFilter
com.c2bcms.app.filter.AntiSamyFilter
excludedPages
/resources
AntiSamyFilter
/*


com.c2bcms.app.filter.AntiSamyFilter文件地址:
package com.c2bcms.app.filter;
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;

import com.c2bcms.app.components.safety.AntiSamyHttpServletRequestWrapper;

public class AntiSamyFilter implements Filter {
FilterConfig filterConfig = null;

public void init(FilterConfig filterConfig) throws ServletException {
this.filterConfig = filterConfig;
}

public void destroy() {
this.filterConfig = null;
}
@Override
public void doFilter(ServletRequest req, ServletResponse res,
FilterChain chain) throws IOException, ServletException {
// TODO Auto-generated method stub
HttpServletRequest request = (HttpServletRequest) req;
String requestUri = request.getRequestURI();
AntiSamyHttpServletRequestWrapper requestW = new AntiSamyHttpServletRequestWrapper(request);
chain.doFilter(requestW, res);
}
}

AntiSamyHttpServletRequestWrapper 调用文件:

package com.c2bcms.app.components.safety;
import java.io.UnsupportedEncodingException;
import java.util.Iterator;
import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import org.owasp.validator.html.AntiSamy;
import org.owasp.validator.html.CleanResults;
import org.owasp.validator.html.Policy;
import org.owasp.validator.html.PolicyException;
import org.owasp.validator.html.ScanException;

public class AntiSamyHttpServletRequestWrapper extends HttpServletRequestWrapper {

private static Policy policy = null;
static{
//String path = URLUtility.getClassPath(XssRequestWrapper.class)+File.separator+"antisamy-anythinggoes-1.4.4.xml";
String path =AntiSamyHttpServletRequestWrapper.class.getClassLoader().getResource("antisamy.xml").getFile();
try {
path = java.net.URLDecoder.decode(path ,"UTF-8");
} catch (UnsupportedEncodingException e1) {
e1.printStackTrace();
}
System.out.println(path);
if(path.startsWith("file")){
path = path.substring(6);
}
try {
// policy = Policy.getInstance(ClassLoader.getSystemResourceAsStream("antisamy.xml"));
policy = Policy.getInstance(path);
} catch (PolicyException e) {
e.printStackTrace();
}
}
public AntiSamyHttpServletRequestWrapper(HttpServletRequest request) {
super(request);
}
@SuppressWarnings("rawtypes")
public Map getParameterMap(){
Map request_map = super.getParameterMap();
Iterator iterator = request_map.entrySet().iterator();
System.out.println("request_map"+request_map.size());
while(iterator.hasNext()){
Map.Entry me = (Map.Entry)iterator.next();
//System.out.println(me.getKey()+":");
String[] values = (String[])me.getValue();
for(int i = 0 ; i < values.length ; i++){
System.out.println(values[i]);
values[i] = xssClean(values[i]);
}
}
return request_map;
}
public String[] getParameterValues(String paramString)
{
String[] arrayOfString1 = super.getParameterValues(paramString);
if (arrayOfString1 == null)
return null;
int i = arrayOfString1.length;
String[] arrayOfString2 = new String[i];
for (int j = 0; j < i; j++)
arrayOfString2[j] = xssClean(arrayOfString1[j]);
return arrayOfString2;
}
public String getParameter(String paramString)
{
String str = super.getParameter(paramString);
if (str == null)
return null;
return xssClean(str);
}
public String getHeader(String paramString)
{
String str = super.getHeader(paramString);
if (str == null)
return null;
return xssClean(str);
}
private String xssClean(String value) {
AntiSamy antiSamy = new AntiSamy();
try {
//CleanResults cr = antiSamy.scan(dirtyInput, policyFilePath);
//String str = StringEscapeUtils.unescapeHtml(value);
//value = java.net.URLDecoder.decode(value);
final CleanResults cr = antiSamy.scan(value, policy);
//安全的HTML输出
return cr.getCleanHTML();
} catch (ScanException e) {
e.printStackTrace();
} catch (PolicyException e) {
e.printStackTrace();
}
return value;
}
}
然后添加antisamy.xml文件

你可能感兴趣的:(跨站点脚本攻击)