java防止XSS注入的实用工具

防范XSS注入是数据写入数据库之前的必做操作,否则任由用户输入,则可导致数据库数据的注入,轻者影响数据展示,重者造成数据库崩溃

下面是项目中经常用到的处理XSS的实用方法

/** 
 * @author  李光光(编码小王子)
 * @date    2016年5月23日 下午5:24:39 
 * @version 1.0   
 */
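public class StringUtil {

	/**
	 * One keyword-mangling rule: a case-insensitive regex and the literal text that
	 * replaces every match (the keyword with a space inserted so a browser no longer
	 * recognises it as a tag, attribute or URL scheme).
	 */
	private static final class Rule {
		final java.util.regex.Pattern pattern;
		final String replacement;

		Rule(String keyword, String replacement) {
			// CASE_INSENSITIVE is the flag form of the inline "(?i)" used by the
			// original code; compiling once avoids re-parsing the regex per call.
			this.pattern = java.util.regex.Pattern.compile(keyword, java.util.regex.Pattern.CASE_INSENSITIVE);
			this.replacement = replacement;
		}
	}

	/**
	 * Rules are applied in array order, and order matters: an earlier rule can rewrite
	 * text so that a later rule never matches. Entries of the original list that were
	 * unreachable for that reason ("basefont" after "base", "ilayer" after "layer",
	 * "lowsrc" after "src", "javascript:" after "javascript") are omitted; the output
	 * for those inputs is unchanged because the earlier rule already mangles them.
	 */
	private static final Rule[] RULES = {
		// HTML tag names
		new Rule("javascript", "javascri pt"),
		new Rule("img", "im g"),
		new Rule("applet", "appl et"),
		new Rule("blink", "bli nk"),
		new Rule("frameset", "fra mes et"),
		new Rule("iframe", "ifra me"),
		new Rule("object", "obje ct"),
		new Rule("base", "ba se"),
		new Rule("body", "bo dy"),
		new Rule("head", "hea d"),
		new Rule("layer", "lay er"),
		new Rule("style", "styl e"),
		new Rule("embed", "emb ed"),
		new Rule("html", "htm l"),
		new Rule("link", "lin k"),
		new Rule("title", "tit le"),
		new Rule("bgsound", "bgsou nd"),
		new Rule("frame", "fra me"),
		new Rule("meta", "me ta"),
		// HTML attribute names that can carry a URL or a handler
		new Rule("dynsrc", "dyns rc"),
		new Rule("src", "sr c"),
		new Rule("action", "acti on"),
		new Rule("href", "hre f"),
		new Rule("background", "backgrou nd"),
		new Rule("value", "valu e"),
		new Rule("onmouse", "onmou se"),
		// URL schemes that browsers may execute or fetch from
		new Rule("vbscript:", "vbscri pt:"),
		new Rule("ms-its:", "ms-i ts:"),
		new Rule("firefoxurl:", "firefoxu rl:"),
		new Rule("mhtml:", "mht ml:"),
		new Rule("mocha:", "moch a:"),
		new Rule("data:", "dat a:"),
		new Rule("livescript:", "livescri pt:"),
		// NOTE(review): the original source had a rule here whose regex was garbled
		// in transcription to "(?i)" (the empty pattern), which inserted ">" between
		// every character of the input. The method's Javadoc names "script" as a
		// filtered keyword, so it is reconstructed as a plain script-tag rule; placed
		// last so the scheme rules above keep their original output. Confirm against
		// the original source.
		new Rule("script", "scr ipt"),
	};

	/**
	 * Mangles a fixed deny-list of HTML/JavaScript keywords (see {@link #RULES}) by
	 * inserting a space into each one, so that the stored text cannot be rendered as
	 * the corresponding tag, attribute or URL scheme.
	 * <p>
	 * Caveats a caller should know: matching is substring-based, so ordinary words that
	 * contain a keyword are altered too ("database" becomes "databa se", "ahead" becomes
	 * "ahea d"); the replacement is lower-case regardless of the input's case; and a
	 * deny-list of this kind does not cover every injection vector, so it is a
	 * defence-in-depth measure and not a replacement for context-aware output encoding
	 * (HTML-escaping) at render time.
	 *
	 * @param sourceStr text to sanitise; may be {@code null}
	 * @return {@code sourceStr} unchanged when it is {@code null}, empty or whitespace
	 *         only; otherwise a copy with every rule applied in order
	 */
	public static String preventXss(String sourceStr) {
		if (isBlank(sourceStr)) {
			return sourceStr;
		}
		String result = sourceStr;
		for (Rule rule : RULES) {
			// Replacement strings contain no '$' or '\', so no quoting is needed.
			result = rule.pattern.matcher(result).replaceAll(rule.replacement);
		}
		return result;
	}

	/**
	 * Same contract as Commons-Lang {@code StringUtils.isBlank}: true for {@code null},
	 * the empty string, or a string made only of {@link Character#isWhitespace} chars.
	 * Kept local so the class has no third-party dependency.
	 */
	private static boolean isBlank(CharSequence cs) {
		if (cs == null || cs.length() == 0) {
			return true;
		}
		for (int i = 0; i < cs.length(); i++) {
			if (!Character.isWhitespace(cs.charAt(i))) {
				return false;
			}
		}
		return true;
	}

}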

可以使用下面的方式来调用

String clearData = StringUtil.preventXss(dirtyData);



