XSS漏洞解决方案之一:过滤器

一:web.xml文件

 
?
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
<!-- 解决xss漏洞 --> 
   < filter
     < filter-name >xssFilter</ filter-name
      < filter-class >com.baidu.rigel.sandbox.core.filter.XSSFilter</ filter-class
   </ filter
   
   <!-- 解决xss漏洞 --> 
   < filter-mapping
     < filter-name >xssFilter</ filter-name
     < url-pattern >/*</ url-pattern
   </ filter-mapping
 
   <!-- 解决xss漏洞 -->
   < filter >
     < filter-name >xssFilter</ filter-name >
      < filter-class >com.baidu.rigel.sandbox.core.filter.XSSFilter</ filter-class >
   </ filter >
 
   <!-- 解决xss漏洞 -->
   < filter-mapping >
     < filter-name >xssFilter</ filter-name >
     < url-pattern >/*</ url-pattern >
   </ filter-mapping >

 

 
 
 
 
二:过滤器:XSSFilter.java
 
 
 
?
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
package com.rigel.sandbox.core.filter; 
   
import java.io.IOException; 
   
import javax.servlet.Filter; 
import javax.servlet.FilterChain; 
import javax.servlet.FilterConfig; 
import javax.servlet.ServletException; 
import javax.servlet.ServletRequest; 
import javax.servlet.ServletResponse; 
import javax.servlet.http.HttpServletRequest; 
   
import com.rigel.sandbox.core.util.XssHttpServletRequestWrapper; 
   
public class XSSFilter implements Filter { 
   
     @Override 
     public void init(FilterConfig filterConfig) throws ServletException { 
    
   
     @Override 
     public void doFilter(ServletRequest request, ServletResponse response, 
             FilterChain chain) throws IOException, ServletException { 
   
         XssHttpServletRequestWrapper xssRequest = new XssHttpServletRequestWrapper( 
                 (HttpServletRequest) request); 
         chain.doFilter(xssRequest, response); 
    
   
     @Override 
     public void destroy() { 
    
   
 
package com.rigel.sandbox.core.filter;
 
import java.io.IOException;
 
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
 
import com.rigel.sandbox.core.util.XssHttpServletRequestWrapper;
 
public class XSSFilter implements Filter {
 
@Override
public void init(FilterConfig filterConfig) throws ServletException {
}
 
@Override
public void doFilter(ServletRequest request, ServletResponse response,
FilterChain chain) throws IOException, ServletException {
 
XssHttpServletRequestWrapper xssRequest = new XssHttpServletRequestWrapper(
(HttpServletRequest) request);
chain.doFilter(xssRequest, response);
}
 
@Override
public void destroy() {
}
 
}

 

 
 
 
 
 
 
 
三:包装器:XssHttpServletRequestWrapper.java
 
?
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
package com.rigel.sandbox.core.util; 
   
import javax.servlet.http.HttpServletRequest; 
import javax.servlet.http.HttpServletRequestWrapper; 
   
public class XssHttpServletRequestWrapper extends HttpServletRequestWrapper { 
     HttpServletRequest orgRequest = null
   
     public XssHttpServletRequestWrapper(HttpServletRequest request) { 
         super (request); 
         orgRequest = request; 
    
   
     /**
      * 覆盖getParameter方法,将参数名和参数值都做xss过滤。<br/>
      * 如果需要获得原始的值,则通过super.getParameterValues(name)来获取<br/>
      * getParameterNames,getParameterValues和getParameterMap也可能需要覆盖
      */ 
     @Override 
     public String getParameter(String name) { 
         String value = super .getParameter(xssEncode(name)); 
         if (value != null ) { 
             value = xssEncode(value); 
        
         return value; 
    
   
     /**
      * 覆盖getHeader方法,将参数名和参数值都做xss过滤。<br/>
      * 如果需要获得原始的值,则通过super.getHeaders(name)来获取<br/>
      * getHeaderNames 也可能需要覆盖
      */ 
     @Override 
     public String getHeader(String name) { 
   
         String value = super .getHeader(xssEncode(name)); 
         if (value != null ) { 
             value = xssEncode(value); 
        
         return value; 
    
   
     /**
      * 将容易引起xss漏洞的半角字符直接替换成全角字符
     
      * @param s
      * @return
      */ 
     private static String xssEncode(String s) { 
         if (s == null || s.isEmpty()) { 
             return s; 
        
         StringBuilder sb = new StringBuilder(s.length() + 16 ); 
         for ( int i = 0 ; i < s.length(); i++) { 
             char c = s.charAt(i); 
             switch (c) { 
             case '>'
                 sb.append( ">" ); // 转义大于号  
                 break
             case '<'
                 sb.append( "<" ); // 转义小于号  
                 break
             case '\''
                 sb.append( "'" ); // 转义单引号  
                 break
             case '\"'
                 sb.append( "" "); // 转义双引号  
                 break
             case '&'
                 sb.append( "&" ); // 转义&  
                 break
             default
                 sb.append(c); 
                 break
            
        
         return sb.toString(); 
    
   
     /**
      * 获取最原始的request
     
      * @return
      */ 
     public HttpServletRequest getOrgRequest() { 
         return orgRequest; 
    
   
     /**
      * 获取最原始的request的静态方法
     
      * @return
      */ 
     public static HttpServletRequest getOrgRequest(HttpServletRequest req) { 
         if (req instanceof XssHttpServletRequestWrapper) { 
             return ((XssHttpServletRequestWrapper) req).getOrgRequest(); 
        
   
         return req; 
    
}

 原文地址:http://www.2cto.com/Article/201309/247100.html

你可能感兴趣的:(XSS漏洞解决方案之一:过滤器)