预防XSS攻击

开发时间 2016-03-02日

项目地点:深圳

开发人员 yekang

 

在web.xml中配置过滤器

 <!--  <filter>

  <filter-name>XSSFilter</filter-name>

  <filter-class> com.palic.elis.ceis.common.filter.XssFilter</filter-class>

 </filter>

 <filter-mapping>

  <filter-name>XSSFilter</filter-name> 

  <url-pattern>/*</url-pattern>

 </filter-mapping>   -->

 

创建类

package com.palic.elis.ceis.common.filter;

import java.io.IOException;
import java.util.LinkedHashMap;
import java.util.Map;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;

public class XssFilter implements Filter {
 // XSS处理Map
 private static Map<String, String> xssMap = new LinkedHashMap<String, String>();

 @Override
 public void destroy() {
 }

 @Override
 public void doFilter(ServletRequest request, ServletResponse response,
   FilterChain chain) throws IOException, ServletException {
  // TODO Auto-generated method stub
  // 强制类型转换 HttpServletRequest
  HttpServletRequest httpReq = (HttpServletRequest) request;
  // 构造HttpRequestWrapper对象处理XSS
  HttpRequestWrapper httpReqWarp = new HttpRequestWrapper(httpReq, xssMap);
  //
  chain.doFilter(httpReqWarp, response);
 }

 @Override
 public void init(FilterConfig filterConfig) throws ServletException {
  // 含有脚本: script
  xssMap.put("[s|S][c|C][r|R][i|I][p|P][t|T]", "");
  // 含有脚本 javascript
  xssMap.put(
    "[\\\"\\\'][\\s]*[j|J][a|A][v|V][a|A][s|S][c|C][r|R][i|I][p|P][t|T]:(.*)[\\\"\\\']",
    "\"\"");
  // 含有函数: eval
  xssMap.put("[e|E][v|V][a|A][l|L]\\((.*)\\)", "");
  // 含有符号 <
  xssMap.put("<", "&lt;");
  // 含有符号 >
  xssMap.put(">", "&gt;");
  // 含有符号 (
  xssMap.put("\\(", "(");
  System.out.println("1111111111111");
  // 含有符号 )
  xssMap.put("\\)", ")");
  // 含有符号 '
  xssMap.put("'", "'");
  // 含有符号 "
  xssMap.put("\"", "\"");
  System.out.println("22222222222222");
 }
}

 

创建类

 

 

package com.palic.elis.ceis.common.filter;

import java.util.Map;
import java.util.Set;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;

public class HttpRequestWrapper extends HttpServletRequestWrapper {
 private Map<String, String> xssMap;

 
 public HttpRequestWrapper(HttpServletRequest Request) {
  super(Request);
 }

 public HttpRequestWrapper(HttpServletRequest request,
   Map<String, String> xssMap) {
  super(request);
  this.xssMap = xssMap;
 }

 @Override
 public String[] getParameterValues(String parameter) {
  
  String[] values = super.getParameterValues(parameter);
  if (values == null||values.length == 0) {
   return null;
  }
  // 遍历每一个参数,检查是否含有
  
  for (int i = 0; i < values.length; i++) {
   values[i] = cleanXSS(values[i]);
  }
  return values;
 }
 public String getParameter(String parameter) {
 
  String value = super.getParameter(parameter);
  if (value == null) {
   return null;
  }
  return cleanXSS(value);

 }

 public String getHeader(String name) {
  
  String value = super.getHeader(name);
  if (value == null)
   return null;
  return cleanXSS(value);
 }

 private String cleanXSS(String value) {
  
  Set<String> keySet = xssMap.keySet();
  for (String key : keySet) {
   String v = xssMap.get(key);
   value = value.replaceAll(key, v);
  }
  return value;
 }

}

 

你可能感兴趣的:(预防XSS攻击)