Java Web XSS安全防御

        XSS攻击简单来讲就是攻击者在请求中巧妙地加上执行脚本，达到攻击的目的。实践过滤器方案和JSP的EL表达式+JSTL标签库方案都还可以达到防XSS攻击的目的。

一.过滤器方案

XSSFilter.java

package com.bijian.study.filter;

import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;

/**
 * Servlet Filter implementation class XSSFilter
 */
@WebFilter("/XSSFilter")
public class XSSFilter implements Filter {
    
    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
    }

    @Override
    public void destroy() {
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException,
            ServletException {

        chain.doFilter(new XSSRequestWrapper((HttpServletRequest) request), response);
    }
}

XSSRequestWrapper.java

 

package com.bijian.study.filter;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;

import org.apache.commons.lang.StringEscapeUtils;

public class XSSRequestWrapper extends HttpServletRequestWrapper {
    
    public XSSRequestWrapper(HttpServletRequest servletRequest) {
        super(servletRequest);
    }

    @Override
    public String[] getParameterValues(String parameter) {
        
        String[] values = super.getParameterValues(parameter);
        if (values == null) {
            return null;
        }
        int count = values.length;
        String[] encodedValues = new String[count];
        for (int i = 0; i < count; i++) {
            encodedValues[i] = stripXSS(values[i]);
        }
        return encodedValues;
    }

    @Override
    public String getParameter(String parameter) {
        String value = super.getParameter(parameter);
        return stripXSS(value);
    }

    @Override
    public String getHeader(String name) {
        String value = super.getHeader(name);
        return stripXSS(value);
    }

    private String stripXSS(String value) {
        value = StringEscapeUtils.escapeHtml(value); 
        value = StringEscapeUtils.escapeJavaScript(value); 
        value = StringEscapeUtils.escapeSql(value);
        return value;
    }
}

web.xml中的配置

<filter>
	<filter-name>XSSFilter</filter-name>
	<filter-class>com.bijian.study.filter.XSSFilter</filter-class>
</filter>
<filter-mapping>
	<filter-name>XSSFilter</filter-name>
	<url-pattern>*.do</url-pattern>
</filter-mapping>
<filter-mapping>
	<filter-name>XSSFilter</filter-name>
	<url-pattern>*.jsp</url-pattern>
</filter-mapping>

 

二.JSP的EL表达式+JSTL标签库方案

<%@ page language="java" contentType="text/html; charset=UTF-8" pageEncoding="UTF-8"%>
<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core"%>
<%
	String path = request.getContextPath();
	String basePath = request.getScheme() + "://" + request.getServerName() + ":" + request.getServerPort() + path + "/";
	String nameStr = request.getParameter("name");//用request得到
	request.setAttribute("nameAttr", nameStr);
%> 
<!DOCTYPE html>   
<html>   
<head>   
	<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">   
	<title>Hello</title>   
</head>   
<body>
    Hi,<c:out value="${nameAttr}"/>
	<!--  
	Hi,<%=nameStr%>
	Hi,${param.name}
	-->
</body>   
</html>

 

XSS更详细的背景及方案，请参看：http://www.cnblogs.com/flyingeagle/articles/6746732.html