开发时间 2016-03-02日
项目地点:深圳
开发人员 yekang
在 web.xml 中配置过滤器（注意：下面的示例整体被 <!-- --> 注释掉了，照抄不会生效；实际启用时需去掉注释，并确认 url-pattern 覆盖了所有需要防护的入口）
<!-- <filter>
<filter-name>XSSFilter</filter-name>
<filter-class> com.palic.elis.ceis.common.filter.XssFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>XSSFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping> -->
创建过滤器类 XssFilter（在 init() 中登记"正则 → 替换串"规则，在 doFilter() 中用 HttpRequestWrapper 包装请求）
package com.palic.elis.ceis.common.filter;
import java.io.IOException;
import java.util.LinkedHashMap;
import java.util.Map;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
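public class XssFilter implements Filter {
    /**
     * Ordered "regex -> replacement" rules applied by HttpRequestWrapper.cleanXSS to every
     * parameter and header value read through the wrapper. Insertion order matters: the
     * script/eval removals run before the character escaping below. Filled once in init()
     * and only read afterwards.
     *
     * NOTE(review): this is a blacklist-style input sanitizer. It is bypassable (e.g. a
     * payload that is HTML-entity or URL encoded, or "scrscriptipt" which becomes "script"
     * after one pass) and it also mangles legitimate input such as a quote in a name.
     * The dependable XSS defense is context-aware output encoding in the view layer;
     * keep this filter as defense in depth, not as the only control.
     */
    private static Map<String, String> xssMap = new LinkedHashMap<String, String>();

    @Override
    public void destroy() {
        // Nothing to release; the static rule table lives for the container's lifetime.
    }

    /**
     * Wraps each HTTP request so that parameter and header reads pass through the rules.
     * A non-HTTP request is forwarded untouched instead of failing on the cast.
     */
    @Override
    public void doFilter(ServletRequest request, ServletResponse response,
            FilterChain chain) throws IOException, ServletException {
        if (!(request instanceof HttpServletRequest)) {
            chain.doFilter(request, response);
            return;
        }
        HttpServletRequest httpReq = (HttpServletRequest) request;
        chain.doFilter(new HttpRequestWrapper(httpReq, xssMap), response);
    }

    /**
     * Registers the rules. Re-running init() is harmless: the same keys are re-put.
     * Replacement strings must not contain '$' or '\' because they are fed to
     * String.replaceAll, which treats those as group references.
     */
    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
        // Remove the word "script", case-insensitively. "(?i)" replaces the original
        // "[s|S][c|C]..." classes, which also matched a literal '|' in each position.
        xssMap.put("(?i)script", "");
        // A quoted "javascript:" URL becomes an empty quoted string. The greedy (.*) spans
        // up to the LAST quote in the value, so everything in between is removed too.
        xssMap.put("(?i)[\"'][\\s]*javascript:(.*)[\"']", "\"\"");
        // Drop eval(...) calls (same greedy caveat as above).
        xssMap.put("(?i)eval\\((.*)\\)", "");
        // HTML-escape the characters that open tags, attributes and calls. The original
        // listing mapped each of these to itself ("<" -> "<"), which is a no-op and left
        // the input unescaped; the entities were most likely lost when the page was rendered.
        xssMap.put("<", "&lt;");
        xssMap.put(">", "&gt;");
        xssMap.put("\\(", "&#40;");
        xssMap.put("\\)", "&#41;");
        xssMap.put("'", "&#39;");
        xssMap.put("\"", "&quot;");
    }
}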
创建请求包装类 HttpRequestWrapper（对通过它读取到的参数值和请求头值逐条应用上述规则）
package com.palic.elis.ceis.common.filter;
import java.util.Collections;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Set;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
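/**
 * Request wrapper that runs every parameter and header value through an ordered
 * "regex -> replacement" rule table before handing it to the application.
 *
 * Coverage: getParameter, getParameterValues, getParameterMap and getHeader(String).
 * Not covered (read straight from the underlying request): getHeaders(String),
 * getQueryString, and the request body (getInputStream/getReader), so JSON/XML
 * payloads are not sanitized by this wrapper.
 */
public class HttpRequestWrapper extends HttpServletRequestWrapper {
    /** Ordered rules; null when the one-argument constructor is used (values pass through). */
    private Map<String, String> xssMap;

    /**
     * Wraps the request with no rules. Previously this constructor left xssMap null and the
     * first getParameter/getHeader call threw a NullPointerException; now values are
     * returned unchanged.
     */
    public HttpRequestWrapper(HttpServletRequest Request) {
        super(Request);
    }

    /**
     * @param request the request to wrap
     * @param xssMap  ordered regex -> replacement rules applied in iteration order
     */
    public HttpRequestWrapper(HttpServletRequest request,
            Map<String, String> xssMap) {
        super(request);
        this.xssMap = xssMap;
    }

    /**
     * Returns cleaned copies of all values for {@code parameter}, or null when the
     * parameter is absent or has no values.
     */
    @Override
    public String[] getParameterValues(String parameter) {
        String[] raw = super.getParameterValues(parameter);
        if (raw == null || raw.length == 0) {
            return null;
        }
        return cleanAll(raw);
    }

    /** Returns the cleaned first value for {@code parameter}, or null when absent. */
    @Override
    public String getParameter(String parameter) {
        String value = super.getParameter(parameter);
        if (value == null) {
            return null;
        }
        return cleanXSS(value);
    }

    /**
     * Returns a cleaned, unmodifiable copy of the parameter map. Without this override,
     * code that reads parameters via getParameterMap() (data-binding frameworks commonly
     * do) would bypass the rules entirely, because HttpServletRequestWrapper delegates the
     * call straight to the underlying request.
     */
    @Override
    public Map<String, String[]> getParameterMap() {
        Map<String, String[]> original = super.getParameterMap();
        if (original == null) {
            return null;
        }
        Map<String, String[]> cleaned = new LinkedHashMap<String, String[]>();
        for (Map.Entry<String, String[]> entry : original.entrySet()) {
            String[] values = entry.getValue();
            cleaned.put(entry.getKey(), values == null ? null : cleanAll(values));
        }
        return Collections.unmodifiableMap(cleaned);
    }

    /** Returns the cleaned header value, or null when the header is absent. */
    @Override
    public String getHeader(String name) {
        String value = super.getHeader(name);
        if (value == null) {
            return null;
        }
        return cleanXSS(value);
    }

    /**
     * Cleans every element into a NEW array. The array returned by the container may be
     * its internal one; writing cleaned values into it (as the original code did) would
     * silently mutate the container's own parameter storage.
     */
    private String[] cleanAll(String[] values) {
        String[] out = new String[values.length];
        for (int i = 0; i < values.length; i++) {
            out[i] = cleanXSS(values[i]);
        }
        return out;
    }

    /**
     * Applies the rules in map order. Each rule key is a regex and each value a
     * replacement string as understood by String.replaceAll (so '$' and '\' in a
     * replacement are special). Null input and a missing/empty rule table pass through.
     */
    private String cleanXSS(String value) {
        if (value == null || xssMap == null || xssMap.isEmpty()) {
            return value;
        }
        String result = value;
        for (Map.Entry<String, String> rule : xssMap.entrySet()) {
            result = result.replaceAll(rule.getKey(), rule.getValue());
        }
        return result;
    }
}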