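/**
 * @Description Best-effort removal of common script-injection (XSS) fragments from untrusted text.
 *              This is a deny-list filter: it removes a fixed set of known-dangerous tokens and
 *              does not recognise encoded or otherwise obfuscated variants, so it must not be the
 *              only defence. Apply context-aware output encoding (HTML body, attribute, JavaScript,
 *              URL) where the value is rendered; this method only reduces the obvious cases.
 * @param value
 *              content to be filtered; may be {@code null}
 * @return the input with NUL characters, {@code <script>} blocks and lone tags, {@code src='...'}
 *         and {@code src="..."} attributes, {@code eval(...)}, {@code expression(...)},
 *         {@code javascript:} and {@code vbscript:} schemes and {@code onload=} handlers removed
 *         (all matched case-insensitively), or {@code null} when {@code value} is {@code null}
 */
public String strip( String value ) {
   if ( value == null ) {
      return null;
   }

   // NOTE: It's highly recommended to use the ESAPI library and uncomment the following line to
   // avoid encoded attacks.
   // value = ESAPI.encoder().canonicalize(value);

   // Remove NUL characters first. Some HTML parsers ignore NUL bytes, so a NUL inside a keyword
   // would otherwise defeat every pattern below. The original used an empty regex here, which
   // matched nothing; a literal replace of "\0" is what the comment intended.
   String rlt = value.replace("\0", "");

   // Patterns are applied in this order and are all case-insensitive. DOTALL lets the lazy groups
   // span line breaks; without it a multi-line <script> body survived the first pattern and only
   // the tags were removed later. They are compiled on every call, as in the original; hoist them
   // to static final fields if this runs on a hot path.
   int spanning = Pattern.CASE_INSENSITIVE | Pattern.DOTALL;
   Pattern[] patterns = {
      // Anything between <script ...> and </script>
      Pattern.compile("<script[^>]*>(.*?)</script>", spanning),
      // Anything in a src='...' or src="..." expression; whitespace of any kind around '='
      Pattern.compile("src\\s*=\\s*'(.*?)'", spanning),
      Pattern.compile("src\\s*=\\s*\"(.*?)\"", spanning),
      // Any lonesome </script> tag
      Pattern.compile("</script>", Pattern.CASE_INSENSITIVE),
      // Any lonesome <script ...> tag
      Pattern.compile("<script(.*?)>", spanning),
      // eval(...) and expression(...) calls
      Pattern.compile("eval\\((.*?)\\)", spanning),
      Pattern.compile("expression\\((.*?)\\)", spanning),
      // javascript: and vbscript: URL schemes
      Pattern.compile("javascript:", Pattern.CASE_INSENSITIVE),
      Pattern.compile("vbscript:", Pattern.CASE_INSENSITIVE),
      // onload=... event handlers
      Pattern.compile("onload(.*?)=", spanning)
   };

   for ( Pattern pattern : patterns ) {
      rlt = pattern.matcher(rlt).replaceAll("");
   }

   return rlt;
}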