
过滤xss攻击的方法:
1.XSS过滤器示例代码:
package com.devframe.filter;import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
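import java.io.IOException;

/**
 * Servlet filter that wraps every incoming HTTP request in an {@link XssHttpServletRequestWrapper}
 * so that downstream code reads XSS-filtered parameters, header values and JSON bodies.
 */
public class XssFilter implements Filter {

    @Override
    public void init(FilterConfig config) {
        // No filter configuration is read; nothing to initialise.
    }

    /**
     * Wraps the request and continues the chain.
     *
     * <p>The wrapper needs an {@link HttpServletRequest}. Instead of letting the unconditional cast
     * fail with a {@code ClassCastException}, the precondition is checked explicitly and reported
     * through the {@code ServletException} the signature already declares; the request is not
     * passed through unfiltered.
     *
     * @param request  the request to filter
     * @param response the response, passed on unchanged
     * @param chain    the remaining filter chain
     * @throws IOException      propagated from the chain
     * @throws ServletException if the request is not an HTTP request, or propagated from the chain
     */
    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        if (!(request instanceof HttpServletRequest)) {
            throw new ServletException(
                    "XssFilter requires an HttpServletRequest but got " + request.getClass().getName());
        }
        XssHttpServletRequestWrapper xssRequest =
                new XssHttpServletRequestWrapper((HttpServletRequest) request);
        chain.doFilter(xssRequest, response);
    }

    @Override
    public void destroy() {
        // Nothing to release.
    }
}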
2.request进行XSS过滤,代码:
package com.devframe.filter;

import org.apache.commons.io.IOUtils;
import org.springframework.http.HttpHeaders;
import org.springframework.http.MediaType;
import org.springframework.util.StringUtils;

import javax.servlet.ReadListener;
import javax.servlet.ServletInputStream;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;

import java.io.BufferedReader;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStreamReader;
import java.nio.charset.StandardCharsets;
import java.util.LinkedHashMap;
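import java.util.Map;

/**
 * {@link HttpServletRequestWrapper} that runs parameter names and values, header names and
 * values, and JSON request bodies through {@link HTMLFilter} before the application sees them.
 *
 * <p>Code that must work on the raw, unfiltered request can obtain it through
 * {@link #getOrgRequest()} or {@link #getOrgRequest(HttpServletRequest)}.
 */
public class XssHttpServletRequestWrapper extends HttpServletRequestWrapper {

    /** The request as received, before wrapping (for special cases that filter themselves). */
    private final HttpServletRequest orgRequest;

    /**
     * HTML filter used for all XSS encoding. {@code HTMLFilter} documents itself as not thread
     * safe, so every wrapper (i.e. every request) owns its own instance rather than sharing one
     * static filter between concurrently processed requests.
     */
    private final HTMLFilter htmlFilter = new HTMLFilter();

    /**
     * Constructs a request object wrapping the given request.
     *
     * @param request request
     * @throws IllegalArgumentException if the request is null
     */
    XssHttpServletRequestWrapper(HttpServletRequest request) throws IllegalArgumentException {
        super(request);
        orgRequest = request;
    }

    /**
     * Returns the request body, XSS-filtered when the request carries a JSON body.
     *
     * <p>Non-JSON bodies are returned untouched. A JSON body is read completely, filtered as one
     * string and served again from memory. A blank body is replayed as it was read.
     *
     * @return the (possibly filtered) body stream
     * @throws IOException if the underlying stream cannot be read
     */
    @Override
    public ServletInputStream getInputStream() throws IOException {
        if (!hasJsonBody()) {
            return super.getInputStream();
        }
        byte[] raw = IOUtils.toByteArray(super.getInputStream());
        String json = new String(raw, StandardCharsets.UTF_8);
        // Only real content goes through the filter; a blank body is replayed unchanged.
        byte[] body = StringUtils.hasText(json)
                ? xssEncode(json).getBytes(StandardCharsets.UTF_8)
                : raw;
        final ByteArrayInputStream bis = new ByteArrayInputStream(body);
        return new ServletInputStream() {
            @Override
            public boolean isFinished() {
                // Report end of data truthfully instead of a constant "true".
                return bis.available() == 0;
            }

            @Override
            public boolean isReady() {
                return true; // in-memory data never blocks
            }

            @Override
            public void setReadListener(ReadListener readListener) {
                // Not supported: the buffered body is fully available synchronously.
            }

            @Override
            public int read() {
                return bis.read();
            }

            @Override
            public int read(byte[] b, int off, int len) {
                return bis.read(b, off, len);
            }
        };
    }

    /**
     * Returns a reader over the (possibly filtered) body so that JSON read through
     * {@code getReader()} is filtered exactly like JSON read through {@link #getInputStream()}.
     *
     * @return a reader over the body; for non-JSON requests the wrapped request's own reader
     * @throws IOException if the body cannot be read
     */
    @Override
    public BufferedReader getReader() throws IOException {
        if (!hasJsonBody()) {
            return super.getReader();
        }
        return new BufferedReader(new InputStreamReader(getInputStream(), StandardCharsets.UTF_8));
    }

    /**
     * Returns the value of the named parameter, XSS-filtered. The name is filtered before the
     * lookup, so a parameter whose name contains markup is not found.
     *
     * @param name parameter name (also filtered)
     * @return the filtered value, or {@code null} if the parameter is absent
     */
    @Override
    public String getParameter(String name) {
        String value = super.getParameter(xssEncode(name));
        return StringUtils.hasText(value) ? xssEncode(value) : value;
    }

    /**
     * Returns all values of the named parameter, XSS-filtered, in a new array.
     *
     * <p>The array handed out by the wrapped request is copied instead of modified in place, so
     * the unfiltered request reachable through {@link #getOrgRequest()} keeps its original values.
     * Unlike {@link #getParameter(String)} the name is looked up unfiltered, as before.
     *
     * @param name parameter name
     * @return filtered values, or {@code null} if the parameter is absent or has no values
     */
    @Override
    public String[] getParameterValues(String name) {
        String[] parameters = super.getParameterValues(name);
        if (parameters == null || parameters.length == 0) {
            return null;
        }
        return encodeAll(parameters);
    }

    /**
     * Returns all parameters with every value XSS-filtered. Keys are not filtered. Values are
     * copied into new arrays so the wrapped request's own parameter arrays stay untouched.
     *
     * @return a new map of parameter name to filtered values, in the wrapped request's order
     */
    @Override
    public Map<String, String[]> getParameterMap() {
        Map<String, String[]> parameters = super.getParameterMap();
        Map<String, String[]> map = new LinkedHashMap<>();
        for (Map.Entry<String, String[]> entry : parameters.entrySet()) {
            map.put(entry.getKey(), encodeAll(entry.getValue()));
        }
        return map;
    }

    /**
     * Returns the named header value, XSS-filtered. The name is filtered before the lookup.
     *
     * @param name header name (also filtered)
     * @return the filtered value, or {@code null} if the header is absent
     */
    @Override
    public String getHeader(String name) {
        String value = super.getHeader(xssEncode(name));
        return StringUtils.hasText(value) ? xssEncode(value) : value;
    }

    /**
     * Returns the request as received, with no XSS filtering applied.
     *
     * @return the original request
     */
    public HttpServletRequest getOrgRequest() {
        return orgRequest;
    }

    /**
     * Unwraps the given request if it is an {@code XssHttpServletRequestWrapper}; otherwise
     * returns it unchanged. Use this where XSS filtering must explicitly be bypassed.
     *
     * @param request request, possibly wrapped
     * @return the unfiltered request
     */
    public static HttpServletRequest getOrgRequest(HttpServletRequest request) {
        if (request instanceof XssHttpServletRequestWrapper) {
            return ((XssHttpServletRequestWrapper) request).getOrgRequest();
        }
        return request;
    }

    /**
     * True when the Content-Type header names {@code application/json}, ignoring parameters such
     * as {@code ;charset=UTF-8}. A missing header is not JSON (the previous unconditional
     * {@code equalsIgnoreCase} on the header value threw a NullPointerException in that case).
     */
    private boolean hasJsonBody() {
        String contentType = super.getHeader(HttpHeaders.CONTENT_TYPE);
        if (contentType == null) {
            return false;
        }
        int paramStart = contentType.indexOf(';');
        String mediaType = (paramStart < 0 ? contentType : contentType.substring(0, paramStart)).trim();
        return MediaType.APPLICATION_JSON_VALUE.equalsIgnoreCase(mediaType);
    }

    /** Filters each element into a new array; {@code null} in, {@code null} out. */
    private String[] encodeAll(String[] values) {
        if (values == null) {
            return null;
        }
        String[] encoded = new String[values.length];
        for (int i = 0; i < values.length; i++) {
            encoded[i] = xssEncode(values[i]);
        }
        return encoded;
    }

    private String xssEncode(String input) {
        return htmlFilter.filter(input);
    }
}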
3.XSS过滤工具类,示例代码:
package com.devframe.filter;import java.util.*;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ConcurrentMap;
import java.util.logging.Logger;
import java.util.regex.Matcher;
import java.util.regex.Pattern;/**
*
* HTML filtering utility for protecting against XSS (Cross Site Scripting).
*
* This code is licensed LGPLv3
*
* This code is a Java port of the original work in PHP by Cal Hendersen.
* http://code.iamcal.com/php/lib_filter/
*
* The trickiest part of the translation was handling the differences in regex handling
* between PHP and Java. These resources were helpful in the process:
*
* http://java.sun.com/j2se/1.4.2/docs/api/java/util/regex/Pattern.html
* http://us2.php.net/manual/en/reference.pcre.pattern.modifiers.php
* http://www.regular-expressions.info/modifiers.html
*
* A note on naming conventions: instance variables are prefixed with a "v"; global
* constants are in all caps.
*
* Sample use:
* String input = ...
* String clean = new HTMLFilter().filter( input );
*
* The class is not thread safe. Create a new instance if in doubt.
*
* If you find bugs or have suggestions on improvement (especially regarding
* performance), please contact us. The latest version of this
* source, and our contact details, can be found at http://xss-html-filter.sf.net
*
* @author Joseph O'Connell
* @author Cal Hendersen
* @author Michael Semb Wever
*/
public final class HTMLFilter {/** regex flag union representing /si modifiers in php **/
private static final int REGEX_FLAGS_SI = Pattern.CASE_INSENSITIVE | Pattern.DOTALL;
// How each pattern below is applied lives in the methods of this class, outside this excerpt;
// the comments describe only what the regex text itself matches.
/** An HTML comment, {@code <!-- ... -->}, matched non-greedily and across line breaks. */
private static final Pattern P_COMMENTS = Pattern.compile("<!--(.*?)-->", Pattern.DOTALL);
/** A whole tag body that is a comment: {@code !-- ... --} from start to end of the body. */
private static final Pattern P_COMMENT = Pattern.compile("^!--(.*)--$", REGEX_FLAGS_SI);
/** Any {@code <...>} tag, non-greedy, across line breaks; group 1 is the tag body. */
private static final Pattern P_TAGS = Pattern.compile("<(.*?)>", Pattern.DOTALL);
/** Tag body of an end tag: a leading slash followed by the element name (group 1). */
private static final Pattern P_END_TAG = Pattern.compile("^/([a-z0-9]+)", REGEX_FLAGS_SI);
/** Tag body of a start tag: element name (1), attribute text (2), optional trailing slash (3). */
private static final Pattern P_START_TAG = Pattern.compile("^([a-z0-9]+)(.*?)(/?)$", REGEX_FLAGS_SI);
/** {@code name="value"} or {@code name='value'}; the back-reference \2 forces matching quotes. */
private static final Pattern P_QUOTED_ATTRIBUTES = Pattern.compile("([a-z0-9]+)=([\"'])(.*?)\\2", REGEX_FLAGS_SI);
/** {@code name=value} where the value runs up to the next quote character or whitespace. */
private static final Pattern P_UNQUOTED_ATTRIBUTES = Pattern.compile("([a-z0-9]+)(=)([^\"\\s']+)", REGEX_FLAGS_SI);
/** Leading {@code scheme:} of a URL-like value; group 1 is the scheme. */
private static final Pattern P_PROTOCOL = Pattern.compile("^([^:]+):", REGEX_FLAGS_SI);
/** Decimal digits with an optional trailing semicolon (body of a numeric entity). */
private static final Pattern P_ENTITY = Pattern.compile("(\\d+);?");
/** Hex digits with an optional trailing semicolon (body of a hex entity); compiled without
 *  CASE_INSENSITIVE, so only lower-case hex is matched here. */
private static final Pattern P_ENTITY_UNICODE = Pattern.compile("([0-9a-f]+);?");
/** A percent-encoded byte {@code %xx} (lower-case hex only, no flags) plus optional semicolon. */
private static final Pattern P_ENCODE = Pattern.compile("%([0-9a-f]{2});?");
/** An ampersand and the entity text up to the next ';', '&' or end of input (group 1). */
private static final Pattern P_VALID_ENTITIES = Pattern.compile("&([^&;]*)(?=(;|&|$))");
/** Text between two tags (or at input start/end) that contains no '<'; group 2 is the text. */
private static final Pattern P_VALID_QUOTES = Pattern.compile("(>|^)([^<]+?)(<|$)", Pattern.DOTALL);
/** A '>' at the very start of the input. */
private static final Pattern P_END_ARROW = Pattern.compile("^>");
/** A '<' and the following non-'>' text, up to (not including) the next '<' or end of input. */
private static final Pattern P_BODY_TO_END = Pattern.compile("<([^>]*?)(?=<|$)");
/** Text after a '>' (or input start) with no '<' in it, followed by another '>'. */
private static final Pattern P_XML_CONTENT = Pattern.compile("(^|>)([^<]*?)(?=>)");
/** Identical regex to P_BODY_TO_END. */
private static final Pattern P_STRAY_LEFT_ARROW = Pattern.compile("<([^>]*?)(?=<|$)");
/** Identical regex to P_XML_CONTENT. */
private static final Pattern P_STRAY_RIGHT_ARROW = Pattern.compile("(^|>)([^<]*?)(?=>)");
/** Single characters used when escaping. Note that P_QUOTE compiles "<", the same text as
 *  P_LEFT_ARROW, not a quote character; whether that is intended depends on its use below. */
private static final Pattern P_AMP = Pattern.compile("&");
private static final Pattern P_QUOTE = Pattern.compile("<");
private static final Pattern P_LEFT_ARROW = Pattern.compile("<");
private static final Pattern P_RIGHT_ARROW = Pattern.compile(">");
private static final Pattern P_BOTH_ARROWS = Pattern.compile("<>");// @xxx could grow large... maybe use sesat's ReferenceMap
private static final ConcurrentMap
P_REMOVE_PAIR_BLANKS = new ConcurrentHashMap (); private static final ConcurrentMap
P_REMOVE_SELF_BLANKS = new ConcurrentHashMap ();/** set of allowed html elements, along with allowed attributes for each element **/ private final Map
> vAllowed; /** counts of open tags for each (allowable) html element **/
private final Map
vTagCounts = new HashMap ();/** html elements which must always be self-closing (e.g. " ") **/</><>><>/** ></>") **/</><>><>/** ><>><>/** ><>><>/** ><>><>/** ></>" />") **/</><>><>/** ><>><>/** ><>><>><>><>/**</><>* ><>* >" > >"). ><>* ><>*/</><>><>*</><>*/</><>><>>();> >();</><>><>><>> >();</><>><>><>><>><>> >();</><>><>><>><>><>><>><>><>><>><>><>><>><>><>}/** ><>*</><>* @><>*/</><>><>><>><>*</><>* @><>*/</><>> ><>><>><>><>><>><>><>>>) ><>><>><>><>><>><>><>><>><>><>><>}><>><>}><>><>><>}</><>}//---------------------------------------------------------------</><>// ><>><>><>}><>><>><>><>><>>", ><>><>}//---------------------------------------------------------------</><>/**</><>* ><>* ><>*</><>* @><>* @><>*/</><>><>><>><>><>><>><>><>><>><>><>}><>><>}><>><>}><>><>><>><>><>><>}</><>><>}><>><>//</><>// ><>//</><>><>>", ><>><>//</><>// ><>//</><>><>><", ><>// >><>// (><>// ><>//</><>><>}><>}><>><>><>><>><>><>}</><>><>// (><>><>><>>";</><>}</><>}><>}><>><>><>><>>]*)?&>"));</><>}</><>><>><>>]*)?/>"));</><>}</><>><>}><>}><>><>><>}><>// ><>><>><>><>><>><>><>><>>";</><>}</><>}</><>}</><>}// ><>><>><>><>><>><>><>><>><>> >();</><>> >();</><>><>><>><>}</><>><>><>><>}><>><>><>><>// ><>// ><>><>><>}</><>><>}</><>}><>><>}><>><>}><>><>><>} ><>><>}</><>} ><>><>}</><>>";</><>} ><>><>}</><>}// ><>><>><>>";</><>}><>}><>><>><>><>><>><>// ><>><>><>><>}</><>}</><>}><>}><>><>><>><>><>><>}</><>><>><>><>><>><>><>><>}</><>><>><>><>><>><>><>><>}</><>><>><>><>}><>><>><>><>><>><>><>}</><>><>}><>><>><>><>><>>|^)</><>><>><>><>}</><>><>><>}><>><>}</><>}><>? ><>: "&" + ><>}><>><>}><>><>><>><>}</><>}</><>><>}><>><>}><>><>}</><>}</><>在>< class>
xssFilter
com.devframe.filter.XssFilter
xssFilter
/*