XSS（跨站腳本攻擊）的緩解方案（注意：以下做法是基於正則黑名單的輸入過濾，只能作為縱深防禦的其中一層，容易被繞過，不能取代在輸出端依上下文進行的 HTML/JavaScript/URL 編碼）:
1.建立一個HttpServletRequestWrapper的包裝類,對用戶發送的請求進行包裝,對request中的參數值做XSS黑名單過濾（注意：請求體 getInputStream/getReader 以及請求頭並未被過濾）,代碼如下:
import java.util.Collections;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.regex.Pattern;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
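/**
 * Request wrapper that strips a fixed set of script-like fragments from request
 * parameters before the application reads them.
 *
 * SECURITY NOTE: this is a blacklist of a handful of regular expressions, not a
 * sanitizer. It only removes the most naive payloads and is bypassed by anything
 * the patterns below do not describe (see the comment on each one). It must not
 * be relied on as the XSS defence: every value still has to be encoded for the
 * context it is emitted into (HTML body, attribute, JavaScript, URL). The wrapper
 * also does not touch the request body exposed through getInputStream()/getReader(),
 * so JSON or XML payloads pass through unfiltered, and request headers are
 * deliberately left alone (see the note above xssEncode).
 *
 * To read an unfiltered value, call super.getParameter(...) /
 * super.getParameterValues(...) from a subclass, or unwrap via getRequest().
 */
public class XssHttpServletRequestWrapper extends HttpServletRequestWrapper {

    /**
     * Never assigned by this class (the wrapped request is available through
     * getRequest()); kept only so that same-package code referring to it still
     * compiles.
     */
    HttpServletRequest orgRequest = null;

    /*
     * All patterns are compiled once (String.replaceAll recompiles the regex on
     * every call) and share the same flags: CASE_INSENSITIVE so that e.g.
     * "JavaScript:" is caught, and DOTALL so that a payload containing a line
     * break does not slip past the .* / .*? parts. The original code applied
     * (?i) only to the tag patterns and never used DOTALL.
     */
    private static final int FLAGS = Pattern.CASE_INSENSITIVE | Pattern.DOTALL;

    /** eval(...); greedy, so it removes everything up to the LAST ')' in the value. */
    private static final Pattern EVAL_CALL =
            Pattern.compile("eval\\((.*)\\)", FLAGS);

    /** A quoted javascript: URL; replaced by an empty quoted string rather than removed. */
    private static final Pattern QUOTED_JS_URL =
            Pattern.compile("[\\\"\\\'][\\s]*javascript:(.*)[\\\"\\\']", FLAGS);

    /** Two consecutive opening script tags. */
    private static final Pattern DOUBLE_SCRIPT_OPEN =
            Pattern.compile("<script.*?>.*?<script.*?>", FLAGS);

    /** A complete script element. An unclosed opening script tag is NOT matched. */
    private static final Pattern SCRIPT_ELEMENT =
            Pattern.compile("<script.*?>.*?</script.*?>", FLAGS);

    /** An element whose opening tag contains "javascript:" and that has a closing tag. */
    private static final Pattern JS_URL_ELEMENT =
            Pattern.compile("<.*?javascript:.*?>.*?</.*?>", FLAGS);

    /**
     * An element with a whitespace-separated attribute starting with "on" and a
     * closing tag. A tag with no closing tag, or an attribute separated from
     * the tag name by "/" instead of whitespace, is NOT matched.
     */
    private static final Pattern ON_HANDLER_ELEMENT =
            Pattern.compile("<.*?\\s+on.*?>.*?</.*?>", FLAGS);

    /**
     * @param request the request to wrap; every parameter read through this
     *                wrapper is passed through xssEncode
     */
    public XssHttpServletRequestWrapper(HttpServletRequest request) {
        super(request);
    }

    /**
     * Returns the filtered value of the first parameter with the given name.
     * The name is filtered before the lookup as well; this adds no protection
     * (the application chooses the names it looks up) but is kept for
     * compatibility with the original behaviour.
     *
     * @param name parameter name
     * @return the filtered value, or null when the parameter is absent
     */
    @Override
    public String getParameter(String name) {
        String value = super.getParameter(xssEncode(name));
        return value == null ? null : xssEncode(value);
    }

    /**
     * Returns filtered copies of all values of the given parameter.
     *
     * @param name parameter name (not filtered, as in the original)
     * @return a new array of filtered values, or null when the parameter is absent
     */
    @Override
    public String[] getParameterValues(String name) {
        String[] raw = super.getParameterValues(name);
        if (raw == null) {
            return null;
        }
        // Filter into a fresh array: the original wrote into the array returned
        // by the wrapped request, which may be the container's own storage and
        // is also the documented way to obtain the unfiltered values.
        return filterAll(raw);
    }

    /**
     * Returns the whole parameter map with every value filtered. Not overriding
     * this method (as the original did) left a way to read raw values through
     * the map while getParameter/getParameterValues were filtered.
     *
     * @return an unmodifiable map of parameter name to filtered values
     */
    @Override
    public Map<String, String[]> getParameterMap() {
        Map<String, String[]> raw = super.getParameterMap();
        if (raw == null) {
            return null;
        }
        Map<String, String[]> filtered = new LinkedHashMap<String, String[]>(raw.size());
        for (Map.Entry<String, String[]> entry : raw.entrySet()) {
            String[] values = entry.getValue();
            filtered.put(entry.getKey(), values == null ? null : filterAll(values));
        }
        return Collections.unmodifiableMap(filtered);
    }

    /** Applies xssEncode to each element, returning a new array of the same length. */
    private static String[] filterAll(String[] values) {
        String[] result = new String[values.length];
        for (int i = 0; i < values.length; i++) {
            result[i] = xssEncode(values[i]);
        }
        return result;
    }

    /*
     * Header filtering (a getHeader override that applied xssEncode to the
     * header name and value) is intentionally NOT implemented. The original
     * author reported that enabling it made the application answer with
     * HTTP 406 (Not Acceptable); presumably the rewriting corrupted a
     * content-negotiation header - confirm before re-introducing it.
     */

    /**
     * Removes the blacklisted fragments from a single value. Despite the
     * original description, nothing is converted to full-width characters:
     * matches are deleted, except a quoted javascript: URL which becomes "".
     *
     * @param value raw parameter name or value; may be null
     * @return the value with all matches removed; null or empty input is returned as-is
     */
    private static String xssEncode(String value) {
        if (value == null || value.isEmpty()) {
            return value;
        }
        String out = EVAL_CALL.matcher(value).replaceAll("");
        out = QUOTED_JS_URL.matcher(out).replaceAll("\"\"");
        out = DOUBLE_SCRIPT_OPEN.matcher(out).replaceAll("");
        out = SCRIPT_ELEMENT.matcher(out).replaceAll("");
        out = JS_URL_ELEMENT.matcher(out).replaceAll("");
        out = ON_HANDLER_ELEMENT.matcher(out).replaceAll("");
        return out;
    }
}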
2.使用Filter過濾器實現對Request的過濾,代碼如下:
import java.io.IOException;import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import com.lyms.wxyl.base.wrapper.XssHttpServletRequestWrapper;
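/**
 * Servlet filter that wraps every HTTP request in XssHttpServletRequestWrapper so
 * that parameters read downstream go through its blacklist filter.
 *
 * SECURITY NOTE: the wrapper filters parameters only; request bodies read via
 * getInputStream()/getReader() and request headers are not covered, and the
 * blacklist itself is bypassable. Output encoding remains the real XSS defence.
 */
public class XssFilter implements Filter {

    /** Nothing to release: the filter holds no resources. */
    @Override
    public void destroy() {
    }

    /**
     * Wraps the request and continues the chain.
     *
     * A non-HTTP request is forwarded untouched instead of failing on the cast
     * (the original cast unconditionally).
     *
     * @throws IOException      propagated from the chain
     * @throws ServletException propagated from the chain
     */
    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        ServletRequest forwarded = request;
        if (request instanceof HttpServletRequest) {
            forwarded = new XssHttpServletRequestWrapper((HttpServletRequest) request);
        }
        chain.doFilter(forwarded, response);
    }

    /** No configuration is read; init parameters are ignored. */
    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
    }
}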
3.在web.xml中註冊Filter（url-pattern 為 /* 時會套用到所有請求路徑）,例如:
<!-- Registers XssFilter for every request path (url-pattern /*).
     NOTE(review): no <dispatcher> element is declared, so whether FORWARD/INCLUDE
     dispatches also pass through the filter follows the container default - confirm. -->
<filter><filter-name>XssFilter</filter-name>
<filter-class>包名.XssFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>XssFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
4.Filter類需要引入javax.servlet的servlet-api jar包,因此要在pom.xml配置依賴（scope 為 provided,由Servlet容器在運行時提供；下面的 3.0-alpha-1 是預發布版本,建議改用正式發布且與目標容器相符的版本）,代碼:
<!-- Servlet/JSP APIs are scoped "provided": the container supplies them at
     runtime, so they are only needed on the compile classpath. -->
<dependency><groupId>javax.servlet</groupId>
<artifactId>servlet-api</artifactId>
<version>${servlet.version}</version>
<scope>provided</scope>
</dependency>
<dependency>
<groupId>javax.servlet</groupId>
<artifactId>jsp-api</artifactId>
<version>2.0</version>
<scope>provided</scope>
</dependency>
<!-- NOTE(review): 3.0-alpha-1 is a pre-release artifact; pin a released
     servlet-api version matching the target container instead. -->
<properties>
<servlet.version>3.0-alpha-1</servlet.version>
</properties>