天天看點
傳回

防止XSS攻擊Filter

今天系統使用IBM的安全漏洞掃描工具掃描出一堆漏洞,下面的filter主要是解決防止SQL注入和XSS攻擊

一個是Filter負責将請求的request包裝一下。

一個是request包裝器,負責過濾掉非法的字元。

将這個過濾器配置上以後,世界總算清淨多了。。

代碼如下:

import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;

/**
 * <code>{@link CharLimitFilter}</code>
 *
 * 攔截防止sql注入
 *
 * @author Administrator
 */
public class XssFilter implements Filter {


	/* (non-Javadoc)
	 * @see javax.servlet.Filter#doFilter(javax.servlet.ServletRequest, javax.servlet.ServletResponse, javax.servlet.FilterChain)
	 */
	public void doFilter(ServletRequest request, ServletResponse response, FilterChain filterChain) throws IOException,
			ServletException {
		
			XssHttpServletRequestWrapper xssRequest = new XssHttpServletRequestWrapper(
			(HttpServletRequest) request);
			filterChain.doFilter(xssRequest, response);
		
	}

}

包裝器:

/**
 * <code>{@link XssHttpServletRequestWrapper}</code>
 *
 * TODO : document me
 *
 * @author Administrator
 */
public class XssHttpServletRequestWrapper extends HttpServletRequestWrapper {
	HttpServletRequest orgRequest = null;

	public XssHttpServletRequestWrapper(HttpServletRequest request) {
		super(request);
		orgRequest = request;
	}

	/**
	* 覆寫getParameter方法,将參數名和參數值都做xss過濾。<br/>
	* 如果需要獲得原始的值,則通過super.getParameterValues(name)來擷取<br/>
	* getParameterNames,getParameterValues和getParameterMap也可能需要覆寫
	*/
	@Override
	public String getParameter(String name) {
		String value = super.getParameter(xssEncode(name));
		if (value != null) {
			value = xssEncode(value);
		}
		return value;
	}

	/**
	* 覆寫getHeader方法,将參數名和參數值都做xss過濾。<br/>
	* 如果需要獲得原始的值,則通過super.getHeaders(name)來擷取<br/>
	* getHeaderNames 也可能需要覆寫
	*/
	@Override
	public String getHeader(String name) {

		String value = super.getHeader(xssEncode(name));
		if (value != null) {
			value = xssEncode(value);
		}
		return value;
	}

	/**
	* 将容易引起xss漏洞的半角字元直接替換成全角字元
	*
	* @param s
	* @return
	*/
	private static String xssEncode(String s) {
		if (s == null || "".equals(s)) {
			return s;
		}
		StringBuilder sb = new StringBuilder(s.length() + 16);
		for (int i = 0; i < s.length(); i++) {
			char c = s.charAt(i);
			switch (c) {
			case '>':
				sb.append('>');//全角大于号
				break;
			case '<':
				sb.append('<');//全角小于号
				break;
			case '\'':
				sb.append('‘');//全角單引号
				break;
			case '\"':
				sb.append('“');//全角雙引号
				break;
			case '&':
				sb.append('&');//全角
				break;
			case '\\':
				sb.append('\');//全角斜線
				break;
			case '#':
				sb.append('#');//全角井号
				break;
			default:
				sb.append(c);
				break;
			}
		}
		return sb.toString();
	}

	/**
	* 擷取最原始的request
	*
	* @return
	*/
	public HttpServletRequest getOrgRequest() {
		return orgRequest;
	}

	/**
	* 擷取最原始的request的靜态方法
	*
	* @return
	*/
	public static HttpServletRequest getOrgRequest(HttpServletRequest req) {
		if (req instanceof XssHttpServletRequestWrapper) {
			return ((XssHttpServletRequestWrapper) req).getOrgRequest();
		}

		return req;
	}

}
java工具類 java
上一篇: Unable to find script library '/aspnet_client/system-web/1-1-4322/webvalidation.js'
下一篇: SpringBoot 防止sql注入及xss等惡意攻擊SpringBoot 防止sql注入及xss等惡意攻擊

繼續閱讀