这是为Java Web应用程序编写的一个好简单的反跨站点脚本(XSS)过滤器。 它的主要作用是从请求参数中删除所有可疑字符串,然后将其返回给应用程序。 这是我以前关于该主题的帖子的改进。
您应该将其配置为链(web.xml)中的第一个过滤器,通常最好让它捕获对您站点的所有请求。
实际的实现包括两个类,实际的过滤器非常简单,它将HTTP请求对象包装在一个专门的HttpServletRequestWrapper中,它将执行我们的过滤。
public class XSSFilter implements Filter {@Overridepublic void init(FilterConfig filterConfig) throws ServletException {}@Overridepublic void destroy() {}@Overridepublic void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)throws IOException, ServletException {chain.doFilter(new XSSRequestWrapper((HttpServletRequest) request), response);}}包装程序将覆盖getParameterValues(),getParameter()和getHeader()方法,以在将所需字段返回给调用方之前执行过滤。 实际的XSS检查和剥离是在stripXSS()私有方法中执行的。
import java.util.regex.Pattern;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;public class XSSRequestWrapper extends HttpServletRequestWrapper {public XSSRequestWrapper(HttpServletRequest servletRequest) {super(servletRequest);}@Overridepublic String[] getParameterValues(String parameter) {String[] values = super.getParameterValues(parameter);if (values == null) {return null;}int count = values.length;String[] encodedValues = new String[count];for (int i = 0; i < count; i++) {encodedValues[i] = stripXSS(values[i]);}return encodedValues;}@Overridepublic String getParameter(String parameter) {String value = super.getParameter(parameter);return stripXSS(value);}@Overridepublic String getHeader(String name) {String value = super.getHeader(name);return stripXSS(value);}private String stripXSS(String value) {if (value != null) {// NOTE: It's highly recommended to use the ESAPI library and uncomment the following line to// avoid encoded attacks.// value = ESAPI.encoder().canonicalize(value);// Avoid null charactersvalue = value.replaceAll("", "");// Avoid anything between script tagsPattern scriptPattern = Pattern.compile("<script>(.*?)</script>", Pattern.CASE_INSENSITIVE);value = scriptPattern.matcher(value).replaceAll("");// Avoid anything in a src='...' type of expressionscriptPattern = Pattern.compile("src[\r\n]*=[\r\n]*\\\'(.*?)\\\'", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);value = scriptPattern.matcher(value).replaceAll("");scriptPattern = Pattern.compile("src[\r\n]*=[\r\n]*\\\"(.*?)\\\"", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);value = scriptPattern.matcher(value).replaceAll("");// Remove any lonesome </script> tagscriptPattern = Pattern.compile("</script>", Pattern.CASE_INSENSITIVE);value = scriptPattern.matcher(value).replaceAll("");// Remove any lonesome <script ...> tagscriptPattern = Pattern.compile("<script(.*?)>", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);value = scriptPattern.matcher(value).replaceAll("");// Avoid eval(...) expressionsscriptPattern = Pattern.compile("eval\\((.*?)\\)", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);value = scriptPattern.matcher(value).replaceAll("");// Avoid expression(...) expressionsscriptPattern = Pattern.compile("expression\\((.*?)\\)", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);value = scriptPattern.matcher(value).replaceAll("");// Avoid javascript:... expressionsscriptPattern = Pattern.compile("javascript:", Pattern.CASE_INSENSITIVE);value = scriptPattern.matcher(value).replaceAll("");// Avoid vbscript:... expressionsscriptPattern = Pattern.compile("vbscript:", Pattern.CASE_INSENSITIVE);value = scriptPattern.matcher(value).replaceAll("");// Avoid onload= expressionsscriptPattern = Pattern.compile("onload(.*?)=", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);value = scriptPattern.matcher(value).replaceAll("");}return value;}
}请注意有关ESAPI库的注释,我强烈建议您将其检出并尝试将其包含在项目中。
如果您想深入了解该主题,建议您查看有关XSS和RSnake的XSS(跨站点脚本)备忘单的 OWASP页面 。
参考: Ricardo Zuasti博客博客中的JCG合作伙伴 Ricardo Zuasti提供了针对Java Web应用程序的更强大的反跨站点脚本(XSS)过滤器 。
翻译自: https://www.javacodegeeks.com/2012/07/anti-cross-site-scripting-xss-filter.html
...)
)
