后端防范xss攻擊的示例:
java后端防止xss攻擊可添加Filter過(guò)濾器��,例如:
public class RequestXssFilter implements Filter {
FilterConfig filterConfig = null;@Override
public void init(FilterConfig filterConfig) throws ServletException {
this.filterConfig = filterConfig;
}@Override
public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
filterChain.doFilter(new XssHttpServletRequestWrapper(
(HttpServletRequest) servletRequest), servletResponse);
}@Override
public void destroy () {
this.filterConfig = null;
}
}
再寫一個(gè)實(shí)際過(guò)濾類:
public class XssHttpServletRequestWrapper extends HttpServletRequestWrapper {//白名單數(shù)組
private static final String[] WHITE_LIST = {"content"};
// 定義script的正則表達(dá)式
private static final String REGEX_SCRIPT = "<script[^>]*?>[\\s\\S]*?<\\/script>";
// 定義style的正則表達(dá)式
private static final String REGEX_STYLE = "<style[^>]*?>[\\s\\S]*?<\\/style>";
// 定義HTML標(biāo)簽的正則表達(dá)式
private static final String REGEX_HTML = "<[^>]+>";
// 定義空格回車換行符
private static final String REGEX_SPACE = "\\s*|\t|\r|\n";
//定義所有w標(biāo)簽
private static final String REGEX_W = "<w[^>]*?>[\\s\\S]*?<\\/w[^>]*?>";
//定義sql注入
private static String reg = "(\\b(select|update|union|and|or|delete|insert|trancate|char|into|substr|ascii|declare|exec|count|master|into|drop|execute)\\b)";public XssHttpServletRequestWrapper(HttpServletRequest request) {
super(request);
}@Override
public String[] getParameterValues(String parameter) {
String[] values = super.getParameterValues(parameter);
if (values == null) {
return null;
}int count = values.length;String[] encodedValues = new String[count];for (int i = 0; i < count; i++) {
//白名單放行的只有HTML標(biāo)簽��,sql標(biāo)簽還是要驗(yàn)證
if (isWhitelist(parameter)) {
if (sqlValidate(values[i])) {
encodedValues[i] = values[i];
}
encodedValues[i] = null;
}
encodedValues[i] = removeHtml(values[i]);
}return encodedValues;}@Override
public String getParameter(String parameter) {
String value = super.getParameter(parameter);
if (value == null) {
return null;
}
//白名單放行的只有HTML標(biāo)簽�,sql標(biāo)簽還是要驗(yàn)證
if (isWhitelist(parameter)) {
if (sqlValidate(value)) {
return value;
}
return null;
}
return removeHtml(value);
}@Override
public String getHeader(String name) {
String value = super.getHeader(name);
if (value == null) {
return null;
}if (isWhitelist(name)) {
if (sqlValidate(value)) {
return value;
}
return null;
}
return removeHtml(value);
}
//\\b 表示 限定單詞邊界 比如 select 不通過(guò) 1select則是可以的
private static Pattern sqlPattern = Pattern.compile(reg, Pattern.CASE_INSENSITIVE);/**
* sql注入過(guò)濾器
* @param str
* @return
*/
private static boolean sqlValidate(String str) {
if (sqlPattern.matcher(str).find()) {
System.out.println("未能通過(guò)過(guò)濾器:str=" + str);
return false;
}
return true;
}/**
* 是否白名單,白名單的放行
*
* @param paramName
* @return
*/
private static boolean isWhitelist(String paramName) {
String lowerParam = paramName.toLowerCase();
String name = Arrays.stream(WHITE_LIST).filter(y -> y.toLowerCase().equals(lowerParam)).findAny().orElse(null);
return name != null;
}/**
* 移除HTML標(biāo)簽
* @param htmlStr
* @return
*/
private static String removeHtml(String htmlStr){
Pattern p_w = Pattern.compile(REGEX_W, Pattern.CASE_INSENSITIVE);
Matcher m_w = p_w.matcher(htmlStr);
htmlStr = m_w.replaceAll(""); // 過(guò)濾script標(biāo)簽
Pattern p_script = Pattern.compile(REGEX_SCRIPT, Pattern.CASE_INSENSITIVE);
Matcher m_script = p_script.matcher(htmlStr);
htmlStr = m_script.replaceAll(""); // 過(guò)濾script標(biāo)簽
Pattern p_style = Pattern.compile(REGEX_STYLE, Pattern.CASE_INSENSITIVE);
Matcher m_style = p_style.matcher(htmlStr);
htmlStr = m_style.replaceAll(""); // 過(guò)濾style標(biāo)簽
Pattern p_html = Pattern.compile(REGEX_HTML, Pattern.CASE_INSENSITIVE);
Matcher m_html = p_html.matcher(htmlStr);
htmlStr = m_html.replaceAll(""); // 過(guò)濾html標(biāo)簽
Pattern p_space = Pattern.compile(REGEX_SPACE, Pattern.CASE_INSENSITIVE);
Matcher m_space = p_space.matcher(htmlStr);
htmlStr = m_space.replaceAll(""); // 過(guò)濾空格回車標(biāo)簽
htmlStr = htmlStr.replaceAll(" ", ""); //過(guò)濾
return htmlStr.trim(); // 返回文本字符串
}
}
在Web.xml中添加過(guò)濾器���,例如:
<filter>
<filter-name>XssEscape</filter-name>
<filter-class>cn.pinming.common.xss.RequestXssFilter</filter-class>
</filter>
