防止xss攻击的核心代码

public class XssFilter implements Filter {
    @Override
    public void destroy() {
        
    }

    /**
     * 过滤器用来过滤的方法
     */
    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        // 包装request
        XssHttpServletRequestWrapper xssRequest = new XssHttpServletRequestWrapper((HttpServletRequest) request);
        //实际设置
        HttpServletResponse xssResponse = (HttpServletResponse) response; 
        xssResponse.setHeader("X-XSS-Protection", "1; mode=block"); 
        xssResponse.setHeader("X-Frame-Options", "SAMEORIGIN"); 
        xssResponse.setHeader("Strict-Transport-Security", "max-age=31536; includeSubDomains");
//        xssResponse.setHeader("Content-Security-Policy", "default-src 'self'"); 
        xssResponse.setHeader("X-Content-Type-Options", "nosniff"); 
        chain.doFilter(xssRequest, xssResponse);
    }

    @Override
    public void init(FilterConfig filterConfig) throws ServletException { 
        
    }
public class XssHttpServletRequestWrapper extends HttpServletRequestWrapper {
    HttpServletRequest orgRequest = null;

    public XssHttpServletRequestWrapper(HttpServletRequest request) {
        super(request);
    }

    /**
     * 覆盖getParameter方法,将参数名和参数值都做xss过滤。
     * 如果需要获得原始的值,则通过super.getParameterValues(name)来获取
     * getParameterNames,getParameterValues和getParameterMap也可能需要覆盖
     */
    @Override
    public String getParameter(String name) {
        String value = super.getParameter(xssEncode(name));
        if (value != null) {
            value = xssEncode(value);
        }
        return value;
    }

    @Override
    public String[] getParameterValues(String name) {
        String[] value = super.getParameterValues(name);
        if (value != null) {
            for (int i = 0; i < value.length; i++) {
                value[i] = xssEncode(value[i]);
            }
        }
        return value;
    }

    @SuppressWarnings("rawtypes")
    @Override
    public Map getParameterMap() {
        return super.getParameterMap();
    }

    /**
     * 将容易引起xss漏洞的半角字符直接替换成全角字符 在保证不删除数据的情况下保存
     * 
     * @param s
     * @return 过滤后的值
     */
    private static String xssEncode(String value) {
        if (value == null || value.isEmpty()) {
            return value;
        }
        value = value.replaceAll("eval\\((.*)\\)", "");
        value = value.replaceAll("<","&lt;");
        value = value.replaceAll(">","&gt;");
        value = value.replaceAll("'","&apos;");
        value = value.replaceAll("[\\\"\\\'][\\s]*javascript:(.*)[\\\"\\\']", "\"\"");
        value = value.replaceAll("(?i)<script.*?>.*?<script.*?>", "");
        value = value.replaceAll("(?i)<script.*?>.*?</script.*?>", "");
        value = value.replaceAll("(?i)<.*?javascript:.*?>.*?</.*?>", "");
        value = value.replaceAll("(?i)<.*?\\s+on.*?>.*?</.*?>", "");
//        value = value.replaceAll("[<>{}\\[\\];\\&]","");
        return value;
    }

    /**
     * 覆盖getHeader方法,将参数名和参数值都做xss过滤。 如果需要获得原始的值,则通过super.getHeaders(name)来获取
     * getHeaderNames 也可能需要覆盖 这一段代码在一开始没有注释掉导致出现406错误,原因是406错误是HTTP协议状态码的一种,
     * 表示无法使用请求的内容特性来响应请求的网页。一般是指客户端浏览器不接受所请求页面的 MIME 类型。
     **/
    @Override
    public String getHeader(String name) {

        String value = super.getHeader(xssEncode(name));
        if (value != null) {
            value = xssEncode(value);
        }
        return value;
    }

}
 <!--解决xss漏洞-->
  <filter>
    <filter-name>XssFilter</filter-name>
    <filter-class>com.qls.XssFilter</filter-class>
  </filter>
  <filter-mapping>
    <filter-name>XssFilter</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>

  

posted @ 2019-03-25 15:56  技术让世界更精彩  阅读(670)  评论(1编辑  收藏  举报