防止xss攻击的核心代码
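/**
 * Servlet filter that wraps every HTTP request in {@link XssHttpServletRequestWrapper} and
 * adds a small set of browser-hardening response headers.
 *
 * Mapped to {@code /*} in web.xml, so it runs for every request. The wrapper does input
 * filtering only; context-aware output encoding at render time is still required.
 */
public class XssFilter implements Filter {

    /**
     * HSTS lifetime in seconds (365 days). The original value {@code 31536} (about 8.8 hours)
     * looks like a truncated {@code 31536000}; browsers also only honour this header on
     * HTTPS responses, so it has no effect on plain-HTTP deployments.
     */
    private static final String HSTS_MAX_AGE_SECONDS = "31536000";

    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
        // No configuration is read.
    }

    @Override
    public void destroy() {
        // Nothing to release.
    }

    /**
     * Wraps the request, sets the hardening headers and continues the chain.
     *
     * @param request  incoming request; wrapped only when it is an {@link HttpServletRequest}
     * @param response outgoing response; headers are added only when it is an {@link HttpServletResponse}
     * @param chain    the remaining filter chain
     * @throws IOException      propagated from the chain
     * @throws ServletException propagated from the chain
     */
    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        // Non-HTTP traffic is passed through untouched instead of failing on the casts below.
        if (!(request instanceof HttpServletRequest) || !(response instanceof HttpServletResponse)) {
            chain.doFilter(request, response);
            return;
        }
        HttpServletRequest httpRequest = (HttpServletRequest) request;
        HttpServletResponse httpResponse = (HttpServletResponse) response;

        // Legacy header: current browsers have removed the XSS auditor this controls and
        // OWASP guidance now prefers "0" plus a Content-Security-Policy. Kept as the original set it.
        httpResponse.setHeader("X-XSS-Protection", "1; mode=block");
        // Clickjacking: only same-origin pages may frame this site.
        httpResponse.setHeader("X-Frame-Options", "SAMEORIGIN");
        httpResponse.setHeader("Strict-Transport-Security",
                "max-age=" + HSTS_MAX_AGE_SECONDS + "; includeSubDomains");
        // CSP is the effective XSS control; left disabled in the original, presumably because
        // "default-src 'self'" needs tuning to the site's assets before it can be enforced.
        // httpResponse.setHeader("Content-Security-Policy", "default-src 'self'");
        // Stops MIME sniffing of responses whose declared content type is wrong.
        httpResponse.setHeader("X-Content-Type-Options", "nosniff");

        chain.doFilter(new XssHttpServletRequestWrapper(httpRequest), httpResponse);
    }
}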
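/**
 * Request wrapper that neutralises common XSS payloads in parameter and header values before
 * application code reads them. This is blacklist-style input filtering: it reduces exposure but
 * does not replace context-aware output encoding when values are rendered.
 *
 * Values are never discarded as a whole: known script constructs are stripped, then the
 * delimiters {@code <}, {@code >} and {@code '} are replaced by their HTML entities so the rest of
 * the data survives. Parameter and header names are used for the lookup unchanged: encoding the
 * name the caller passes in has no security effect (the name is application code, not attacker
 * data) and would only make the lookup miss once those characters become entities.
 * {@code getParameterNames} is not overridden, so names seen through it are unfiltered.
 */
public class XssHttpServletRequestWrapper extends HttpServletRequestWrapper {

    /** Removes {@code eval(...)} calls; greedy, so it consumes up to the last {@code )}. */
    private static final java.util.regex.Pattern EVAL_CALL =
            java.util.regex.Pattern.compile("eval\\((.*)\\)");

    /** Replaces a quoted {@code javascript:} URL with an empty quoted string. */
    private static final java.util.regex.Pattern JAVASCRIPT_URL =
            java.util.regex.Pattern.compile("[\\\"\\\'][\\s]*javascript:(.*)[\\\"\\\']");

    /**
     * Tag-level patterns removed entirely, in this order. They are case-insensitive but not
     * DOTALL, so a payload spanning a line break is not matched — a known limit of this approach.
     */
    private static final java.util.regex.Pattern[] TAG_PATTERNS = {
            java.util.regex.Pattern.compile("(?i)<script.*?>.*?<script.*?>"),
            java.util.regex.Pattern.compile("(?i)<script.*?>.*?</script.*?>"),
            java.util.regex.Pattern.compile("(?i)<.*?javascript:.*?>.*?</.*?>"),
            java.util.regex.Pattern.compile("(?i)<.*?\\s+on.*?>.*?</.*?>"),
    };

    public XssHttpServletRequestWrapper(HttpServletRequest request) {
        super(request);
    }

    /**
     * Returns the filtered value of a parameter, or {@code null} when it is absent.
     * The raw value is still available through {@code super.getParameter(name)}.
     */
    @Override
    public String getParameter(String name) {
        return xssEncode(super.getParameter(name));
    }

    /**
     * Returns filtered copies of all values of a parameter, or {@code null} when it is absent.
     */
    @Override
    public String[] getParameterValues(String name) {
        return encodeAll(super.getParameterValues(name));
    }

    /**
     * Returns an unmodifiable view of the parameter map with every value filtered. The original
     * returned the container's map untouched, so code reading parameters this way bypassed the
     * filter entirely.
     */
    @Override
    @SuppressWarnings("unchecked") // Servlet 2.5 declares the raw Map; 3.0+ declares Map<String, String[]>.
    public Map<String, String[]> getParameterMap() {
        Map<String, String[]> raw = super.getParameterMap();
        Map<String, String[]> filtered = new java.util.LinkedHashMap<String, String[]>();
        for (Map.Entry<String, String[]> entry : raw.entrySet()) {
            filtered.put(entry.getKey(), encodeAll(entry.getValue()));
        }
        return java.util.Collections.unmodifiableMap(filtered);
    }

    /**
     * Filters each element into a fresh array. The container's array is never written through:
     * the servlet API does not promise it is a private copy, so in-place edits could alter the
     * container's own parameter state.
     *
     * @param values the container's values, possibly {@code null}
     * @return a new array of filtered values, or {@code null} when {@code values} is {@code null}
     */
    private static String[] encodeAll(String[] values) {
        if (values == null) {
            return null;
        }
        String[] encoded = new String[values.length];
        for (int i = 0; i < values.length; i++) {
            encoded[i] = xssEncode(values[i]);
        }
        return encoded;
    }

    /**
     * Strips script-like constructs and entity-encodes the remaining tag delimiters, keeping
     * the data otherwise intact.
     *
     * Order matters: the stripping runs first because once {@code <} has been encoded the
     * {@code <script} patterns can no longer match. (On the page this code was taken from, the
     * three character replacements had identical source and target characters, making them
     * no-ops; the entity form restores what the surrounding documentation describes.)
     * A stricter variant that deleted {@code <>{}[];&} outright was left disabled in the
     * original because it destroys data.
     *
     * @param value raw value, may be {@code null} or empty
     * @return the filtered value; {@code null} and empty input are returned as-is
     */
    private static String xssEncode(String value) {
        if (value == null || value.isEmpty()) {
            return value;
        }
        String result = EVAL_CALL.matcher(value).replaceAll("");
        result = JAVASCRIPT_URL.matcher(result).replaceAll("\"\"");
        for (java.util.regex.Pattern tagPattern : TAG_PATTERNS) {
            result = tagPattern.matcher(result).replaceAll("");
        }
        result = result.replace("<", "&lt;");
        result = result.replace(">", "&gt;");
        result = result.replace("'", "&#39;");
        return result;
    }

    /**
     * Returns the filtered value of a header, or {@code null} when it is absent. The raw value
     * is still available through {@code super.getHeaders(name)}; {@code getHeaderNames} is not
     * overridden.
     *
     * The original author reports that filtering header values produced HTTP 406 responses in
     * one deployment (406 means the server could not satisfy the client's content-negotiation
     * headers). If that reappears, limit the encoding to the headers the application actually
     * echoes rather than every header a framework inspects.
     */
    @Override
    public String getHeader(String name) {
        return xssEncode(super.getHeader(name));
    }
}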
<!--解决xss漏洞--> <filter> <filter-name>XssFilter</filter-name> <filter-class>com.qls.XssFilter</filter-class> </filter> <filter-mapping> <filter-name>XssFilter</filter-name> <url-pattern>/*</url-pattern> </filter-mapping>