Java Web Security: XSS Prevention
XSS vulnerabilities are generally divided into reflected and stored; stored XSS is the more serious, since the payload is served to every visitor who views the stored data. Both are prevented the same way on the server side: untrusted data is escaped at the moment it is written into the page, using the encoding that matches where it lands.
In general it is enough to escape the following five characters. The backslash forms are what a JavaScript string literal needs, and the entity form for "<" stops the value from opening a tag in HTML. Note that ">" and "&" are not on the list, so the filter below is not a complete HTML encoder; the escaping applied must always match the context the value is written into.
< --> &lt;
' --> \'
" --> \"
\ --> \\
/ --> \/
// The article's filter, built on a helper HTMLFilter.replace(value, target, replacement, matchCase)
// that is not shown on the page (the last argument evidently selects case-sensitive matching).
// The backslash must be escaped first. Otherwise the "\" inserted by the ' --> \' rule is itself
// doubled by a later "\" --> "\\" rule, leaving \\' (a literal backslash plus an unescaped quote),
// which undoes the escape.
value = HTMLFilter.replace(value, "\\", "\\\\", matchCase);
value = HTMLFilter.replace(value, "/", "\\/", matchCase);
// The same two rules for input that arrives URL-encoded: %5C is "\", %2F is "/"
value = HTMLFilter.replace(value, "%5C", "%5C%5C", matchCase);
value = HTMLFilter.replace(value, "%2F", "%5C%2F", matchCase);
value = HTMLFilter.replace(value, "'", "\\'", matchCase);
value = HTMLFilter.replace(value, "\"", "\\\"", matchCase);
// URL-encoded quotes: %27 is ', %22 is "
value = HTMLFilter.replace(value, "%27", "%5C%27", matchCase);
value = HTMLFilter.replace(value, "%22", "%5C%22", matchCase);
// "<" becomes the HTML entity &lt; so it can never open a tag (matched case-insensitively here)
content = replace(content, "<", "&lt;", false);
// "<" may also arrive URL-encoded as %3C, which the line above would miss; this handles that case.
// %26lt%3B is the URL-encoded form of &lt;
content = replace(content, "%3C", "%26lt%3B", false);
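As an added example (not the article's HTMLFilter code, which is not shown on the page), the following Java class applies the same five escapes in a single pass, runs the sequential String.replace version in both the correct and the wrong order, and checks whether every quote in the output is still escaped. The class name, method names and the payload strings are all constructed for this illustration.

```java
import java.util.Arrays;
import java.util.List;

/**
 * Added example, not the article's HTMLFilter code: the article's five escapes
 * applied in one pass, next to two sequential String.replace versions that show
 * why the article insists on escaping the backslash first.
 */
public final class XssEscapeDemo {

    /** Single pass: each input char is inspected once, so no rule can rewrite another rule's output. */
    public static String escapeSinglePass(String value) {
        StringBuilder sb = new StringBuilder(value.length() + 16);
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            switch (c) {
                case '\\': sb.append("\\\\"); break;   // \  --> \\
                case '/':  sb.append("\\/");  break;   // /  --> \/
                case '\'': sb.append("\\'");  break;   // '  --> \'
                case '"':  sb.append("\\\""); break;   // "  --> \"
                case '<':  sb.append("&lt;"); break;   // <  --> &lt;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Sequential replaces in the article's order: backslash first. */
    public static String escapeSequential(String value) {
        String v = value.replace("\\", "\\\\");
        v = v.replace("/", "\\/");
        v = v.replace("'", "\\'");
        v = v.replace("\"", "\\\"");
        return v.replace("<", "&lt;");
    }

    /** Same rules with the backslash handled last: the "\" inserted for a quote is doubled, un-escaping the quote. */
    public static String escapeSequentialWrongOrder(String value) {
        String v = value.replace("'", "\\'");
        v = v.replace("\"", "\\\"");
        v = v.replace("/", "\\/");
        v = v.replace("<", "&lt;");
        return v.replace("\\", "\\\\");
    }

    /**
     * Check to run over filter output: true only if every ' and " is preceded by an
     * odd number of backslashes, i.e. is still escaped inside a JavaScript string literal.
     */
    public static boolean allQuotesEscaped(String s) {
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            if (c != '\'' && c != '"') continue;
            int backslashes = 0;
            for (int j = i - 1; j >= 0 && s.charAt(j) == '\\'; j--) backslashes++;
            if (backslashes % 2 == 0) return false;
        }
        return true;
    }

    public static void main(String[] args) {
        // Constructed payloads; the second one carries a backslash of its own.
        List<String> payloads = Arrays.asList("';alert(1);//", "\\';alert(1);//");
        for (String p : payloads) {
            String single = escapeSinglePass(p);
            String right = escapeSequential(p);
            String wrong = escapeSequentialWrongOrder(p);
            System.out.println("payload            : " + p);
            System.out.println("single pass        : " + single + "  quotes escaped=" + allQuotesEscaped(single));
            System.out.println("sequential (right) : " + right + "  quotes escaped=" + allQuotesEscaped(right));
            System.out.println("sequential (wrong) : " + wrong + "  quotes escaped=" + allQuotesEscaped(wrong));
            System.out.println();
        }
    }
}
```

Compile with javac XssEscapeDemo.java and run it. For the first payload the single-pass and correct-order results agree (\';alert(1);\/\/, quote still escaped), while the wrong-order result \\';alert(1);\\/\\/ has an even number of backslashes before the quote, so the quote terminates the JavaScript string literal exactly as the comment in the article warns. The single-pass form avoids the ordering question altogether and is the safer way to write such a filter. Where the value is still percent-encoded at the point the filter runs, decoding it once with java.net.URLDecoder and escaping the decoded string is simpler to reason about than matching each encoded form separately, as the article's %5C, %2F, %27, %22 and %3C rules do.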