用 JS / Java 处理跨站脚本攻击（XSS）问题的两种尝试
1. 前端处理（代码只在受害者浏览器里执行，攻击者构造的请求根本不会运行它，因此极易绕过，不能作为安全控制）:
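<script type="text/javascript">
// Front-end "XSS mitigation": on page load, run the current URL through
// HTMLEnCode and navigate to the result.
//
// NOTE(review): this is not a defence against reflected XSS. It runs in
// the victim's browser only after the page (and any injected payload) has
// already been delivered, and an attacker's request never has to execute
// it. HTMLEnCode also deletes '/', '=' and ' ', so for any real URL the
// rewritten value is no longer a valid address for the same page; the
// navigation below is a broken redirect, not a sanitised reload. Keep
// this only as an illustration of what NOT to rely on; output encoding
// on the server is the real control.
//
// Fix relative to the original snippet: a stray "});" before </script>
// made the whole script a syntax error, so it never ran at all.
$(document).ready(function () {
    var url = window.location.href;
    window.location.href = HTMLEnCode(url);
});

// Removes a fixed set of characters from str. Despite the name this is not
// HTML entity encoding: nothing is escaped, characters are simply deleted.
// Returns "" for an empty string. Deleted: & < > space " ' \n / ( ) =
function HTMLEnCode(str) {
    if (str.length == 0) return "";
    var s = str.replace(/&/g, ">");   // '&' is first turned into '>' ...
    s = s.replace(/</g, "");
    s = s.replace(/>/g, "");          // ... and every '>' (including the ones
                                      // just produced) is then deleted, so '&'
                                      // is removed rather than encoded
    s = s.replace(/ /g, "");
    s = s.replace(/\"/g, "");
    s = s.replace(/\'/g, "");
    s = s.replace(/\n/g, "");
    s = s.replace(/\//g, "");
    s = s.replace(/\(/g, "");
    s = s.replace(/\)/g, "");
    s = s.replace(/\=/g, "");
    return s;
}
</script>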
2. 后端处理（基于黑名单删除字符，只能作为纵深防御：SQL 必须使用 PreparedStatement 参数绑定，HTML 输出必须按上下文做编码）:
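/**
 * Strips a fixed denylist of characters from {@code str}.
 *
 * <p>Removed characters: {@code | & ; $ % @ ' " > < ) ( + , \ #}. Everything
 * else passes through unchanged, including {@code -}, {@code *}, {@code /},
 * CR and LF (the CR/LF removals in the original were commented out, so they
 * are not applied here either).
 *
 * <p>NOTE(review): this is a denylist that deletes characters rather than
 * escaping them. It does not make string-built SQL safe (for example the
 * {@code --} comment sequence and whitespace-based variants survive, and it
 * never sees alternative encodings the database may accept), and it silently
 * mangles legitimate input such as {@code O'Brien} or an e-mail address.
 * Use {@link java.sql.PreparedStatement} with bound parameters for SQL and
 * context-appropriate output encoding for HTML; keep this method at most as
 * defence-in-depth, never as the sole control.
 *
 * @param str input to filter; may be {@code null}
 * @return {@code str} with the listed characters removed, or {@code null}
 *         when {@code str} is {@code null}
 */
public static String dangerousCharacterFilter(String str) {
    if (str == null) {
        return null;
    }
    // One pass with a character class replaces the original's 17 sequential
    // replaceAll() calls, each of which compiled its own regex. The original's
    // last pattern, "(\\#|$)", used '$' as an end-of-input anchor rather than a
    // literal dollar (the literal '$' had already been removed earlier); the
    // class below removes '$' directly. '&' is escaped because "&&" inside a
    // Java character class means intersection; the backslash is doubled once
    // for the Java string and once for the regex.
    return str.replaceAll("[|\\&;$%@'\"><)(+,\\\\#]", "");
}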
3. 添加统一的请求过滤器（尚未实现）