解决反射型XSS漏洞攻击
对于程序员来说安全防御,无非从两个方面考虑,要么前端要么后台。
一、首先从前端考虑过滤一些非法字符。
前端的主控js中,在<textarea> 输入框标签中,
找到点击发送按钮之后、追加到聊天 panel 之前的位置,对输入内容进行过滤
// 过滤XSS反射型漏洞 filterInputTxt: function (html) { html = html.replace(/(.*<[^>]+>.*)/g,""); // HTML标记 html = html.replace(/([\r\n])[\s]+/g, ""); // 换行、空格 html = html.replace(/<!--.*-->/g, ""); // HTML注释 html = html.replace(/['"‘’“”!@#$%^&*{}!¥()()×+=]/g, ""); // 非法字符 html = html.replace("alert",""); html = html.replace("eval",""); html = html.replace(/(.*javascript.*)/gi,""); if (html === "") { html = "你好"; } return html; }
二、在后台API服务解决反射型XSS漏洞
thinking:一般来说前端可以过滤一下基本的恶意代码,但如果恶意脚本仍被提交到服务端,那么就需要在请求参数到达接口之前过滤掉非法字符。
handle:1、自定义过滤器实现Filter接口
2、在doFilter方法中对request、response进行设置处理
##处理request请求参数。
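package com.eastrobot.robotdev.filter;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import java.util.Collections;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/**
 * Request wrapper that strips {@code <script>}, {@code <style>}, {@code <w>} elements,
 * any remaining HTML tag and any line containing the word "javascript" out of request
 * parameters and header values before the application reads them (mitigation for
 * reflected XSS).
 *
 * <p>Scope and limits a maintainer should know:
 * <ul>
 *   <li>Only {@link #getParameter}, {@link #getParameterValues}, {@link #getParameterMap}
 *       and {@link #getHeader} are cleaned. {@code getHeaders(String)}, cookies, the raw
 *       query string and request bodies read through {@code getInputStream()} /
 *       {@code getReader()} (e.g. JSON) are passed through untouched.</li>
 *   <li>Stripping is a lossy blacklist: legitimate input that contains {@code <} or the
 *       word "javascript" is altered, and a blacklist cannot be assumed complete.
 *       Output encoding at the point where data is rendered into HTML remains the
 *       primary XSS control; this wrapper is defence in depth.</li>
 *   <li>Cleaned values are returned in new arrays / a new map; the wrapped request's
 *       own parameter storage is never modified.</li>
 * </ul>
 *
 * @author han.sun
 * @version 1.0.0
 * @since 2019/2/28 11:39
 */
public class XssHttpServletRequestWrapper extends HttpServletRequestWrapper {

    /** Matches a whole {@code <script>...</script>} element, content included. */
    private static final String REG_SCRIPT = "<script[^>]*?>[\\s\\S]*?</script>";
    /** Matches a whole {@code <style>...</style>} element, content included. */
    private static final String REG_STYLE = "<style[^>]*?>[\\s\\S]*?</style>";
    /** Matches any remaining HTML tag. */
    private static final String REG_HTML = "<[^>]+>";
    /** Matches a whole {@code <w...>...</w...>} element, content included. */
    private static final String REG_W = "<w[^>]*?>[\\s\\S]*?</w[^>]*?>";
    /** Matches the whole line (dot does not cross line terminators) that contains "javascript". */
    private static final String REG_JAVASCRIPT = ".*javascript.*";

    // Pattern is immutable and thread-safe, so compile each expression once instead of
    // on every parameter lookup (the previous version recompiled five patterns per call).
    private static final Pattern W_PATTERN = Pattern.compile(REG_W, Pattern.CASE_INSENSITIVE);
    private static final Pattern SCRIPT_PATTERN = Pattern.compile(REG_SCRIPT, Pattern.CASE_INSENSITIVE);
    private static final Pattern STYLE_PATTERN = Pattern.compile(REG_STYLE, Pattern.CASE_INSENSITIVE);
    private static final Pattern HTML_PATTERN = Pattern.compile(REG_HTML, Pattern.CASE_INSENSITIVE);
    private static final Pattern JAVASCRIPT_PATTERN = Pattern.compile(REG_JAVASCRIPT, Pattern.CASE_INSENSITIVE);

    XssHttpServletRequestWrapper(HttpServletRequest request) {
        super(request);
    }

    /**
     * Returns an unmodifiable copy of the parameter map with every value cleaned.
     *
     * <p>A fresh map and fresh arrays are built: the previous implementation wrote the
     * cleaned strings back into the arrays of the wrapped request's map, i.e. it mutated
     * container-owned state that may be shared or treated as read-only.
     *
     * @return cleaned parameter map, empty when the wrapped request has no parameters
     */
    @Override
    public Map<String, String[]> getParameterMap() {
        Map<String, String[]> original = super.getParameterMap();
        if (original == null || original.isEmpty()) {
            return Collections.emptyMap();
        }
        Map<String, String[]> cleaned = new LinkedHashMap<>();
        for (Map.Entry<String, String[]> entry : original.entrySet()) {
            cleaned.put(entry.getKey(), cleanAll(entry.getValue()));
        }
        return Collections.unmodifiableMap(cleaned);
    }

    /**
     * @param paramString parameter name
     * @return cleaned copies of the values, or {@code null} when the parameter is absent
     */
    @Override
    public String[] getParameterValues(String paramString) {
        return cleanAll(super.getParameterValues(paramString));
    }

    /**
     * @param paramString parameter name
     * @return the cleaned value, or {@code null} when the parameter is absent
     */
    @Override
    public String getParameter(String paramString) {
        String str = super.getParameter(paramString);
        return str == null ? null : xssClean(str);
    }

    /**
     * Header values additionally have CR and LF removed before cleaning, so a value that
     * is later echoed into a response header cannot split it into a second header.
     *
     * @param paramString header name
     * @return the cleaned value, or {@code null} when the header is absent
     */
    @Override
    public String getHeader(String paramString) {
        String str = super.getHeader(paramString);
        if (str == null) {
            return null;
        }
        return xssClean(str.replaceAll("[\r\n]", ""));
    }

    /** Cleans each element into a new array; {@code null} in, {@code null} out. */
    private String[] cleanAll(String[] values) {
        if (values == null) {
            return null;
        }
        String[] result = new String[values.length];
        for (int i = 0; i < values.length; i++) {
            result[i] = xssClean(values[i]);
        }
        return result;
    }

    /**
     * [xssClean 过滤特殊、敏感字符] Strips markup from a single value.
     *
     * <p>Order matters: whole {@code <w>}, {@code <script>} and {@code <style>} elements are
     * removed first (their content included), then any leftover tag, then any line that
     * still contains "javascript".
     *
     * @param value request parameter or header value, may be {@code null}
     * @return the cleaned value; {@code null} or empty input is returned unchanged
     */
    private String xssClean(String value) {
        if (value == null || value.isEmpty()) {
            return value;
        }
        Matcher matcher = W_PATTERN.matcher(value);
        String cleaned = matcher.replaceAll("");
        cleaned = SCRIPT_PATTERN.matcher(cleaned).replaceAll("");
        cleaned = STYLE_PATTERN.matcher(cleaned).replaceAll("");
        cleaned = HTML_PATTERN.matcher(cleaned).replaceAll("");
        cleaned = JAVASCRIPT_PATTERN.matcher(cleaned).replaceAll("");
        return cleaned;
    }
}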
##自定义Filter过滤器。
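package com.eastrobot.robotdev.filter;

import org.springframework.boot.web.servlet.FilterRegistrationBean;
import org.springframework.core.annotation.Order;

import javax.servlet.*;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import java.io.IOException;

/**
 * Filter mapped to every URL that (1) wraps the request in
 * {@link XssHttpServletRequestWrapper} so parameters and headers are stripped of markup,
 * (2) re-issues the session cookie with {@code HttpOnly} so page scripts cannot read it
 * while the browser still sends it normally, and (3) sets
 * {@code X-Frame-Options: SAMEORIGIN} against clickjacking.
 *
 * <p>Notes for maintainers:
 * <ul>
 *   <li>The HttpOnly / Secure flags of the session cookie are normally configured once
 *       in the container ({@code SessionCookieConfig}) or the framework's session-cookie
 *       settings. Emitting the header by hand here is a fallback and must agree with
 *       that configuration (same name, path and flags), otherwise the browser ends up
 *       holding two JSESSIONID cookies.</li>
 *   <li>Only form/query parameters and single-valued headers are cleaned by the wrapper;
 *       request bodies read through {@code getReader()} / {@code getInputStream()} are
 *       not. Output encoding where values are rendered, and ideally a
 *       {@code Content-Security-Policy} header, remain the primary XSS controls.</li>
 *   <li>NOTE(review): when the filter is registered through {@code @WebFilter} scanning,
 *       whether {@code @Order} is honoured depends on the registration mechanism -
 *       confirm the intended position in the filter chain.</li>
 * </ul>
 */
@WebFilter(filterName = "xssFilter", urlPatterns = {"/*"})
@Order(FilterRegistrationBean.LOWEST_PRECEDENCE)
public class XssFilter implements Filter {

    /** Name of the servlet container's session cookie. */
    private static final String SESSION_COOKIE_NAME = "JSESSIONID";

    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
        // No configuration is read; behaviour is fixed at compile time.
    }

    /**
     * Applies the response headers and hands a cleaned request to the rest of the chain.
     * Non-HTTP requests are passed through unchanged instead of failing on the cast.
     *
     * @throws IOException      propagated from the chain
     * @throws ServletException propagated from the chain
     */
    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        if (!(request instanceof HttpServletRequest) || !(response instanceof HttpServletResponse)) {
            chain.doFilter(request, response);
            return;
        }
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse resp = (HttpServletResponse) response;

        // 解决动态脚本获取网页cookie,将cookie设置成HttpOnly
        // Re-issue the session cookie only when a session already exists: getSession()
        // would create one for every request, static resources included. Path and
        // Secure are set explicitly - without Path the browser scopes the cookie to the
        // directory of the current URL (RFC 6265 default-path), which diverges from the
        // container's own session cookie and breaks session continuity across paths.
        HttpSession session = req.getSession(false);
        if (session != null) {
            resp.setHeader("SET-COOKIE", sessionCookie(req, session.getId()));
        }
        // Deny framing by other origins (clickjacking).
        resp.setHeader("x-frame-options", "SAMEORIGIN");

        chain.doFilter(new XssHttpServletRequestWrapper(req), response);
    }

    /**
     * Builds the {@code Set-Cookie} value for the session id: {@code HttpOnly} always,
     * {@code Secure} when this request arrived over TLS, {@code Path} = the context path
     * (or {@code /} for the root context) to match the container's own cookie.
     *
     * @param req       current request, used for context path and TLS state
     * @param sessionId id of the existing session
     * @return the header value
     */
    private static String sessionCookie(HttpServletRequest req, String sessionId) {
        String path = req.getContextPath();
        if (path == null || path.isEmpty()) {
            path = "/";
        }
        StringBuilder cookie = new StringBuilder(SESSION_COOKIE_NAME).append('=').append(sessionId)
                .append("; Path=").append(path)
                .append("; HttpOnly");
        if (req.isSecure()) {
            cookie.append("; Secure");
        }
        return cookie.toString();
    }

    @Override
    public void destroy() {
        // Nothing to release.
    }
}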
if you want to go fast,go alone,if you want to go far,go together