copy

copy

关注
发信
关注(28)粉丝(399)

配置过滤器filter对跨站脚本攻击XSS实现拦截

1.web.xml中配置filter

[html] view plain copy

 
  1. <filter> <filter-name></filter-name> <filter-class></filter-class> </filter> <filter-mapping> <filter-name></filter-name> <url-pattern></url-pattern> </filter-mapping>

2.编写相应的filter的java类

[java] view
plain copy

 
  1. package

    import

    import
    import
    import
    import
    import
    import
    import

    publicclassimplements

  2. publicvoid
  3. publicvoid
    throws
    new
  4. publicvoidthrows

    }

3.编写字符过滤类

[java] view
plain copy

 
  1. package

    import
    import
    /**

  2. *
  3. * @author wk
  4. * @date 2015-8-6
  5. */
    publicclassextends

    public
    super

  6. public
    returnsuper
  7. public
    returnsuper
  8. public
    super
    ifnull
    returnnull

    new

    forint; i < values.length; i++) {

  9. return

    * 处理字符转义

  10. *
  11. * @param value
  12. * @return
  13. */
    private
    ifnull.equals(value)) {
  14. return

    ">"
    , ).replace(, );

  15. , );
  16. , );
  17. ,
  18. );
  19. , );
  20. return

    }

或者:
private String cleanXSS(String value) {

value = value.replaceAll("<", "& lt;").replaceAll(">", "& gt;");

value = value.replaceAll("\\(", "& #40;").replaceAll("\\)", "& #41;");

value = value.replaceAll("'", "& #39;");

value = value.replaceAll("eval\\((.*)\\)", "");

value = value.replaceAll("[\\\"\\\'][\\s]*javascript:(.*)[\\\"\\\']",
                "\"\"");

value = value.replaceAll("script", "");

return value;

}

4.当然喽,此处多说一句,在装饰类中不仅可以拦截XSS脚本攻击,还可以将请求参数中的空格去掉,这样就不用在每一个action中都要去掉提交参数值的前后空格了,至于Injection Flows等sql注入的问题也可以一概解决了

转载:http://blog.csdn.net/woniumenga/article/details/47323829

05-26 21:11
Powered by LMLPHP ©2024 copy 0.050103