java前端提示反射型xss_解决反射型XSS漏洞攻击「建议收藏」

1 /*

2 * Copyright (C), 2001-2019, xiaoi机器人3 * Author: han.sun4 * Date: 2019/2/28 11:395 * History:6 * 7 * 作者姓名 修改时间 版本号 描述8 */

9 packagecom.eastrobot.robotdev.filter;10

11 importjavax.servlet.http.HttpServletRequest;12 importjavax.servlet.http.HttpServletRequestWrapper;13 importjava.util.Map;14 importjava.util.regex.Matcher;15 importjava.util.regex.Pattern;16

17 /**

18 * 〈一句话功能简述〉
19 * TODO(解决反射型XSS漏洞攻击)20 *21 *@authorhan.sun22 *@version1.0.023 *@since2019/2/28 11:3924 */

25 public class XssHttpServletRequestWrapper extendsHttpServletRequestWrapper {26

27 /**

28 * 定义script的正则表达式29 */

30 private static final String REG_SCRIPT = “”;31

32 /**

33 * 定义style的正则表达式34 */

35 private static final String REG_STYLE = “”;36

37 /**

38 * 定义HTML标签的正则表达式39 */

40 private static final String REG_HTML = “]+>”;41

42 /**

43 * 定义所有w标签44 */

45 private static final String REG_W = “]*?>[\\s\\S]*?]*?>”;46

47 private static final String REG_JAVASCRIPT = “.*javascript.*”;48

49

50 XssHttpServletRequestWrapper(HttpServletRequest request) {51 super(request);52 }53

54 @SuppressWarnings(“rawtypes”)55 @Override56 public MapgetParameterMap() {57 Map requestMap = super.getParameterMap();58 for(Object o : requestMap.entrySet()) {59 Map.Entry me =(Map.Entry) o;60 String[] values =(String[]) me.getValue();61 for (int i = 0; i < values.length; i++) {62 values[i] =xssClean(values[i]);63 }64 }65 returnrequestMap;66 }67

68 @Override69 publicString[] getParameterValues(String paramString) {70 String[] values = super.getParameterValues(paramString);71 if (values == null) {72 return null;73 }74 int i =values.length;75 String[] result = newString[i];76 for (int j = 0; j < i; j++) {77 result[j] =xssClean(values[j]);78 }79 returnresult;80 }81

82 @Override83 publicString getParameter(String paramString) {84 String str = super.getParameter(paramString);85 if (str == null) {86 return null;87 }88 returnxssClean(str);89 }90

91

92 @Override93 publicString getHeader(String paramString) {94 String str = super.getHeader(paramString);95 if (str == null) {96 return null;97 }98 str = str.replaceAll(“[\r\n]”, “”);99 returnxssClean(str);100 }101

102 /**

103 * [xssClean 过滤特殊、敏感字符]104 *@paramvalue [请求参数]105 *@return[value]106 */

107 privateString xssClean(String value) {108 if (value == null || “”.equals(value)) {109 returnvalue;110 }111 Pattern pw =Pattern.compile(REG_W, Pattern.CASE_INSENSITIVE);112 Matcher mw =pw.matcher(value);113 value = mw.replaceAll(“”);114

115 Pattern script =Pattern.compile(REG_SCRIPT, Pattern.CASE_INSENSITIVE);116 value = script.matcher(value).replaceAll(“”);117

118 Pattern style =Pattern.compile(REG_STYLE, Pattern.CASE_INSENSITIVE);119 value = style.matcher(value).replaceAll(“”);120

121 Pattern htmlTag =Pattern.compile(REG_HTML, Pattern.CASE_INSENSITIVE);122 value = htmlTag.matcher(value).replaceAll(“”);123

124 Pattern javascript =Pattern.compile(REG_JAVASCRIPT, Pattern.CASE_INSENSITIVE);125 value = javascript.matcher(value).replaceAll(“”);126 returnvalue;127 }128

129 }