基本概念及解决办法

比较典型的XSS攻击漏洞(Cascading Style Sheets, CSS),俗称跨站脚本攻击;解决办法:将特殊字符进行转义

1、增加过滤器XssFilter.java

public class XssFilter implements Filter {

FilterConfig filterConfig = null;

private List urlExclusion = null;

public void init(FilterConfig filterConfig) throws ServletException {

this.filterConfig = filterConfig;

}

public void destroy() {

this.filterConfig = null;

}

public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {

HttpServletRequest httpServletRequest = (HttpServletRequest) request;

String servletPath = httpServletRequest.getServletPath();

if (urlExclusion != null && urlExclusion.contains(servletPath)) {

chain.doFilter(request, response);

} else {

chain.doFilter(new XssHttpServletRequestWrapper((HttpServletRequest) request), response);

}

}

public List getUrlExclusion() {

return urlExclusion;

}

public void setUrlExclusion(List urlExclusion) {

this.urlExclusion = urlExclusion;

}

}

public class XssHttpServletRequestWrapper extends HttpServletRequestWrapper {

public XssHttpServletRequestWrapper(HttpServletRequest servletRequest) {

super(servletRequest);

}

public String[] getParameterValues(String parameter) {

String[] values = super.getParameterValues(parameter);

if (values == null) {

return null;

}

int count = values.length;

String[] encodedValues = new String[count];

for (int i = 0; i < count; i++) {

encodedValues[i] = cleanXSS(values[i]);

}

return encodedValues;

}

public String getParameter(String parameter) {

String value = super.getParameter(parameter);

if (value == null) {

return null;

}

return cleanXSS(value);

}

public String getHeader(String name) {

String value = super.getHeader(name);

if (value == null)

return null;

return cleanXSS(value);

}

private String cleanXSS(String value) {

//You'll need to remove the spaces from the html entities below

value = value.replaceAll("", "& gt;");

value = value.replaceAll("\\(", "& #40;").replaceAll("\\)", "& #41;");

value = value.replaceAll("'", "& #39;");

value = value.replaceAll("eval\\((.*)\\)", "");

value = value.replaceAll("[\\\"\\\'][\\s]*javascript:(.*)[\\\"\\\']", "\"\"");

value = value.replaceAll("script", "");

return value;

}

}

2、web.xml增加过滤器配置

XssFilter

com.powersi.hygeia.web.filter.XssFilter

XssFilter

/*

Logo
DAMO开发者矩阵

DAMO开发者矩阵,由阿里巴巴达摩院和中国互联网协会联合发起,致力于探讨最前沿的技术趋势与应用成果,搭建高质量的交流与分享平台,推动技术创新与产业应用链接,围绕“人工智能与新型计算”构建开放共享的开发者生态。

更多推荐

cover

递归-深度 VLA:基于潜迭代推理VLA模型的隐测试-时计算规模化

avatar DAMO开发者矩阵
cover

基于YOLO26深度学习框架的智能医疗影像病灶检测系统的算法研究实现方法

avatar DAMO开发者矩阵
cover

RL-VLA3:通过完全异步加速强化学习 VLA

avatar DAMO开发者矩阵