java过滤特殊字符操作(xss攻击解决⽅案)
XSS ,全名:cross-site scripting(跨站点脚本),是当前 web 应⽤中最危险和最普遍的漏洞之⼀。攻击者尝试注⼊恶意脚本代码(常js脚本)到受信任的⽹站上执⾏恶意操作,⽤户使⽤浏览器浏览含有恶意脚本页⾯时,会执⾏该段恶意脚本,进⽽影响⽤户(⽐如关不完的⽹站、盗取⽤户的 cookie 信息从⽽伪装成⽤户去操作)等等。
它与 SQL 注⼊很类似,同样是通过注⼊恶意指令来进⾏攻击。但 SQL 注⼊是在服务器端上执⾏的,⽽ XSS 攻击是在客户端上执⾏的,这点是他们本质区别。
其实,个⼈感觉对于xss攻击不必区分究竟是反射型XSS、存储型XSS还是DOM Based XSS,只需要知道如何去防护。⽽防护的最有效的措施就是过滤,对前端页⾯提交到后台的内容进⾏过滤。具体如下:
1.解决⽅法⼀
拦截所有的请求参数,对请求参数中包含特殊字符'<‘或'>'进⾏过滤。
package com.haier.openplatform.srm.base.filter;
import java.io.IOException;
import java.util.Iterator;
import java.util.Map;
import java.util.Set;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import javax.servlet.http.HttpServletResponse;
import org.springframework.web.filter.OncePerRequestFilter;
public class StringFilter extends OncePerRequestFilter{
@Override
protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain chain)
throws ServletException, IOException {
chain.doFilter(new StringFilterRequest((HttpServletRequest)request), response);
}
}
class StringFilterRequest extends HttpServletRequestWrapper {
public StringFilterRequest(HttpServletRequest request) {
super(request);
}
@Override
public String getParameter(String name) {
// 返回值之前先进⾏过滤
return Parameter(name));
}
@Override
public String[] getParameterValues(String name) {
// 返回值之前先进⾏过滤
String[] values = ParameterValues(name);
if(values==null){
return null;
}
for (int i = 0; i < values.length; i++) {
values[i] = filterDangerString(values[i]);
}
return values;
}
@Override
public Map getParameterMap() {
Map keys = ParameterMap();
Set set = Set();
Iterator iters = set.iterator();
while (iters.hasNext()) {
Object key = ();
Object value = (key);
keys.put(key, filterDangerString((String[]) value));
}
return keys;
}
/*@Override
public Object getAttribute(String name) {
// TODO Auto-generated method stub
Object object = Attribute(name);
if (object instanceof String) {
return filterDangerString((String) Attribute(name));
} else
return object;
}*/
public String filterDangerString(String value) {
if (value == null) {
return null;
}
//        value = placeAll("\\{", "{");
value = placeAll("<", "<");
value = placeAll(">", ">");
//        value = placeAll("\t", "    ");
/
/        value = placeAll("\r\n", "\n");
//        value = placeAll("\n", "<br/>");
//        value = placeAll("'", "'");
//        value = placeAll("\\\\", "\");
//        value = placeAll("\"", """);
//        value = placeAll("\\}", "﹜").trim();
return value;
}
public String[] filterDangerString(String[] value) {
if (value == null) {
return null;
}
for (int i = 0; i < value.length; i++) {
String val = filterDangerString(value[i]);
value[i] = val;
}
return value;
}
}
<中的过滤器配置:
<filter>
<filter-name>StringFilter</filter-name>
<filter-class&base.filter.StringFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>StringFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
2.解决⽅法⼆(转,未验证)
2.1前端过滤
2.1.1 javascript 原⽣⽅法
//转义元素的innerHTML内容即为转义后的字符
function htmlEncode ( str ) {
var ele = ateElement('span');
ele.appendChild( ateTextNode( str ) );
return ele.innerHTML;
}
//解析
function htmlDecode ( str ) {
var ele = ateElement('span');
ele.innerHTML = str;
Content;
}
2.1.2 JQuery ⽅法
function htmlEncodeJQ ( str ) {
return $('<span/>').text( str ).html();
}
function htmlDecodeJQ ( str ) {
return $('<span/>').html( str ).text();
}
2.1.3 调⽤⽅法
var msg1= htmlEncodeJQ('<script>alert('test');</script>');
var msg1= htmlEncode('<script>alert('test');</script>');
//结果变成:<script>alert('test');</script>
2.2 后端过滤
2.2.1 java ⼀些框架⾃动⼯具类,
⽐如:org.springframework.web.util.HtmlUtils
public static void main(String[] args) {
String content = "<script>alert('test');</script>";
System.out.println("content="+content);
content = HtmlUtils.htmlEscape(content);
System.out.println("content="+content);
content = HtmlUtils.htmlUnescape(content);
System.out.println("content="+content);
}
但这样有个问题,就是它全部的html标签都不解析了。
可能这不是你想要的,你想要的是⼀部分解析,⼀部分不解析。好看下⾯。
2.2.2 ⾃⼰⽤正则来完成你的需求
package top.lrshuai.blog.util;
import Matcher;
import Pattern;
/**
*
* @author lrshuai
* @since 2017-10-13
* @version 0.0.1
*/
public class HTMLUtils {
/**
* 过滤所有HTML 标签
* @param htmlStr
* @return
*/
public static String filterHTMLTag(String htmlStr) {
//定义HTML标签的正则表达式
String reg_html="<[^>]+>";
Pattern pattern=Patternpile(reg_html,Pattern.CASE_INSENSITIVE);
Matcher matcher=pattern.matcher(htmlStr);
placeAll(""); //过滤html标签
return htmlStr;
}
/**
* 过滤标签,通过标签名
* @param htmlStr
* @param tagName
* @return
*/
public static String filterTagByName(String htmlStr,String tagName) {
String reg_html="<"+tagName+"[^>]*?>[\\s\\S]*?<\\/"+tagName+">";
Pattern pattern=Patternpile(reg_html,Pattern.CASE_INSENSITIVE);
Matcher matcher=pattern.matcher(htmlStr);
placeAll(""); //过滤html标签
return htmlStr;
}
/**
* 过滤标签上的 style 样式
* @param htmlStr
* @return
*/
public static String filterHTMLTagInStyle(String htmlStr) {
String reg_html="style=('|\")(.*?)('|\")";
Pattern pattern=Patternpile(reg_html,Pattern.CASE_INSENSITIVE);
Matcher matcher=pattern.matcher(htmlStr);
placeAll(""); //过滤html标签
return htmlStr;
/**
* 替换表情
* @param htmlStr
* @param tagName
* @return
*/
public static String replayFace(String htmlStr) {
String reg_html="\\[em_\\d{1,}\\]";
Pattern pattern =Patternpile(reg_html,Pattern.CASE_INSENSITIVE);
Matcher matcher=pattern.matcher(htmlStr);
if(matcher.find()) {
while(matcher.find()) {
String num = up(0);
String number=num.substring(num.lastIndexOf('_')+1, num.length()-1);
htmlStr = place(num, "<img src='/face/arclist/"+number+".gif' border='0' />");
}
}
return htmlStr;
}
public static void main(String[] args) {
String html = "<script>alert('test');</script><img src='/face/arclist/5.gif' border='0' /><div style='position:fixs;s'></div><style>body{color:#fff;}</style><Style>body{color:#fff;}</Style><STYLE>body{color:#fff;}</STYLE>";        System.out.println("html="+html);
html = HTMLUtils.filterTagByName(html, "style");
System.out.println("html="+html);
html = HTMLUtils.filterTagByName(html, "script");
System.out.println("html="+html);
html = HTMLUtils.filterHTMLTagInStyle(html);
System.out.println("html="+html);
}
}
java 过滤特殊字符串升级版
ASCII码中除了32之外还有160这个特殊的空格 db中的空格不间断空格->页⾯上的 所产⽣的空格;
/**
* 过滤特殊字符
* @param str
replaceall()* @return
*
* \u00A0 特殊的空格
*/
public static String stringFilter (String str){
String regEx="[\\u00A0\\s\"`~!@#$%^&*()+=|{}':;',\\[\\].<>/?~!@#¥%……&*()——+|{}【】‘;:”“'。,、?]";
Pattern p = Patternpile(regEx);
Matcher m = p.matcher(str);
placeAll("").trim();
}
以上为个⼈经验,希望能给⼤家⼀个参考,也希望⼤家多多⽀持。