xss img onerror java_java后台防止XSS的脚本攻击
import java.util.regex.Pattern;
//具體過濾關鍵字符
public class XSSUtil {
private static Pattern[] patterns = new Pattern[]{
// Script fragments
Pattern.compile("", Pattern.CASE_INSENSITIVE),
// src='...'
Pattern.compile("src[\r\n]*=[\r\n]*\\\'(.*?)\\\'", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL),
Pattern.compile("src[\r\n]*=[\r\n]*\\\"(.*?)\\\"", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL),
// lonely script tags
Pattern.compile("", Pattern.CASE_INSENSITIVE),
Pattern.compile("
// eval(...)
Pattern.compile("eval\\((.*?)\\)", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL),
// expression(...)
Pattern.compile("expression\\((.*?)\\)", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL),
// javascript:...
Pattern.compile("javascript:", Pattern.CASE_INSENSITIVE),
// vbscript:...
Pattern.compile("vbscript:", Pattern.CASE_INSENSITIVE),
// onload(...)=...
Pattern.compile("onload(.*?)=", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL),
//現場安全測試增加校驗
Pattern.compile("alert(.*?)", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL),
Pattern.compile("<", Pattern.MULTILINE | Pattern.DOTALL),
Pattern.compile(">", Pattern.MULTILINE | Pattern.DOTALL)
};
public static String stripXSS(String value){
if (value != null) {
// TODO ESAPI library
// NOTE: It's highly recommended to use the ESAPI library and uncomment the following line to
// avoid encoded attacks.
// value = ESAPI.encoder().canonicalize(value);
// Avoid null characters
value = value.replaceAll("\0", "");
// Remove all sections that match a pattern
for (Pattern scriptPattern : patterns){
value = scriptPattern.matcher(value).replaceAll("");
}
}
return value;
}
public static void main(String[] args) {
System.out.println("11"+ XSSUtil.stripXSS(""));
// System.out.println(XSSUtil.stripXSS(""));
}
}
import com.ideatech.common.util.XSSUtil;
import lombok.extern.slf4j.Slf4j;
import org.springframework.stereotype.Component;
import org.springframework.web.bind.WebDataBinder;
import org.springframework.web.bind.annotation.ControllerAdvice;
import org.springframework.web.bind.annotation.InitBinder;
import java.beans.PropertyEditorSupport;
//每一個請求進入控制層之前會先進行字符過濾
@ControllerAdvice
@Component
@Slf4j
public class GlobalBindingInitializer {
@InitBinder
protected void initBinder(WebDataBinder binder) {
// String類型轉換,將所有傳遞進來的String進行HTML編碼,防止XSS攻擊
binder.registerCustomEditor(String.class, new PropertyEditorSupport() {
@Override
public void setAsText(String text) {
if(text != null){
String cleanText = XSSUtil.stripXSS(text);
if(!cleanText.equals(text)){
log.info("xss clean, before[{}], after[{}]",text,cleanText);
text = cleanText;
}
}
setValue(text);
}
@Override
public String getAsText() {
Object value = getValue();
return value != null ? value.toString() : "";
}
});
}
}
總結
以上是生活随笔為你收集整理的xss img onerror java_java后台防止XSS的脚本攻击的全部內容,希望文章能夠幫你解決所遇到的問題。
- 上一篇: nginx文件系统大小_详解Nginx系
- 下一篇: 电脑端二维码识别工具_电脑端自签工具更新