  • Applying xssProtect in a Java web project


    Note: reposted from http://337027773.blog.163.com/blog/static/54376980201451133534157/

    1. Add xssProtect-0.1.jar, antlr-3.0.1.jar and antlr-runtime-3.0.1.jar to the project
    2. Wrap the request
    
    
    import java.io.StringReader;
    import java.io.StringWriter;
    
    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpServletRequestWrapper;
    
    // xssProtect classes; package names assumed from the xssProtect-0.1 jar, verify against your copy
    import org.xssprotect.filter.XSSFilter;
    import org.xssprotect.parser.HTMLParser;
    
    public class XssHttpServletRequestWrapper extends HttpServletRequestWrapper
    {
        // The unwrapped request, kept so callers can still reach the raw values.
        HttpServletRequest orgRequest = null;
    
        public XssHttpServletRequestWrapper(HttpServletRequest request)
        {
            super(request);
            orgRequest = request;
        }
    
        /**
         * Overrides getParameter so that both the parameter name and its value are XSS-filtered.
         * To obtain the raw value, call super.getParameterValues(name).
         * getParameterNames, getParameterValues and getParameterMap may also need to be overridden,
         * otherwise code reading parameters through them still receives unfiltered input.
         */
        @Override
        public String getParameter(String name)
        {
            String value = super.getParameter(xssEncode(name));
            if (value != null)
            {
                value = xssEncode(value);
            }
            return value;
        }
    
        /**
         * Overrides getHeader so that both the header name and its value are XSS-filtered.
         * To obtain the raw value, call super.getHeaders(name).
         * getHeaderNames may also need to be overridden.
         */
        @Override
        public String getHeader(String name)
        {
            String value = super.getHeader(xssEncode(name));
            if (value != null)
            {
                value = xssEncode(value);
            }
            return value;
        }
    
        /**
         * Runs the string through xssProtect's HTMLParser with an XSSFilter so that
         * markup able to trigger XSS is neutralised before the value reaches application code.
         *
         * @param s the raw parameter or header string
         * @return the filtered string, the input itself when the parser hits a NullPointerException,
         *         or null when any other parsing error occurs (the value is dropped, i.e. fail closed)
         */
        private static String xssEncode(String s)
        {
            if (s == null || s.isEmpty())
            {
                return s;
            }
            
            StringReader reader = new StringReader( s );
            StringWriter writer = new StringWriter();
            try {
                HTMLParser.process( reader, writer, new XSSFilter(), true );
                return writer.toString();
            } 
            catch (NullPointerException e) {
                return s;
            }
            catch(Exception ex)
            {
                ex.printStackTrace();
            }
            
            return null;
        }
    
        /**
         * Returns the original, unwrapped request.
         *
         * @return the request passed to the constructor
         */
        public HttpServletRequest getOrgRequest()
        {
            return orgRequest;
        }
    
        /**
         * Static helper that returns the original request when the argument is one of these wrappers,
         * and the argument itself otherwise.
         *
         * @return the unwrapped request
         */
        public static HttpServletRequest getOrgRequest(HttpServletRequest req)
        {
            if (req instanceof XssHttpServletRequestWrapper)
            {
                return ((XssHttpServletRequestWrapper) req).getOrgRequest();
            }
    
            return req;
        }
    }
    

    3. Create the filter (inside the filter's doFilter(request, response, chain) method)

    // Replace the request seen by downstream servlets and JSPs with the filtering wrapper
    XssHttpServletRequestWrapper xssRequest = new XssHttpServletRequestWrapper((HttpServletRequest) request);
    chain.doFilter(xssRequest, response);

    4. Configure the filter in web.xml

    https://xssprotect.googlecode.com/svn/trunk/
  • Original post: https://www.cnblogs.com/liaojie970/p/5010347.html