Applying xssProtect in a Java web project

     

Note: reposted from http://337027773.blog.163.com/blog/static/54376980201451133534157/

1. Add xssProtect-0.1.jar, antlr-3.0.1.jar and antlr-runtime-3.0.1.jar to the project.
2. Wrap the request.
    
    
    import java.io.StringReader;
    import java.io.StringWriter;

    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpServletRequestWrapper;

    // HTMLParser and XSSFilter come from xssProtect-0.1.jar; import them from the
    // package that jar declares (the original post omitted all imports).

    public class XssHttpServletRequestWrapper extends HttpServletRequestWrapper
    {
        HttpServletRequest orgRequest = null;

        public XssHttpServletRequestWrapper(HttpServletRequest request)
        {
            super(request);
            orgRequest = request;
        }

        /**
         * Overrides getParameter so that both the parameter name and its value are XSS-filtered.<br/>
         * To obtain the raw value, call super.getParameterValues(name) instead.<br/>
         * getParameterNames, getParameterValues and getParameterMap may also need to be
         * overridden, since they still return the unfiltered values.
         */
        @Override
        public String getParameter(String name)
        {
            String value = super.getParameter(xssEncode(name));
            if (value != null)
            {
                value = xssEncode(value);
            }
            return value;
        }

        /**
         * Overrides getHeader so that both the header name and its value are XSS-filtered.<br/>
         * To obtain the raw value, call super.getHeaders(name) instead.<br/>
         * getHeaderNames may also need to be overridden.
         */
        @Override
        public String getHeader(String name)
        {
            String value = super.getHeader(xssEncode(name));
            if (value != null)
            {
                value = xssEncode(value);
            }
            return value;
        }

        /**
         * Runs the string through xssProtect's HTMLParser with an XSSFilter, which
         * removes or neutralises markup that could lead to XSS.
         *
         * @param s the raw parameter or header value
         * @return the filtered value; s itself when it is null or empty
         */
        private static String xssEncode(String s)
        {
            if (s == null || s.isEmpty())
            {
                return s;
            }

            StringReader reader = new StringReader(s);
            StringWriter writer = new StringWriter();
            try {
                HTMLParser.process(reader, writer, new XSSFilter(), true);
                return writer.toString();
            }
            catch (NullPointerException e) {
                // On a NullPointerException the original value is returned unfiltered (fail-open).
                return s;
            }
            catch (Exception ex)
            {
                ex.printStackTrace();
            }

            // Any other parser failure makes the parameter look absent to the caller.
            return null;
        }

        /**
         * Returns the original, unwrapped request.
         *
         * @return the request passed to the constructor
         */
        public HttpServletRequest getOrgRequest()
        {
            return orgRequest;
        }

        /**
         * Static helper that unwraps a request to the original one.
         *
         * @return the underlying request if req is an XssHttpServletRequestWrapper, otherwise req itself
         */
        public static HttpServletRequest getOrgRequest(HttpServletRequest req)
        {
            if (req instanceof XssHttpServletRequestWrapper)
            {
                return ((XssHttpServletRequestWrapper) req).getOrgRequest();
            }

            return req;
        }
    }


3. Create the filter.

    Inside the filter's doFilter method, wrap the incoming request and pass the wrapper down the chain:

    XssHttpServletRequestWrapper xssRequest = new XssHttpServletRequestWrapper((HttpServletRequest) request);
    chain.doFilter(xssRequest, response);

4. Configure the filter in web.xml.
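A complete filter class covering steps 3 and 4, added here as an example (it is not code from the original post or from xssProtect). It assumes the XssHttpServletRequestWrapper from step 2 is on the classpath; the class name XssRequestFilter and the package in the web.xml fragment are placeholders.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;

// Servlet filter (assumed name: XssRequestFilter) that wraps each HTTP request in the
// XssHttpServletRequestWrapper from step 2, so downstream code calling
// getParameter()/getHeader() sees filtered values.
public class XssRequestFilter implements Filter {

    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
        // Nothing to configure.
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response,
                         FilterChain chain) throws IOException, ServletException {
        // Only HTTP requests can be wrapped; anything else passes through untouched.
        if (request instanceof HttpServletRequest) {
            HttpServletRequest wrapped =
                    new XssHttpServletRequestWrapper((HttpServletRequest) request);
            chain.doFilter(wrapped, response);
        } else {
            chain.doFilter(request, response);
        }
    }

    @Override
    public void destroy() {
        // Nothing to release.
    }
}

// Step 4: register the filter in web.xml (filter-name and package are assumptions):
//
//   <filter>
//     <filter-name>xssRequestFilter</filter-name>
//     <filter-class>com.example.filter.XssRequestFilter</filter-class>
//   </filter>
//   <filter-mapping>
//     <filter-name>xssRequestFilter</filter-name>
//     <url-pattern>/*</url-pattern>
//   </filter-mapping>
```

Because the wrapper overrides only getParameter and getHeader, handlers that read getParameterValues or getParameterMap still receive raw input, as the javadoc in step 2 points out.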

Library source: https://xssprotect.googlecode.com/svn/trunk/
Original address: https://www.cnblogs.com/liaojie970/p/5010347.html