在用java举办web业务开拓的时候,对付页面上吸收到的参数,除了少少数是步可预知的内容外,大量的参数名和参数值都是不会呈现触发Xss裂痕的字符。而凡是为了制止Xss裂痕,都是开拓人员各自在页面输出和数据入库等处所加上各类百般的encode要领来制止Xss问题。而由于开拓人员的程度纷歧,加上在编写代码的进程中安详意识的差别,大概会粗心遗漏对用户输入内容举办encode处理惩罚。针对这种大量参数是不行能呈现引起Xss和SQL注入裂痕的业务场景下,因此可以利用一个合用大大都业务场景的通用处理惩罚要领,牺牲少量用户体验,来制止Xss裂痕和SQL注入。
那就是操作Servlet的过滤器机制,编写定制的XssFilter,将request请求署理,包围getParameter和getHeader要领将参数名和参数值里的指定半角字符,强制替换玉成角字符。使得在业务层的处理惩罚时不消担忧会有异常输入内容。
XssFilter.java
package filter; import java.io.IOException; import javax.servlet.Filter; import javax.servlet.FilterChain; import javax.servlet.FilterConfig; import javax.servlet.ServletException; import javax.servlet.ServletRequest; import javax.servlet.ServletResponse; import javax.servlet.http.HttpServletRequest; public class XssFilter implements Filter { public void init(FilterConfig config) throws ServletException { } public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException { XssHttpServletRequestWrapper xssRequest = new XssHttpServletRequestWrapper( (HttpServletRequest) request); chain.doFilter(xssRequest, response); } public void destroy() { } }
XssHttpServletRequestWrapper.java
package filter; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletRequestWrapper; public class XssHttpServletRequestWrapper extends HttpServletRequestWrapper { HttpServletRequest orgRequest = null; public XssHttpServletRequestWrapper(HttpServletRequest request) { super(request); orgRequest = request; } /** * 包围getParameter要领,将参数名和参数值都做xss过滤。<br/> * 假如需要得到原始的值,则通过super.getParameterValues(name)来获取<br/> * getParameterNames,getParameterValues和getParameterMap也大概需要包围 */ @Override public String getParameter(String name) { String value = super.getParameter(xssEncode(name)); if (value != null) { value = xssEncode(value); } return value; } /** * 包围getHeader要领,将参数名和参数值都做xss过滤。<br/> * 假如需要得到原始的值,则通过super.getHeaders(name)来获取<br/> * getHeaderNames 也大概需要包围 */ @Override public String getHeader(String name) { String value = super.getHeader(xssEncode(name)); if (value != null) { value = xssEncode(value); } return value; } /** * 将容易引起xss裂痕的半角字符直接替换玉成角字符 * * @param s * @return */ private static String xssEncode(String s) { if (s == null || s.isEmpty()) { return s; } StringBuilder sb = new StringBuilder(s.length() + 16); for (int i = 0; i < s.length(); i++) { char c = s.charAt(i); switch (c) { case '>': sb.append('>');//全角大于号 break; case '<': sb.append('<');//全角小于号 break; case '\'': sb.append('‘');//全角单引号 break; case '\"': sb.append('“');//全角双引号 break; case '&': sb.append('&');//全角 break; case '\\': sb.append('\');//全角斜线 break; case '#': sb.append('#');//全角井号 break; default: sb.append(c); break; } } return sb.toString(); } /** * 获取最原始的request * * @return */ public HttpServletRequest getOrgRequest() { return orgRequest; } /** * 获取最原始的request的静态要领 * * @return */ public static HttpServletRequest getOrgRequest(HttpServletRequest req) { if(req instanceof XssHttpServletRequestWrapper){ return ((XssHttpServletRequestWrapper)req).getOrgRequest(); } return req; } }
在web.xml中添加
<filter> <filter-name>xssFilter</filter-name> <filter-class>filter.XssFilter</filter-class> </filter> <filter-mapping> <filter-name>xssFilter</filter-name> <url-pattern>/*</url-pattern> </filter-mapping>