大家好,又见面了,我是你们的朋友全栈君。
1 /*
2 * Copyright (C), 2001-2019, xiaoi机器人3 * Author: han.sun4 * Date: 2019/2/28 11:395 * History:6 * 7 * 作者姓名 修改时间 版本号 描述8 */
9 packagecom.eastrobot.robotdev.filter;10
11 importjavax.servlet.http.HttpServletRequest;12 importjavax.servlet.http.HttpServletRequestWrapper;13 importjava.util.Map;14 importjava.util.regex.Matcher;15 importjava.util.regex.Pattern;16
17 /**
18 * 〈一句话功能简述〉
19 * TODO(解决反射型XSS漏洞攻击)20 *21 *@authorhan.sun22 *@version1.0.023 *@since2019/2/28 11:3924 */
25 public class XssHttpServletRequestWrapper extendsHttpServletRequestWrapper {26
27 /**
28 * 定义script的正则表达式29 */
30 private static final String REG_SCRIPT = “”;31
32 /**
33 * 定义style的正则表达式34 */
35 private static final String REG_STYLE = “”;36
37 /**
38 * 定义HTML标签的正则表达式39 */
40 private static final String REG_HTML = “]+>”;41
42 /**
43 * 定义所有w标签44 */
45 private static final String REG_W = “]*?>[\\s\\S]*?]*?>”;46
47 private static final String REG_JAVASCRIPT = “.*javascript.*”;48
49
50 XssHttpServletRequestWrapper(HttpServletRequest request) {51 super(request);52 }53
54 @SuppressWarnings(“rawtypes”)55 @Override56 public MapgetParameterMap() {57 Map requestMap = super.getParameterMap();58 for(Object o : requestMap.entrySet()) {59 Map.Entry me =(Map.Entry) o;60 String[] values =(String[]) me.getValue();61 for (int i = 0; i < values.length; i++) {62 values[i] =xssClean(values[i]);63 }64 }65 returnrequestMap;66 }67
68 @Override69 publicString[] getParameterValues(String paramString) {70 String[] values = super.getParameterValues(paramString);71 if (values == null) {72 return null;73 }74 int i =values.length;75 String[] result = newString[i];76 for (int j = 0; j < i; j++) {77 result[j] =xssClean(values[j]);78 }79 returnresult;80 }81
82 @Override83 publicString getParameter(String paramString) {84 String str = super.getParameter(paramString);85 if (str == null) {86 return null;87 }88 returnxssClean(str);89 }90
91
92 @Override93 publicString getHeader(String paramString) {94 String str = super.getHeader(paramString);95 if (str == null) {96 return null;97 }98 str = str.replaceAll(“[\r\n]”, “”);99 returnxssClean(str);100 }101
102 /**
103 * [xssClean 过滤特殊、敏感字符]104 *@paramvalue [请求参数]105 *@return[value]106 */
107 privateString xssClean(String value) {108 if (value == null || “”.equals(value)) {109 returnvalue;110 }111 Pattern pw =Pattern.compile(REG_W, Pattern.CASE_INSENSITIVE);112 Matcher mw =pw.matcher(value);113 value = mw.replaceAll(“”);114
115 Pattern script =Pattern.compile(REG_SCRIPT, Pattern.CASE_INSENSITIVE);116 value = script.matcher(value).replaceAll(“”);117
118 Pattern style =Pattern.compile(REG_STYLE, Pattern.CASE_INSENSITIVE);119 value = style.matcher(value).replaceAll(“”);120
121 Pattern htmlTag =Pattern.compile(REG_HTML, Pattern.CASE_INSENSITIVE);122 value = htmlTag.matcher(value).replaceAll(“”);123
124 Pattern javascript =Pattern.compile(REG_JAVASCRIPT, Pattern.CASE_INSENSITIVE);125 value = javascript.matcher(value).replaceAll(“”);126 returnvalue;127 }128
129 }
发布者:全栈程序员-站长,转载请注明出处:https://javaforall.net/131987.html原文链接:https://javaforall.net
