使用filter解决xss攻击

本文介绍了一种通过重写HttpServletRequestWrapper并结合自定义XSSFilter来防范XSS攻击的方法。通过正则表达式过滤请求参数中的潜在恶意脚本,提供了一个实际使用的示例。

摘要生成于 C知道 ,由 DeepSeek-R1 满血版支持, 前往体验 >

使用filter解决xss攻击的实现思路,其实是通过正则的方式对请求的参数做脚本的过滤,但是这需要对所要过滤的脚本做很多的枚举。下面这个demo是我在工作中用到的,希望对大家有所帮助。

主要实现方法是重写HttpServletRequestWrapper中的getParameter,getParameterMap,以及getParameterValues等方法处理请求的参数值

其中xssEncode()方法我只是对传入的< >进行了圆角<>替换,有简单js防止脚本注入,但是这远远不够,所以在stripXss()方法中枚举了很多存在脚本注入的正则表达式,对文本进行过滤处理。重写这个类之后,你需要定义一个XSSFilter,filter中调用该重写的HttpServletRequestWrapper。具体看代码

public class XSSFilter implements Filter {

    public void destroy() {
        // TODO Auto-generated method stub

    }


    /**
     * 通过url只能访问action
     */
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain) throws IOException,
            ServletException {
            HttpServletRequest request = (HttpServletRequest) req;
            request.setCharacterEncoding("utf-8");
            XssHttpServletRequestWrapper xssRequest = new XssHttpServletRequestWrapper(request);
            chain.doFilter(xssRequest, res);
    }

    public void init(FilterConfig arg0) throws ServletException {
        // TODO Auto-generated method stub

    }

}


public class XssHttpServletRequestWrapper extends HttpServletRequestWrapper {
    HttpServletRequest orgRequest = null;

    public XssHttpServletRequestWrapper(HttpServletRequest request) {
        super(request);
        orgRequest = request;
    }

    /**
     * 覆盖getParameter方法,将参数名和参数值都做xss过滤。<br/>
     * 如果需要获得原始的值,则通过super.getParameterValues(name)来获取<br/>
     * getParameterNames,getParameterValues和getParameterMap也可能需要覆盖
     */
    @Override
    public String getParameter(String name) {
        String value = super.getParameter(xssEncode(name));
        if (value != null) {
            value = xssEncode(value);
        }
        return value;
    }

    @Override
    public Map<String, String[]> getParameterMap() {
        Map<String, String[]> map = super.getParameterMap();
        if (map != null) {
            for (Map.Entry<String, String[]> entry : map.entrySet()) {
                String[] values = entry.getValue();
                List<String> newValues = new LinkedList<String>();
                if (values != null) {
                    for (String s : values) {
                        String afertEncode = xssEncode(s);
                        newValues.add(afertEncode);
                    }
                    entry.setValue(newValues.toArray(new String[newValues.size()]));
                }
            }
        }
        return map;
    }

    @Override
    public String[] getParameterValues(String name) {
        String[] values = super.getParameterValues(name);
        return xssEncode(values);
    }
    
    protected String[] xssEncode(String[] values) {
        if (values != null && values.length > 0) {

            int length = values.length;
            String[] escapseValues = new String[length];
            for (int i = 0; i < length; i++) {
                escapseValues[i] = xssEncode(values[i]);
            }
            return escapseValues;
        }
        return values;
    }
    /**
     * 覆盖getHeader方法,将参数名和参数值都做xss过滤。<br/>
     * 如果需要获得原始的值,则通过super.getHeaders(name)来获取<br/>
     * getHeaderNames 也可能需要覆盖
     */
    @Override
    public String getHeader(String name) {

        String value = super.getHeader(xssEncode(name));
        if (value != null) {
            value = xssEncode(value);
        }
        return value;
    }

    /**
     * 将容易引起xss漏洞的半角字符直接替换成全角字符
     * 
     * @param s
     * @return
     */
    private static String xssEncode(String s) {
        if (s == null || "".equals(s)) {
            return s;
        }
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '>':
                    sb.append('>');// 全角大于号
                    break;
                case '<':
                    sb.append('<');// 全角小于号
                    break;
                default:
                    sb.append(c);
                    break;
            }
        }
        String value = stripXss(sb.toString());
        return value;
    }

    /**
     *过滤script脚本
     * @param value
     * @return
     */
    private static String stripXss(String value){
        if(StringUtils.isNotEmpty(value)){
            Pattern scriptPattern =Pattern.compile("<script>(.*?)</script>",  
                    Pattern.CASE_INSENSITIVE);
            value=scriptPattern.matcher(value).replaceAll("");
            
            scriptPattern = Pattern.compile("</script>",  
                    Pattern.CASE_INSENSITIVE);  
            value = scriptPattern.matcher(value).replaceAll("");  
            
            scriptPattern = Pattern.compile("<script(.*?)>",  
                    Pattern.CASE_INSENSITIVE | Pattern.MULTILINE  
                            | Pattern.DOTALL);  
            value = scriptPattern.matcher(value).replaceAll("");  
            
            scriptPattern = Pattern.compile("javascript:",  
                    Pattern.CASE_INSENSITIVE);
            value = scriptPattern.matcher(value).replaceAll("");  
            
            scriptPattern = Pattern.compile("<iframe>(.*?)</iframe>",  
                    Pattern.CASE_INSENSITIVE);  
            value = scriptPattern.matcher(value).replaceAll("");  

            scriptPattern = Pattern.compile("</iframe>",  
                    Pattern.CASE_INSENSITIVE);  
            value = scriptPattern.matcher(value).replaceAll("");  
            
            scriptPattern = Pattern.compile("<iframe(.*?)>",  
                    Pattern.CASE_INSENSITIVE | Pattern.MULTILINE  
                            | Pattern.DOTALL);  
            value = scriptPattern.matcher(value).replaceAll("");  
            
            scriptPattern = Pattern.compile("onload(.*?)=",  
                    Pattern.CASE_INSENSITIVE | Pattern.MULTILINE  
                            | Pattern.DOTALL);  
            value = scriptPattern.matcher(value).replaceAll("");  
            
            scriptPattern = Pattern.compile("oninput(.*?)=",  
                    Pattern.CASE_INSENSITIVE | Pattern.MULTILINE  
                            | Pattern.DOTALL);  
            value = scriptPattern.matcher(value).replaceAll("");  
            
            scriptPattern = Pattern.compile("onerror(.*?)=",  
                    Pattern.CASE_INSENSITIVE | Pattern.MULTILINE  
                            | Pattern.DOTALL);  
            value = scriptPattern.matcher(value).replaceAll("");  
            
            scriptPattern = Pattern.compile("onclick(.*?)=",  
                    Pattern.CASE_INSENSITIVE | Pattern.MULTILINE  
                            | Pattern.DOTALL);  
            value = scriptPattern.matcher(value).replaceAll("");  
            
            scriptPattern = Pattern.compile("confirm(.*?)",  
                    Pattern.CASE_INSENSITIVE | Pattern.MULTILINE  
                            | Pattern.DOTALL);  
            value = scriptPattern.matcher(value).replaceAll("");  
            
            scriptPattern = Pattern.compile("onfocus(.*?)=",  
                    Pattern.CASE_INSENSITIVE | Pattern.MULTILINE  
                            | Pattern.DOTALL);  
            value = scriptPattern.matcher(value).replaceAll(""); 
            
            scriptPattern = Pattern.compile("alert(.*?)",  
                    Pattern.CASE_INSENSITIVE | Pattern.MULTILINE  
                            | Pattern.DOTALL);  
            value = scriptPattern.matcher(value).replaceAll("");
            
        }
        return value;
    }
    
    
//    public static void main(String[] args) {
//        System.out.println(stripXss("alert(gergerrg)"));
//    }
    /**
     * 获取最原始的request
     * 
     * @return
     */
    public HttpServletRequest getOrgRequest() {
        return orgRequest;
    }

    /**
     * 获取最原始的request的静态方法
     * 
     * @return
     */
    public static HttpServletRequest getOrgRequest(HttpServletRequest req) {
        if (req instanceof XssHttpServletRequestWrapper) {
            return ((XssHttpServletRequestWrapper) req).getOrgRequest();
        }

        return req;
    }

}


### Spring Boot中防止XSS攻击解决方案 在Spring Boot应用程序中,防止跨站脚本攻击XSS)是确保用户输入和输出安全的关键。以下是几种常见且有效的XSS防护方法[^1]: #### 1. 使用Thymeleaf模板引擎进行自动转义 Thymeleaf是一个强大的模板引擎,它默认会对HTML输出进行自动转义。这意味着任何从模型传递到视图的数据都会被自动转换为安全的HTML实体,从而防止恶意脚本的执行[^2]。 ```html <div th:text="${userInput}"></div> ``` #### 2. 配置Web应用防火墙(WAF) 通过配置Web应用防火墙(例如Spring Security中的规则),可以拦截并阻止包含潜在危险字符的请求。这通常需要自定义过滤器来检查所有传入的HTTP参数[^3]。 ```java @Component public class XssFilter implements Filter { @Override public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException { chain.doFilter(new XssHttpServletRequestWrapper((HttpServletRequest) request), response); } } ``` #### 3. 手动对用户输入进行清理 如果某些场景下无法依赖框架提供的自动转义功能,则可以通过第三方库如OWASP ESAPI或Apache Commons Text中的`StringEscapeUtils`手动清理用户输入[^4]。 ```java import org.apache.commons.text.StringEscapeUtils; public String sanitizeInput(String userInput) { return StringEscapeUtils.escapeHtml4(userInput); } ``` #### 4. 设置Content-Security-Policy (CSP) 响应头 通过在HTTP响应中添加适当的CSP头部信息,可以进一步限制浏览器加载外部资源的能力,减少XSS风险[^5]。 ```java @Configuration public class WebConfig implements WebMvcConfigurer { @Bean public FilterRegistrationBean<CspFilter> cspFilter() { FilterRegistrationBean<CspFilter> registrationBean = new FilterRegistrationBean<>(); registrationBean.setFilter(new CspFilter()); registrationBean.addUrlPatterns("/*"); return registrationBean; } public static class CspFilter implements Filter { @Override public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException { HttpServletResponse httpResponse = (HttpServletResponse) response; httpResponse.setHeader("Content-Security-Policy", "default-src 'self'; script-src 'self' 'unsafe-inline';"); chain.doFilter(request, response); } } } ```
评论 3
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值