Preventing XSS with JSOUP

最新推荐文章于 2025-09-04 18:55:33 发布

转载最新推荐文章于 2025-09-04 18:55:33 发布 · 78 阅读

0 ·

CC 4.0 BY-SA版权

原文链接：https://my.oschina.net/ydsakyclguozi/blog/490169

文章标签：

#javascript #python #php #ViewUI

本文详细介绍了如何使用JSOUP库来检测和清理网页中潜在的XSS攻击代码，通过实例展示了如何验证URL是否含有XSS脚本，并使用`clean()`方法进行清理。

2019独角兽企业重金招聘Python工程师标准>>>

JSOUP is XSS prevention tool. Jsoup can detect xss script in html and url also. Now i am giving example with url. Jsoup can validate the url with the help of "isValidate()" method. "isValidate()" method return type is boolean. If return type is true that means url having xss script so we need to clean the url with the help of "clean()" method. "clean()" method will return clean url as string.

JSOUP can handle all cheat sheet scenarios. url of cheat sheet is: "https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet"
JSOUP has clear api. "http://jsoup.org/apidocs/"

Antisamy also one of the tool to prevent xss script but, its customized one so we need to configure everything. Its not better than JSOUP

Steps to use JSOUP:

1. Download jsoup jar file

2. Write the code like the following

import java.io.UnsupportedEncodingException;

import org.jsoup.Jsoup;
import org.jsoup.safety.Whitelist;

public class JsoupSolution {
	public static void main(String[] args) throws UnsupportedEncodingException {
		/*
		 * Sequrity issue scenario
		 */

		String input = "GET /selfservice/forgotpwd.jsp?ssError=2&returnUrl=https://stg-wealthinteractive.skandiainternational.com/SecurityAndRoles/SignIn/SignIn?authn_try_count=06f080\"style%3d\"behavior%3aurl(%23default%23time2)\"onbegin%3d\"alert('xss')\"f6bc57307de&contextType=external&username=string&contextValue=%2Foam&password=sercure_string&challenge_url=https%3A%2F%2Fstg-wealthinteractive.skandiainternational.com%2FSecurityAndRoles%2FSignIn%2FSignIn&request_id=6990594052748823869&OAM_REQ=&locale=en_GB&resource_url=http%253A%252F%252Fstg-wealthinteractive.skandiainternational.com%252Fauth%252Flevel2.jsp%253FreturnURL%25253Dhttp%2525253A%2525252F%2525252Fstg-wealthinteractive.skandiainternational.com%2525252Fselfservice%2525252Flevel3.jsp%2525253FreturnURL%252525253Dhttp%25252525253A%25252525252F%25252525252Fstg-wealthinteractive.skandiainternational.com%25252525252FSkandia%25252525252Flogout HTTP/1.1";
		String unsafe = "';alert(String.fromCharCode(88,83,83))//';alert(String.fromCharCode(88,83,83))//\";alert(String.fromCharCode(88,83,83))//\";alert(String.fromCharCode(88,83,83))//--></SCRIPT>\">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>";
		String unsafe1 = "<IMG SRC=javascript:alert('XSS')> ";
		// String input =
		// "\"behavior%3aurl(%23default%23time2)\"onbegin%3d\"alert('xss')\"";
		// String input = "<IMG \"\"\"><SCRIPT>alert(\"XSS\")</SCRIPT>\">";
		// String input = "<form BACKGROUND=\"javascript:alert('XSS')\">";
		// String input = "<form bgcolor=\"#000000\"";
		System.out.println("Input : " + input);
		boolean check = Jsoup.isValid(unsafe1, Whitelist.relaxed());
		if (!check) {
			System.out.println("its invalid string");
			String safe = Jsoup.clean(unsafe1, Whitelist.basic());
			System.out.println("Cleaned code: " + safe);
			System.out.println("its cleaned string by jsoup");
			boolean oneMoreCheck = Jsoup.isValid(safe, Whitelist.basic());
			if (oneMoreCheck) {
				System.out.println("its safe code [after clean]");
			} else {
				System.out.println("its Harmfull code");
			}
		} else {
			System.out.println("its valid string");
		}
	}
}

转载于:https://my.oschina.net/ydsakyclguozi/blog/490169