绝对好⽤的安全Filter(过滤SQL和XSS)
最近被安保测评搞得头疼,本来⽹站上有XSS处理,代码也是参考⽹络,结果发现不好使。此处呵呵了。。。。 ⼀般情况下百度出来的结果都是不好⽤的例⼦,虽然代码还挺全⾯,就是拦不住你说⽓⼈不⽓⼈。
下⾯发⼀个经过我实际应⽤好使的XSS过滤器,帮⼤家节省时间
/**
* 安全的Filter(过滤SQL和XSS)
*
*
* <!-- 解决xss & sql漏洞 -->
<filter>
<filter-name>SafeFilter</filter-name>
<filter-class>cn.he.xss.HttpServletRequestSafeFilter</filter-class>
<init-param>
<param-name>filterXSS</param-name>
<param-value>true</param-value>
</init-param>
<init-param>
<param-name>filterSQL</param-name>
<param-value>true</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>SafeFilter</filter-name>
<url-pattern>/*</url-pattern>
<dispatcher>REQUEST</dispatcher>
</filter-mapping>
*
*/
public class HttpServletRequestSafeFilter implements Filter{
public static final String FILTER_XSS = "filterXSS";
public static final String FILTER_SQL = "filterSQL";
FilterConfig filterConfig = null;
@Override
public void init(FilterConfig filterConfig) throws ServletException {
this.filterConfig = filterConfig;
}
@Override
public void destroy() {
this.filterConfig = null;
}
@Override
public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {        boolean filterXSS = false;
boolean filterSQL = false;
if (StringUtils.InitParameter(FILTER_XSS))) {
filterXSS = Boolean.InitParameter(FILTER_XSS));
}
if (StringUtils.InitParameter(FILTER_SQL))) {
filterSQL = Boolean.InitParameter(FILTER_SQL));
}
chain.doFilter(new HttpServletRequestSafeWrapper((HttpServletRequest) request, filterXSS, filterSQL), response);
}
}
/**
* 安全的HttpServlet(过滤SQL和XSS)
*
*/
*/
public class HttpServletRequestSafeWrapper extends HttpServletRequestWrapper{
private boolean filterXSS = true;
private boolean filterSQL = true;
private HttpServletRequest orgRequest = null;
public HttpServletRequestSafeWrapper(HttpServletRequest request) {
super(request);
}
public HttpServletRequestSafeWrapper(HttpServletRequest request, boolean filterXSS, boolean filterSQL) {        super(request);
orgRequest = request;
this.filterXSS = filterXSS;
this.filterSQL = filterSQL;
}
@Override
public Enumeration<String> getParameterNames() {
Set<String> parameterNameSafeList = wHashSet();
Enumeration parameterNames = ParameterNames();
while (parameterNames.hasMoreElements()) {
parameterNameSafeList.add(filterText(String.Element()), true));
}
umeration(parameterNameSafeList);
}
@Override
public Map<String, String[]> getParameterMap() {
Map<String, String[]> parameterSafeMap = wHashMap();
Set parameterNameSet = ParameterMap().keySet();
for (Object key : parameterNameSet) {
parameterSafeMap.put(String.valueOf(key), getParameterValues(String.valueOf(key)));
}
return parameterSafeMap;
}
@Override
public String[] getParameterValues(String name) {
String[] values = ParameterValues(filterText(name, true));
if (values == null || values.length == 0) {
return null;
}
int count = values.length;
String[] safeValues = new String[count];
for (int i = 0; i < count; i++) {
// 判断是否为JSON格式数据
if (isJsonFormat(values[i])) {
safeValues[i] = filterText(values[i], false);
} else {
safeValues[i] = filterText(values[i], true);
}
}
return safeValues;
}
/**
* 覆盖getParameter⽅法,将参数名和参数值都做xss & sql过滤。<br/>
* 如果需要获得原始的值,则通过ParameterValues(name)来获取<br/>
* getParameterNames,getParameterValues和getParameterMap也可能需要覆盖
*/
@Override
@Override
public String getParameter(String name) {
String value = Parameter(filterText(name, true));
String safeValue = null;
if (StringUtils.isNotEmpty(value)) {
// 判断是否为JSON格式数据
if (isJsonFormat(value)) {
safeValue = filterText(value, false);
} else {
safeValue = filterText(value, true);
}
}
return safeValue;
}
/**
* 覆盖getHeader⽅法,将参数名和参数值都做xss & sql过滤。<br/>
* 如果需要获得原始的值,则通过Headers(name)来获取<br/>
* getHeaderNames 也可能需要覆盖
*/
@Override
public String getHeader(String name) {
String value = Header(filterText(name, true));
String safeValue = null;
if (StringUtils.isNotEmpty(value)) {
// 判断是否为JSON格式数据
if (isJsonFormat(value)) {
safeValue = filterText(value, false);
} else {
safeValue = filterText(value, true);
}
}
return safeValue;
}
@Override
public Enumeration<String> getHeaders(String name) {
Set<String> headerValSafeList = wHashSet();
Enumeration headerVals = Headers(name);
while (headerVals.hasMoreElements()) {
headerValSafeList.add(filterText(String.Element()), true));
}
umeration(headerValSafeList);
}
@Override
public Enumeration<String> getHeaderNames() {
Set<String> headerNamesSafeList = wHashSet();
Enumeration headerNames = HeaderNames();
while (headerNames.hasMoreElements()) {
headerNamesSafeList.add(filterText(String.Element()), true));        }
umeration(headerNamesSafeList);
}
/**
* 判断是否为JSON格式
*
* @param json
* @return
*/
private boolean isJsonFormat(String json) {
return StringUtils.isNotEmpty(json) && json.startsWith("{") && dsWith("}");
}
/**
/**
* 过滤XSS和SQL
*
* @param text
* @param isHtmlEscape
* @return
*/
private String filterText(final String text, final boolean isHtmlEscape) {
String filterText = StringUtils.isEmpty(text)?im();
if (filterXSS) {
filterText = cleanXSS(filterText);
}
if (filterSQL) {
filterText = stripSqlInjection(filterText);
}
if (isHtmlEscape) {
filterText = HtmlUtils.htmlEscape(filterText);
}
return filterText;
}
/**
* 获取最原始的request
*
* @return
*/
public HttpServletRequest getOrgRequest() {
return orgRequest;
}
/**
* 获取最原始的request的静态⽅法
replaceall()*
* @return
*/
public static HttpServletRequest getOrgRequest(HttpServletRequest req) {
if (req instanceof HttpServletRequestSafeWrapper) {
return ((HttpServletRequestSafeWrapper) req).getOrgRequest();
}
return req;
}
private static final List<Pattern> XSS_PATTERN_LIST = wArrayList(Patternpile("<(no)?script[^>]*>.*?</(no)?script>", Pattern.CASE_INSENSITIVE)            Patternpile("eval\\((.*?)\\)", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL),
Patternpile("expression\\((.*?)\\)", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL),
Patternpile("(javascript:|vbscript:|view-source:)*", Pattern.CASE_INSENSITIVE),
Patternpile("<(\"[^\"]*\"|\'[^\']*\'|[^\'\">])*>", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL),
Patternpile("(window\\.location|window\\.|\\.location|document\\.cookie|document\\.|alert\\(.*?\\)|window\\.open\\()*", Pattern.CASE_INSENSITIVE | Pat            Patternpile("<+\\s*\\w*\\s*(oncontrolselect|oncopy|oncut|ondataavailable|ondatasetchanged|ondatasetcomplete|ondblclick|ondeactivate|ondrag|ondra
/**
* @param value 待处理内容
* @return
* @Description 过滤XSS脚本内容
*/
private static String cleanXSS(String value) {
if (StringUtils.isNotBlank(value)) {
Matcher matcher;
for (Pattern pattern : XSS_PATTERN_LIST) {
matcher = pattern.matcher(value);
if (matcher.find()) {
value = placeAll("");//将带有尖括号的脚本设置为空。在我的框架⾥如果是转码,还是会报没有相应的属性(尤其是基于hibernate)的情况,所

版权声明:本站内容均来自互联网,仅供演示用,请勿用于商业和其他非法用途。如果侵犯了您的权益请与我们联系QQ:729038198,我们将在24小时内删除。