Java处理XSS漏洞的工具类代码
// 需要滤除的脚本事件关键字
String[] eventKeywords = { “onmouseover”, “onmouseout”, “onmousedown”,“onmouseup”, “onmousemove”, “onclick”, “ondblclick”,
“onkeypress”, “onkeydown”, “onkeyup”, “ondragstart”,
“onerrorupdate”, “onhelp”, “onreadystatechange”, “onrowenter”,“onrowexit”, “onselectstart”, “onload”, “onunload”,
“onbeforeunload”, “onblur”, “onerror”, “onfocus”, “onresize”,
“onscroll”, “oncontextmenu”, “alert” };
content = replace(content, “ script”, “ script”, false);
content = replace(content, “ /script”, “ /script”, false);
content = replace(content, “ marquee”, “ marquee”, false);
content = replace(content, “ /marquee”, “ /marquee”, false);
content = replace(content, “…“, “_”, false);// 将单引号替换成下划线
content = replace(content, “\”“, “_”, false);// 将双引号替换成下划线
// 滤除脚本事件代码
for (int i = 0; i eventKeywords.length; i++) {
content = replace(content, eventKeywords[i],
“_” + eventKeywords[i], false); // 添加一个”_”, 使事件代码无效
return content;
* 将字符串source 中的oldStr 替换为newStr, 并以大小写敏感方式进行查 * @param source
* 需要替换的源字符串
* @param oldStr
* 需要被替换的老字符串
* @param newStr
* 替换为的新字符串
private static String replace(String source, String oldStr, String newStr) {
return replace(source, oldStr, newStr, true);
* 将字符串source 中的oldStr 替换为newStr, matchCase 为是否设置大小写敏感查 * @param source
* 需要替换的源字符串
* @param oldStr
* 需要被替换的老字符串
* @param newStr
* 替换为的新字符串
* @param matchCase
* 是否需要按照大小写敏感方式查
private static String replace(String source, String oldStr, String newStr,
boolean matchCase) {
if (source == null) {
return null;
// 首先检查旧字符串是否存在, 不存在就不进行替换
if (LowerCase().LowerCase()) == -1) {
return source;
int findStartPos = 0;
int a = 0;
while (a -1) {
int b = 0;
String str1, str2, str3, str4, strA, strB;
str1 = source;
str2 = LowerCase();
str3 = oldStr;
str4 = LowerCase();
if (matchCase) {
strA = str1;
strB = str3;
} else {
strA = str2;
strB = str4;
a = strA.indexOf(strB, findStartPos);
if (a -1) {
b = oldStr.length();
findStartPos = a + b;
StringBuffer bbuf = new StringBuffer(source); source = place(a, a + b, newStr) + ““;
// 新的查开始点位于替换后的字符串的结尾
findStartPos = findStartPos + newStr.length() - b;
return source;
public static void main(String [] args){
springframework远程代码执行漏洞/
/String str = “./fabu-advSousuo.jsp?userName=xxx script alert(123); /script password=yyy”;
String str= “192.168.63.87:7001/xxx/xxxx/fabu-search.jsp?searchText= script alert(…11‟); /script
System.out.placeHtmlCode(str));
}
}
版权声明:本站内容均来自互联网,仅供演示用,请勿用于商业和其他非法用途。如果侵犯了您的权益请与我们联系QQ:729038198,我们将在24小时内删除。
发表评论