添加xss过滤,别再冲了别再冲了,不想CV

pull/5/head
you 5 years ago
parent 7ac9a1e1d1
commit d69ad09644

@ -1,5 +1,17 @@
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://java.sun.com/xml/ns/javaee" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd" version="3.0">
<servlet>
<servlet-name>default</servlet-name>
<servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
<init-param>
<param-name>debug</param-name>
<param-value>0</param-value>
</init-param>
<init-param>
<param-name>listings</param-name>
<param-value>true</param-value>
</init-param>
</servlet>
<filter>
<filter-name>CharacterEncodingFilter</filter-name>
<filter-class>filter.CharacterEncodingFilter</filter-class>
@ -8,6 +20,14 @@
<filter-name>CharacterEncodingFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<filter>
<filter-name>XSSFilter</filter-name>
<filter-class>filter.XSSFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>XSSFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<filter>
<filter-name>AdminFilter</filter-name>
<filter-class>filter.AdminFilter</filter-class>
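Review bot: The `listings` init-param on `DefaultServlet` in the first hunk is set to `true`, which turns on directory listing for every request path without an index file and exposes file names (backups, uploads, configuration) to any unauthenticated client; unless browsing is deliberately wanted, change it to `<param-value>false</param-value>` (the container default) or drop the `<servlet>` override altogether. This addition is unrelated to the XSS filter the commit title describes, so it is easy to overlook in review. No `<servlet-mapping>` for `default` appears here, so it presumably inherits the container's `/` mapping and applies to every static resource in the app; please confirm that is intended. The `XSSFilter` mapping on `/*` only wraps request parameters, so pages that echo headers, path segments or a request body still depend on output encoding at render time.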

@ -0,0 +1,89 @@
package filter;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
public class XSSFilter implements Filter {
public String filter(String htmlStr){
if(htmlStr == null) {
return null;
}
String regEx_script = "<script[^>]*?>[\\s\\S]*?<\\/script>"; // 定义script的正则表达式
String regEx_style = "<style[^>]*?>[\\s\\S]*?<\\/style>"; // 定义style的正则表达式
String regEx_html = "<[^>]+>"; // 定义HTML标签的正则表达式
Pattern p_script = Pattern.compile(regEx_script,Pattern.CASE_INSENSITIVE);
Matcher m_script = p_script.matcher(htmlStr);
htmlStr=m_script.replaceAll(""); // 过滤script标签
Pattern p_style=Pattern.compile(regEx_style,Pattern.CASE_INSENSITIVE);
Matcher m_style=p_style.matcher(htmlStr);
htmlStr=m_style.replaceAll(""); // 过滤style标签
Pattern p_html=Pattern.compile(regEx_html,Pattern.CASE_INSENSITIVE);
Matcher m_html=p_html.matcher(htmlStr);
htmlStr=m_html.replaceAll(""); // 过滤html标签
return htmlStr.trim(); // 返回文本字符串
}
/**
* 使ServletRequest
* getParameter() getParameterValues()
* Request,getParameter()
* getParameterValues()
*/
class Request extends HttpServletRequestWrapper{// HttpServletRequest //Wrapper是servletRequest的实现类
public Request(HttpServletRequest request) {
super(request);
}
@Override
public String getParameter(String name) {
// 返回过滤后的参数值
return filter(super.getRequest().getParameter(name));
}
@Override
public String[] getParameterValues(String name) {
// 获取所有参数值
String[] values = super.getRequest().getParameterValues(name);
// 通过循环对所有参数进行进行过滤
for(int i=0;i<values.length;i++){
values[i] = filter(values[i]);
}
return values;
}
}
/**
* @see Filter#doFilter(ServletRequest, ServletResponse, FilterChain)
*/
public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
/*if(encoding != null){
request.setCharacterEncoding(encoding);
//将request替换为重写后的request
request = new Request((HttpServletRequest) request);
response.setContentType("text/html; charset = "+encoding);
}*/
request = new Request((HttpServletRequest) request);
chain.doFilter(request, response);
}
/**
* @see Filter#destroy()
*/
public void destroy() {
}
}
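Review bot: `getParameterValues` in the `Request` wrapper reads `values.length` without a null check, so any call for a parameter that is absent from the request throws a NullPointerException instead of returning null like the wrapped request; add `if (values == null) { return null; }` before the loop and consider filtering into a fresh array rather than mutating the one the container handed back. The regex stripping in `filter` is a weak XSS control on its own: `<[^>]+>` only removes tags that have a closing `>`, so an unterminated payload such as `<img src=x onerror=alert(1)` passes through and is completed by the next `>` once echoed into a page, and nothing here covers headers, `getParameterMap()` or the request body. It also destroys legitimate input containing `<`, so keep context-aware output encoding at the rendering layer as the primary defense and treat this filter as defense in depth. The three `Pattern.compile` calls run on every parameter read; hoist them to `private static final` fields. The hunk header declares 89 added lines but fewer appear on this page, so some lines (for example an `init(FilterConfig)` method) may have been elided in rendering.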