对于程序员来说安全防御,无非从两个方面考虑,要么前端要么后台。
一、首先从前端考虑过滤一些非法字符。
前端的主控js中,在<textarea> 输入框标签中,
在点击发送按钮之后、追加到聊天 panel 之前,对 Input 输入内容进行过滤
1 // 过滤XSS反射型漏洞 2 filterInputTxt: function (html) { 3 html = html.replace(/(.*<[^>]+>.*)/g,""); // HTML标记 4 html = html.replace(/([\r\n])[\s]+/g, ""); // 换行、空格 5 html = html.replace(/<!--.*-->/g, ""); // HTML注释 6 html = html.replace(/[‘"‘’“”!@#$%^&*{}!¥()()×+=]/g, ""); // 非法字符 7 html = html.replace("alert",""); 8 html = html.replace("eval",""); 9 html = html.replace(/(.*javascript.*)/gi,""); 10 if (html === "") { 11 html = "你好"; 12 } 13 return html; 14 }
二、在后台API服务解决反射型XSS漏洞
thinking:一般来说前端可以过滤掉一些基本的非法恶意代码,如果恶意脚本已经被请求到服务端了,那么就需要在请求参数到达接口之前过滤掉其中的非法字符。
handle:1、自定义过滤器实现Filter接口
2、在doFilter方法中对request、response进行设置处理
##处理request请求参数。
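/*
 * Copyright (C), 2001-2019, xiaoi机器人
 * Author: han.sun
 * Date: 2019/2/28 11:39
 * History:
 * <author> <time> <version> <desc>
 * 作者姓名 修改时间 版本号 描述
 */
package com.eastrobot.robotdev.filter;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import java.util.Collections;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/**
 * Request wrapper that strips {@code <script>}, {@code <style>}, {@code <w>} and
 * other HTML tags, plus any text containing "javascript", from request parameters
 * and header values before they reach the application (reflected-XSS mitigation).
 *
 * <p>This is a lossy, blacklist-style sanitizer: values are rewritten, not
 * rejected, and only the methods overridden here are covered. {@code getHeaders},
 * {@code getQueryString}, cookies and the request body ({@code getReader} /
 * {@code getInputStream}, e.g. JSON payloads) pass through untouched. Output
 * encoding at render time is still required; this wrapper only reduces exposure.
 *
 * @author han.sun
 * @version 1.0.0
 * @since 2019/2/28 11:39
 */
public class XssHttpServletRequestWrapper extends HttpServletRequestWrapper {

    /** A complete {@code <script>...</script>} element. */
    private static final String REG_SCRIPT = "<script[^>]*?>[\\s\\S]*?</script>";

    /** A complete {@code <style>...</style>} element. */
    private static final String REG_STYLE = "<style[^>]*?>[\\s\\S]*?</style>";

    /** Any remaining HTML tag. */
    private static final String REG_HTML = "<[^>]+>";

    /** A complete {@code <w...>...</w...>} element. */
    private static final String REG_W = "<w[^>]*?>[\\s\\S]*?</w[^>]*?>";

    /**
     * Any text containing "javascript". Note that this removes the whole
     * surrounding text (up to a line break, since {@code .} does not match
     * newlines), not just the keyword.
     */
    private static final String REG_JAVASCRIPT = ".*javascript.*";

    /**
     * Patterns applied in order by {@link #xssClean(String)}. Compiled once:
     * the original compiled all five patterns on every call.
     */
    private static final Pattern[] CLEANERS = {
        Pattern.compile(REG_W, Pattern.CASE_INSENSITIVE),
        Pattern.compile(REG_SCRIPT, Pattern.CASE_INSENSITIVE),
        Pattern.compile(REG_STYLE, Pattern.CASE_INSENSITIVE),
        Pattern.compile(REG_HTML, Pattern.CASE_INSENSITIVE),
        Pattern.compile(REG_JAVASCRIPT, Pattern.CASE_INSENSITIVE)
    };

    XssHttpServletRequestWrapper(HttpServletRequest request) {
        super(request);
    }

    /**
     * Returns a sanitized copy of the parameter map.
     *
     * <p>The original wrote cleaned values back into the arrays obtained from
     * {@code super.getParameterMap()}, which mutated the container's request
     * state for every other reader and was inconsistent with the defensive copy
     * made by {@link #getParameterValues(String)}. A fresh map is built instead.
     *
     * @return an unmodifiable map with every value cleaned by {@link #xssClean(String)}
     */
    @Override
    public Map<String, String[]> getParameterMap() {
        Map<String, String[]> original = super.getParameterMap();
        Map<String, String[]> cleaned = new LinkedHashMap<>();
        for (Map.Entry<String, String[]> entry : original.entrySet()) {
            cleaned.put(entry.getKey(), cleanAll(entry.getValue()));
        }
        return Collections.unmodifiableMap(cleaned);
    }

    /**
     * @param paramString parameter name
     * @return a cleaned copy of the values, or {@code null} when the parameter is absent
     */
    @Override
    public String[] getParameterValues(String paramString) {
        return cleanAll(super.getParameterValues(paramString));
    }

    /**
     * @param paramString parameter name
     * @return the cleaned value, or {@code null} when the parameter is absent
     */
    @Override
    public String getParameter(String paramString) {
        String str = super.getParameter(paramString);
        return str == null ? null : xssClean(str);
    }

    /**
     * Header values additionally have CR/LF removed before cleaning, so a value
     * echoed back into a response header cannot carry a line break.
     *
     * @param paramString header name
     * @return the cleaned value, or {@code null} when the header is absent
     */
    @Override
    public String getHeader(String paramString) {
        String str = super.getHeader(paramString);
        if (str == null) {
            return null;
        }
        return xssClean(str.replaceAll("[\r\n]", ""));
    }

    /**
     * Cleans every element of {@code values} into a new array.
     *
     * @param values source values, may be {@code null}
     * @return a new array of cleaned values, or {@code null} if {@code values} is {@code null}
     */
    private static String[] cleanAll(String[] values) {
        if (values == null) {
            return null;
        }
        String[] result = new String[values.length];
        for (int j = 0; j < values.length; j++) {
            result[j] = xssClean(values[j]);
        }
        return result;
    }

    /**
     * Removes every match of {@link #CLEANERS}, in order, from {@code value}.
     *
     * @param value request parameter or header value
     * @return the cleaned value; {@code null} and {@code ""} are returned as-is
     */
    private static String xssClean(String value) {
        if (value == null || value.isEmpty()) {
            return value;
        }
        String cleaned = value;
        for (Pattern pattern : CLEANERS) {
            Matcher matcher = pattern.matcher(cleaned);
            cleaned = matcher.replaceAll("");
        }
        return cleaned;
    }

}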
##自定义Filter过滤器。
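/*
 * Copyright (C), 2001-2019, xiaoi机器人
 * Author: han.sun
 * Date: 2019/2/28 11:38
 * History:
 * <author> <time> <version> <desc>
 * 作者姓名 修改时间 版本号 描述
 */
package com.eastrobot.robotdev.filter;

import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;

/**
 * Servlet filter that (1) re-issues the session cookie with the HttpOnly flag so
 * page scripts cannot read it while the browser keeps sending it, (2) sets
 * {@code X-Frame-Options: SAMEORIGIN} against clickjacking, and (3) wraps the
 * request in {@link XssHttpServletRequestWrapper} so parameters and headers are
 * sanitized before they reach the application.
 *
 * <p>Note: {@code req.getSession()} creates a session for every request that
 * passes this filter (mapped to {@code /*}), including static resources. On a
 * Servlet 3.0+ container the same HttpOnly effect without a forced session is
 * {@code <session-config><cookie-config><http-only>true</http-only></cookie-config></session-config>}
 * in web.xml.
 *
 * @author han.sun
 * @version 1.0.0
 * @since 2019/2/28 16:38
 */
public class XssFilter implements Filter {

    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
        // No configuration needed.
    }

    /**
     * Sets the security headers on the response, then continues the chain with
     * the sanitizing request wrapper.
     *
     * @throws IOException      propagated from the chain
     * @throws ServletException propagated from the chain
     */
    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {

        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse resp = (HttpServletResponse) response;

        // Re-issue JSESSIONID with HttpOnly. Path is set explicitly: a Set-Cookie
        // without Path is scoped to the directory of the request URI, so the
        // original version handed out a differently-scoped JSESSIONID per path,
        // leaving clients with duplicate session cookies. The context path (or
        // "/" for the root context) matches the container's default scope.
        String sessionId = req.getSession().getId();
        String contextPath = req.getContextPath();
        StringBuilder cookie = new StringBuilder("JSESSIONID=").append(sessionId)
                .append("; Path=").append(contextPath.isEmpty() ? "/" : contextPath)
                .append("; HttpOnly");
        if (req.isSecure()) {
            // Session id issued over HTTPS must not be sent back over plain HTTP.
            cookie.append("; Secure");
        }
        resp.setHeader("Set-Cookie", cookie.toString());
        resp.setHeader("X-Frame-Options", "SAMEORIGIN");

        chain.doFilter(new XssHttpServletRequestWrapper(req), response);
    }

    @Override
    public void destroy() {
        // Nothing to release.
    }
}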
需要在web.xml文件中添加自定义过滤器映射,让其起作用
<!-- Registers XssFilter on every URL (/*), so the request wrapper and the
     Set-Cookie / X-Frame-Options headers are applied ahead of the servlets. -->
<filter>
    <filter-name>XssEscape</filter-name>
    <filter-class>com.eastrobot.robotdev.filter.XssFilter</filter-class>
</filter>
<filter-mapping>
    <filter-name>XssEscape</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
原文地址:https://www.cnblogs.com/han-sun/p/10463834.html