

java 过滤器 filter 防 sql 注入的实现代码

2020-06-07 13:24jingxian JAVA教程

下面小编就为大家带来一篇 java 过滤器 filter 防 sql 注入的实现代码。小编觉得挺不错的，现在就分享给大家，也给大家做个参考。一起跟随小编过来看看吧。

实例如下：

XSSFilter.java

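/**
 * Checks the request's query string for script and SQL fragments before passing it on.
 *
 * <p>Requests whose path matches one of the skip entries are forwarded untouched. For every
 * other request the decoded query string is run through {@code RequestWrapper#cleanXSS}
 * (and, for the question/answer pages, {@code cleanSQLInject} first); if the cleaners changed
 * anything, the client is redirected to the same URL with the cleaned query string instead of
 * the request being forwarded.
 *
 * <p>The cleaners are deny-lists, so this filter is a secondary control only: parameterised
 * queries and output encoding in the application remain necessary.
 *
 * @param servletrequest  incoming request, cast to {@code HttpServletRequest}
 * @param servletresponse outgoing response, cast to {@code HttpServletResponse}
 * @param filterchain     remaining filter chain
 * @throws IOException      from {@code URLDecoder}, the redirect, or the chain
 * @throws ServletException from the chain
 */
public void doFilter(ServletRequest servletrequest,
            ServletResponse servletresponse, FilterChain filterchain)
            throws IOException, ServletException {
        // Request paths that skip the query-string check entirely (payment/login callbacks).
        final String[] skipPaths = {
                "alipay_hotel_book_return.html",
                "account_bank_return.html",
                "/alipay/activity.html",
                "/alipayLogin.html"};
        // Request paths whose query string is additionally passed through cleanSQLInject.
        final String[] sqlCheckedPaths = {"/askQuestion.html", "/member/answer.html"};

        // flag = true: validate only the URL query string.
        // flag = false: wrap the request so every parameter and header is validated; this is
        // strict and easily rejects legitimate form input, so use it with care.
        boolean flag = true;
        if (!flag) {
            filterchain.doFilter(new RequestWrapper((HttpServletRequest) servletrequest), servletresponse);
            return;
        }

        HttpServletRequest httpServletRequest = (HttpServletRequest) servletrequest;
        HttpServletResponse httpServletResponse = (HttpServletResponse) servletresponse;

        // Full URL, kept for the redirect below. The previous null checks on this value ran
        // after decode(), which itself throws on null, so they could never fire and are gone.
        String requesturi = URLDecoder.decode(httpServletRequest.getRequestURL().toString(), "UTF-8");
        // Match the skip list against the path only: the full URL also carries the scheme and
        // host, which are taken from the client's Host header, so a substring test on it can be
        // satisfied by something other than the path.
        String rawPath = httpServletRequest.getRequestURI();
        String path = rawPath == null ? "" : URLDecoder.decode(rawPath, "UTF-8");
        for (String skip : skipPaths) {
            if (path.contains(skip)) {
                filterchain.doFilter(servletrequest, servletresponse);
                return;
            }
        }

        String param = httpServletRequest.getQueryString();
        if (param != null && !param.isEmpty()) {
            RequestWrapper rw = new RequestWrapper(httpServletRequest);
            param = URLDecoder.decode(param, "UTF-8");

            String sqlParam = param;
            for (String checked : sqlCheckedPaths) {
                if (path.endsWith(checked)) {
                    sqlParam = rw.cleanSQLInject(param);
                    break;
                }
            }

            String xssParam = rw.cleanXSS(sqlParam);
            if (!xssParam.equals(param)) {
                // The cleaners changed the query string: send the client to the cleaned URL
                // instead of forwarding the request. Only the query part differs from the
                // URL the client asked for.
                String cleanedUrl = requesturi + "?" + xssParam;
                System.out.println("requesturi::::::" + cleanedUrl);
                httpServletResponse.sendRedirect(cleanedUrl);
                System.out.println("no entered.");
                return;
            }
        }
        filterchain.doFilter(servletrequest, servletresponse);
    }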
requestMapping:
 
 
/**
 * No-argument constructor.
 *
 * <p>NOTE(review): if this class extends {@code HttpServletRequestWrapper}, as the
 * {@code getParameter}/{@code getHeader} overrides below suggest, the superclass constructor
 * rejects a {@code null} request with {@code IllegalArgumentException}, so this constructor
 * cannot produce a usable instance — confirm it is needed at all.
 */
public RequestWrapper(){
        super(null);
    }
 
    /**
     * Wraps {@code httpservletrequest} so that parameter and header values read through
     * this wrapper are passed through {@link #cleanSQLInject(String)} and
     * {@link #cleanXSS(String)}.
     *
     * @param httpservletrequest the request to wrap
     */
    public RequestWrapper(HttpServletRequest httpservletrequest) {
        super(httpservletrequest);
    }
 
    /**
     * Returns all values of the parameter {@code s}, each passed through
     * {@link #cleanSQLInject(String)} and then {@link #cleanXSS(String)}.
     *
     * @param s parameter name
     * @return cleaned copies of the underlying values, or {@code null} when the wrapped
     *     request has no such parameter
     */
    public String[] getParameterValues(String s) {
        String[] rawValues = super.getParameterValues(s);
        if (rawValues == null) {
            return null;
        }
        String[] cleaned = new String[rawValues.length];
        int idx = 0;
        for (String value : rawValues) {
            cleaned[idx++] = cleanXSS(cleanSQLInject(value));
        }
        return cleaned;
    }
 
    /**
     * Returns the value of the parameter {@code s} after {@link #cleanSQLInject(String)}
     * and {@link #cleanXSS(String)} have been applied.
     *
     * @param s parameter name
     * @return the cleaned value, or {@code null} when the wrapped request has no such parameter
     */
    public String getParameter(String s) {
        String rawValue = super.getParameter(s);
        return rawValue == null ? null : cleanXSS(cleanSQLInject(rawValue));
    }
 
    /**
     * Returns the header {@code s} after {@link #cleanSQLInject(String)} and
     * {@link #cleanXSS(String)} have been applied.
     *
     * <p>Header values go through the same cleaners as parameters, so any header that
     * contains the characters or words those cleaners rewrite is altered for every caller
     * that reads it through this wrapper.
     *
     * @param s header name
     * @return the cleaned header value, or {@code null} when the header is absent
     */
    public String getHeader(String s) {
        String rawHeader = super.getHeader(s);
        if (rawHeader != null) {
            return cleanXSS(cleanSQLInject(rawHeader));
        }
        return null;
    }
 
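    /**
     * Neutralises markup and script fragments in a request value.
     *
     * <p>Script-like fragments (the eval(...) pattern, the word {@code script}, quoted
     * {@code javascript:} URLs) and a fixed set of characters are removed first; the markup
     * characters that remain are then HTML-entity encoded. The page's version of this method
     * replaced {@code <} with {@code <} and so on, which is a no-op — the entity text was lost
     * when the listing was rendered. The removals run before the encoding so that the eval
     * pattern still sees raw parentheses and the {@code ;} removal cannot strip the terminator
     * from the entities added afterwards.
     *
     * <p>This is a deny-list and not a substitute for output encoding at the rendering layer.
     *
     * @param src raw value, may be {@code null}
     * @return the cleaned value, or {@code null} when {@code src} is {@code null}
     */
    public String cleanXSS(String src) {
        if (src == null) {
            return null;
        }
        String temp = src;

        System.out.println("xss---temp-->" + src);

        // Remove eval(...) calls and the word "script", case-insensitively.
        Pattern pattern = Pattern.compile("(eval\\((.*)\\)|script)", Pattern.CASE_INSENSITIVE);
        Matcher matcher = pattern.matcher(src);
        src = matcher.replaceAll("");

        // Replace a quoted javascript: URL with an empty quoted string.
        pattern = Pattern.compile("[\\\"\\'][\\s]*javascript:(.*)[\\\"\\']", Pattern.CASE_INSENSITIVE);
        matcher = pattern.matcher(src);
        src = matcher.replaceAll("\"\"");

        // Drop the characters and escape spellings this filter treats as unsafe.
        src = src.replaceAll("script", "").replaceAll(";", "")
                .replaceAll("\"", "").replaceAll("@", "")
                .replaceAll("0x0d", "")
                .replaceAll("0x0a", "").replaceAll(",", "");

        // Entity-encode the remaining markup characters so the value is inert if echoed into HTML.
        src = src.replaceAll("<", "&lt;").replaceAll(">", "&gt;");
        src = src.replaceAll("\\(", "&#40;").replaceAll("\\)", "&#41;");
        src = src.replaceAll("'", "&#39;");

        if (!temp.equals(src)) {
            System.out.println("輸入信息存在xss攻擊!");
            System.out.println("原始輸入信息-->" + temp);
            System.out.println("處理后信息-->" + src);
        }
        return src;
    }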
    
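    /**
     * Replaces SQL keywords in a request value with harmless marker tokens.
     *
     * <p>Keywords are matched case-insensitively and only as whole words, which resolves the
     * original TODO ("add wildcard / mixed-case matching"): mixed-case spellings are caught,
     * while ordinary words that merely contain a keyword (for example "password", which
     * contains "or") are left untouched. Whole-word matching also stops the {@code or} rule
     * from rewriting the "forbidX" tokens inserted by the earlier rules.
     *
     * <p>This is a deny-list and not a substitute for parameterised queries
     * ({@code PreparedStatement}); it only reduces the chance of a keyword reaching the SQL layer.
     *
     * @param src raw value, may be {@code null}
     * @return the rewritten value, or {@code null} when {@code src} is {@code null}
     */
    public String cleanSQLInject(String src) {
        if (src == null) {
            return null;
        }
        String temp = src;
        src = src.replaceAll("(?i)\\binsert\\b", "forbidI")
                .replaceAll("(?i)\\bselect\\b", "forbidS")
                .replaceAll("(?i)\\bupdate\\b", "forbidU")
                .replaceAll("(?i)\\bdelete\\b", "forbidD")
                .replaceAll("(?i)\\band\\b", "forbidA")
                .replaceAll("(?i)\\bor\\b", "forbidO");

        if (!temp.equals(src)) {
            System.out.println("輸入信息存在SQL攻擊!");
            System.out.println("原始輸入信息-->" + temp);
            System.out.println("處理后信息-->" + src);
        }
        return src;
    }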

xml配置:

<!-- Registers XSSFilter for every request path. NOTE(review): the doFilter shown above passes
     the literal "UTF-8" to URLDecoder rather than reading this "encoding" init-param; whether
     the filter's init() method uses it is not visible here. -->
<filter>
        <filter-name>XssFilter</filter-name>
        <filter-class>cn.com.jsoft.xss.XSSFilter</filter-class>
        <init-param>
            <param-name>encoding</param-name>
            <param-value>UTF-8</param-value>
        </init-param>
    </filter>
    <filter-mapping>
        <filter-name>XssFilter</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>

以上代码仅仅将特殊的 sql 字符、特殊 script 脚本字符处理掉，具体的页面处理还需要后台处理！

关于这篇 java 过滤器 filter 防 sql 注入的实现代码就是小编分享给大家的全部内容了，希望能给大家一个参考，也希望大家多多支持服务器之家。
