자바 웹 filter 로 Xss 공격 방지(1)
<!--@ --> <filter> <filter-name>xssFilter</filter-name> <filter-class>com.yoro.core.web.XssFilter</filter-class> <init-param> <param-name>SplitChar</param-name> <param-value>@</param-value> </init-param> <init-param> <param-name>FilterChar</param-name> <param-value>>@<@\'@\"@\\@#@(@)</param-value>// xml , </init-param> <init-param> <param-name>ReplaceChar</param-name> <param-value>>'@<@‘@“@\@#@(@)</param-value> </init-param> </filter> <filter-mapping> <filter-name>xssFilter</filter-name> <url-pattern>/*</url-pattern> </filter-mapping>
package com.yoro.core.web;
/** * @author zoro */
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
public class XssFilter implements Filter {
private String filterChar;
private String replaceChar;
private String splitChar;
FilterConfig filterConfig = null;
public void init(FilterConfig filterConfig) throws ServletException {
this.filterChar=filterConfig.getInitParameter("FilterChar");
this.replaceChar=filterConfig.getInitParameter("ReplaceChar");
this.splitChar=filterConfig.getInitParameter("SplitChar");
this.filterConfig = filterConfig;
}
public void destroy() {
this.filterConfig = null;
}
public void doFilter(ServletRequest request, ServletResponse response,
FilterChain chain) throws IOException, ServletException {
chain.doFilter(new XssHttpServletRequestWrapper((HttpServletRequest) request,filterChar,replaceChar,splitChar), response);
}
}
package com.yoro.core.web;
import java.io.UnsupportedEncodingException;
import java.net.URLDecoder;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
/** * @author zoro */
public class XssHttpServletRequestWrapper extends HttpServletRequestWrapper {
private String[]filterChars;
private String[]replaceChars;
public XssHttpServletRequestWrapper(HttpServletRequest request,String filterChar,String replaceChar,String splitChar) {
super(request);
if(filterChar!=null&&filterChar.length()>0){
filterChars=filterChar.split(splitChar);
}
if(replaceChar!=null&&replaceChar.length()>0){
replaceChars=replaceChar.split(splitChar);
}
}
public String getQueryString() {
String value = super.getQueryString();
if (value != null) {
value = xssEncode(value);
}
return value;
}
/** * getParameter , xss 。<br/> * , super.getParameterValues(name) <br/> * getParameterNames,getParameterValues getParameterMap */
public String getParameter(String name) {
String value = super.getParameter(xssEncode(name));
if (value != null) {
value = xssEncode(value);
}
return value;
}
public String[] getParameterValues(String name) {
String[]parameters=super.getParameterValues(name);
if (parameters==null||parameters.length == 0) {
return null;
}
for (int i = 0; i < parameters.length; i++) {
parameters[i] = xssEncode(parameters[i]);
}
return parameters;
}
/** * getHeader , xss 。<br/> * , super.getHeaders(name) <br/> getHeaderNames */
public String getHeader(String name) {
String value = super.getHeader(xssEncode(name));
if (value != null) {
value = xssEncode(value);
}
return value;
}
/** * xss * * @param s * @return */
private String xssEncode(String s) {
if (s == null || s.equals("")) {
return s;
}
try {
s = URLDecoder.decode(s, "UTF-8");
} catch (UnsupportedEncodingException e) {
e.printStackTrace();
}
for (int i = 0; i < filterChars.length; i++) {
if(s.contains(filterChars[i])){
s=s.replace(filterChars[i], replaceChars[i]);
}
}
return s;
}
}
이 내용에 흥미가 있습니까?
현재 기사가 여러분의 문제를 해결하지 못하는 경우 AI 엔진은 머신러닝 분석(스마트 모델이 방금 만들어져 부정확한 경우가 있을 수 있음)을 통해 가장 유사한 기사를 추천합니다:
Is Eclipse IDE dying?In 2014 the Eclipse IDE is the leading development environment for Java with a market share of approximately 65%. but ac...
텍스트를 자유롭게 공유하거나 복사할 수 있습니다.하지만 이 문서의 URL은 참조 URL로 남겨 두십시오.
CC BY-SA 2.5, CC BY-SA 3.0 및 CC BY-SA 4.0에 따라 라이센스가 부여됩니다.