使用AntiSamy防止XSS攻击


摘要: 通过 Servlet 过滤器调用 OWASP AntiSamy,按策略白名单净化请求参数和请求头,降低攻击者用脚本注入(存储型/反射型 XSS)攻击网站的风险,也有助于通过上线前的安全检查。注意:输入净化只是纵深防御的一层,输出时按上下文做 HTML 编码仍然是防御 XSS 的主要手段,不应把这个过滤器当作"绕过"安全检查的办法。

参考文档:

http://www.2cto.com/Article/201410/342040.html

在 web.xml 中加上该过滤器的配置(filter 和 filter-mapping)。excludedPages 中列出的路径会完全跳过净化,请只放静态资源和确实需要接收 HTML 的接口,并确保这些接口自己做好输出编码。

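 <!-- XssFilter: sanitises request parameters and headers with AntiSamy.
      Paths matching excludedPages are passed through UNSANITISED, so keep the
      list short and make sure those endpoints encode their own output.
      Only patterns may appear inside param-value: the filter strips whitespace
      and splits on ",", so any prose written there becomes a bogus pattern. -->
 <filter>
 	<filter-name>XssFilter</filter-name>
 	<filter-class>com.cy.frame.filter.XssFilter</filter-class>
 	<async-supported>true</async-supported>
 	<init-param>
 		<param-name>excludedPages</param-name>
 		<!-- static resources, plus the endpoint(s) that legitimately submit HTML;
 		     replace /rest/*/saveOrUpdateRest with your own interface path -->
 		<param-value>
 			*.js,*.gif,*.jpg,*.png,*.css,*.ico,
 			/rest/*/saveOrUpdateRest
 		</param-value>
 	</init-param>
 </filter>
 <filter-mapping>
 	<filter-name>XssFilter</filter-name>
 	<url-pattern>/*</url-pattern>
 </filter-mapping>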

XssFilter

package com.cy.frame.filter;

import java.io.IOException;
import java.io.InputStream;
import java.util.ArrayList;
import java.util.Collections;
import java.util.Iterator;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.logging.Level;
import java.util.logging.Logger;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;

import org.owasp.validator.html.AntiSamy;
import org.owasp.validator.html.CleanResults;
import org.owasp.validator.html.Policy;
import org.owasp.validator.html.PolicyException;
import org.owasp.validator.html.ScanException;

 
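/**
 * Servlet filter that sanitises request parameters and header values with
 * OWASP AntiSamy before the application reads them ("XSS interception").
 *
 * <p>Requests whose path matches one of the comma-separated
 * {@code excludedPages} patterns (init-param; whitespace ignored; Spring
 * {@code PatternMatchUtils.simpleMatch} glob syntax such as {@code *.js} or a
 * pattern with a {@code *} in the middle) pass through untouched. Every other
 * HTTP request is wrapped in {@link XssRequestWrapper}.
 *
 * <p>Security caveats for whoever deploys this:
 * <ul>
 *   <li>Input sanitisation is defence in depth. Contextual output encoding at
 *       render time remains the primary XSS control, and an excluded endpoint
 *       receives raw markup and must protect itself.</li>
 *   <li>Only {@code getParameter}, {@code getParameterValues},
 *       {@code getParameterMap} and {@code getHeader} are intercepted. Bodies
 *       read as a stream (e.g. JSON), {@code getHeaders(name)}, cookies,
 *       {@code getQueryString} and path info are not sanitised.</li>
 *   <li>AntiSamy returns HTML, not plain text: a value may come back with
 *       entities in it, and code that HTML-encodes it again on output will
 *       double-encode. Verify this against the application's rendering path.</li>
 *   <li>The filter is only as strict as the policy it loads
 *       ({@code antisamy-anythinggoes.xml}); judging by its name this is the
 *       most permissive sample policy, so review what it permits.</li>
 * </ul>
 *
 * <p>Failure handling is fail-closed: a missing or invalid policy aborts
 * {@link #init} (and so deployment) instead of letting input through
 * unsanitised, and a value AntiSamy cannot scan is HTML-escaped rather than
 * returned raw.
 *
 * <p>Note: {@code PatternMatchUtils} is used without an import in this
 * listing; it is Spring's {@code org.springframework.util.PatternMatchUtils}.
 *
 * @author wanghui
 * @since 1.0
 */
public class XssFilter implements Filter {

	private static final Logger LOG = Logger.getLogger(XssFilter.class.getName());

	/** Raw {@code excludedPages} init-param, kept for diagnostics. */
	private String excludedPages;

	/** Parsed exclusion patterns; empty (never null) until {@link #init} runs. */
	private String[] excludedPageArray = new String[0];

	private FilterConfig filterConfig;

	@Override
	public void destroy() {
		this.filterConfig = null;
	}

	/**
	 * Passes excluded (or non-HTTP) requests through unchanged and wraps every
	 * other request so that parameter and header reads are sanitised.
	 */
	@Override
	public void doFilter(ServletRequest request, ServletResponse response,
			FilterChain chain) throws IOException, ServletException {
		if (!(request instanceof HttpServletRequest)) {
			// Nothing to sanitise on a non-HTTP request.
			chain.doFilter(request, response);
			return;
		}
		HttpServletRequest httpRequest = (HttpServletRequest) request;
		if (isMatchUrl(excludedPageArray, httpRequest)) {
			// Explicitly excluded: the endpoint sees the raw input.
			chain.doFilter(request, response);
		} else {
			chain.doFilter(new XssRequestWrapper(httpRequest), response);
		}
	}

	/**
	 * Reads the {@code excludedPages} init-param and eagerly loads the AntiSamy
	 * policy, so that a misconfiguration fails deployment rather than the first
	 * request.
	 *
	 * @throws ServletException if the policy resource is missing or invalid
	 */
	@Override
	public void init(FilterConfig filterConfig) throws ServletException {
		this.filterConfig = filterConfig;
		excludedPages = filterConfig.getInitParameter("excludedPages");
		excludedPageArray = parseExcludedPages(excludedPages);
		try {
			XssRequestWrapper.policy();
		} catch (IllegalStateException e) {
			throw new ServletException("XssFilter: cannot load AntiSamy policy", e);
		}
	}

	/**
	 * Splits the comma-separated init-param into patterns. All whitespace is
	 * removed first (so the list may span lines) and empty entries, e.g. from a
	 * trailing comma, are dropped.
	 *
	 * @param raw the init-param value; may be null
	 * @return the patterns, never null
	 */
	static String[] parseExcludedPages(String raw) {
		if (raw == null) {
			return new String[0];
		}
		List<String> patterns = new ArrayList<String>();
		for (String pattern : raw.replaceAll("\\s", "").split(",")) {
			if (!pattern.isEmpty()) {
				patterns.add(pattern);
			}
		}
		return patterns.toArray(new String[patterns.size()]);
	}

	/**
	 * Tests whether the request path matches any exclusion pattern.
	 *
	 * <p>The path is taken from {@code getServletPath() + getPathInfo()}, which
	 * the container has already decoded and stripped of path parameters, rather
	 * than from the raw {@code getRequestURI()}. Matching the raw URI lets a
	 * request such as {@code /save.do;.js} satisfy a {@code *.js} exclusion while
	 * the container still dispatches it to {@code /save.do}, bypassing the
	 * filter. Runs of slashes are collapsed so {@code //rest/x} and
	 * {@code /rest/x} match the same patterns.
	 *
	 * @param patterns exclusion patterns in {@code PatternMatchUtils.simpleMatch}
	 *                 syntax; null or empty means nothing is excluded
	 * @param request  the current request
	 * @return true if the request must be passed through unsanitised
	 */
	public static boolean isMatchUrl(String[] patterns, HttpServletRequest request) {
		if (patterns == null || patterns.length == 0) {
			return false;
		}
		String path = request.getServletPath();
		if (path == null) {
			path = "";
		}
		String pathInfo = request.getPathInfo();
		if (pathInfo != null) {
			path = path + pathInfo;
		}
		path = path.replaceAll("/{2,}", "/");
		return PatternMatchUtils.simpleMatch(patterns, path);
	}

	/**
	 * Request decorator that runs parameter and header values through AntiSamy
	 * on every read. The wrapped request is never modified; cleaned copies are
	 * returned instead.
	 */
	static class XssRequestWrapper extends HttpServletRequestWrapper {

		/** Classpath resource the AntiSamy policy is read from. */
		static final String POLICY_RESOURCE = "antisamy-anythinggoes.xml";

		/** Shared across requests; access only via {@link #policy()}. */
		private static Policy policy;

		/**
		 * Returns the shared policy, loading it from the classpath on first use.
		 *
		 * @throws IllegalStateException if the resource is missing or invalid;
		 *         the filter never falls back to passing input through
		 */
		static synchronized Policy policy() {
			if (policy == null) {
				policy = loadPolicy();
			}
			return policy;
		}

		private static Policy loadPolicy() {
			InputStream in = XssRequestWrapper.class.getClassLoader()
					.getResourceAsStream(POLICY_RESOURCE);
			if (in == null) {
				throw new IllegalStateException(
						"AntiSamy policy '" + POLICY_RESOURCE + "' not found on the classpath");
			}
			try {
				return Policy.getInstance(in);
			} catch (PolicyException e) {
				throw new IllegalStateException(
						"AntiSamy policy '" + POLICY_RESOURCE + "' is invalid", e);
			} finally {
				try {
					in.close();
				} catch (IOException ignored) {
					// the policy has already been read; nothing useful left to do
				}
			}
		}

		public XssRequestWrapper(HttpServletRequest request) {
			super(request);
		}

		/**
		 * Returns an unmodifiable copy of the parameter map with every value
		 * cleaned. A fresh map is built rather than writing into the arrays
		 * owned by the wrapped request.
		 */
		@Override
		public Map<String, String[]> getParameterMap() {
			Map<String, String[]> raw = super.getParameterMap();
			Map<String, String[]> cleaned = new LinkedHashMap<String, String[]>();
			for (Map.Entry<String, String[]> entry : raw.entrySet()) {
				cleaned.put(entry.getKey(), cleanAll(entry.getValue()));
			}
			return Collections.unmodifiableMap(cleaned);
		}

		@Override
		public String[] getParameterValues(String paramString) {
			return cleanAll(super.getParameterValues(paramString));
		}

		@Override
		public String getParameter(String paramString) {
			return xssClean(super.getParameter(paramString));
		}

		/**
		 * Sanitises a single header value.
		 *
		 * <p>NOTE(review): AntiSamy is an HTML sanitiser; applied to non-HTML
		 * header values (Referer, Authorization, ...) it may rewrite characters
		 * such as {@code &} or {@code <}. Confirm the headers this application
		 * reads survive it, and remember {@code getHeaders(name)} is not
		 * intercepted.
		 */
		@Override
		public String getHeader(String paramString) {
			return xssClean(super.getHeader(paramString));
		}

		/** Cleans every element into a new array; null in, null out. */
		private static String[] cleanAll(String[] values) {
			if (values == null) {
				return null;
			}
			String[] cleaned = new String[values.length];
			for (int i = 0; i < values.length; i++) {
				cleaned[i] = xssClean(values[i]);
			}
			return cleaned;
		}

		/**
		 * Runs one value through AntiSamy and returns the cleaned HTML.
		 *
		 * <p>Fail-closed: if AntiSamy cannot scan the value (for example when
		 * the input exceeds the policy's size limit) it is HTML-escaped instead
		 * of being returned raw, so a scan failure cannot be used to bypass the
		 * filter. A missing policy propagates as {@link IllegalStateException}.
		 *
		 * @param value the raw value; null and empty are returned as-is
		 */
		private static String xssClean(String value) {
			if (value == null || value.isEmpty()) {
				return value;
			}
			try {
				CleanResults result = new AntiSamy().scan(value, policy());
				return result.getCleanHTML();
			} catch (ScanException e) {
				LOG.log(Level.WARNING,
						"AntiSamy could not scan a request value; escaping it instead", e);
				return escapeHtml(value);
			} catch (PolicyException e) {
				LOG.log(Level.WARNING,
						"AntiSamy policy error while scanning a request value; escaping it instead", e);
				return escapeHtml(value);
			}
		}

		/** Minimal HTML escape, used only as the fail-closed fallback. */
		static String escapeHtml(String s) {
			StringBuilder sb = new StringBuilder(s.length() + 16);
			for (int i = 0; i < s.length(); i++) {
				char c = s.charAt(i);
				switch (c) {
					case '&':
						sb.append("&amp;");
						break;
					case '<':
						sb.append("&lt;");
						break;
					case '>':
						sb.append("&gt;");
						break;
					case '"':
						sb.append("&quot;");
						break;
					case '\'':
						sb.append("&#39;");
						break;
					default:
						sb.append(c);
				}
			}
			return sb.toString();
		}

	}

}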

 配置文件(antisamy-anythinggoes.xml 下载地址。该文件是 AntiSamy 自带的示例策略,下面依赖里的 antisamy-sample-configs 包已经包含它,优先从该包或 AntiSamy 官方仓库获取,不要依赖来源无法核实的网盘文件;使用前请审查该策略允许的标签和属性,"anythinggoes" 是示例策略中最宽松的一个)

https://yunpan.cn/cBk3ZhvSC8DJw  访问密码 1cb6

相关依赖 jar(示例使用 1.5.3,发布于 2016 年;此后的 AntiSamy 版本修复了若干净化绕过问题,实际部署请使用当前最新版本)

<dependency>
      <groupId>org.owasp.antisamy</groupId>
      <artifactId>antisamy</artifactId>
      <version>1.5.3</version>
      <scope>compile</scope>
    </dependency>
    <dependency>
      <groupId>org.owasp.antisamy</groupId>
      <artifactId>antisamy-sample-configs</artifactId>
      <version>1.5.3</version>
      <scope>compile</scope>
    </dependency>

 
