java防止脚本注入,通过拦截器实现
1:利用 HttpServletRequestWrapper 对请求参数做转义(示例中的 TsRequest)
2:利用过滤器(Filter)对 URL 和参数做黑名单检查(示例中的 XSSCheckFilter)
3:在 web.xml 中注册过滤器并映射到要拦截的 URL
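package com.tsou.comm.servlet;

import java.util.Collections;
import java.util.Enumeration;
import java.util.Map;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;

/**
 * Request wrapper that serves request parameters from a caller-supplied map
 * and HTML-entity-encodes {@code <} and {@code >} in every value it hands out.
 * <p>
 * Fixes relative to the earlier version:
 * <ul>
 *   <li>{@code getParameter} replaced {@code <} with {@code >} on its second
 *       pass instead of encoding {@code >}; both characters are now encoded
 *       by one shared helper.</li>
 *   <li>The page rendering had collapsed the replacement strings to a no-op
 *       ({@code "<"} to {@code "<"}); the entities are restored as
 *       {@code &lt;} / {@code &gt;}.</li>
 *   <li>{@code getParameterValues} encoded the backing array in place, so each
 *       call re-encoded already-encoded text and mutated the map the caller
 *       passed in; a fresh array is returned instead.</li>
 * </ul>
 * NOTE(review): encoding only {@code <} and {@code >} is not a complete XSS
 * defence. Values placed into attributes, event handlers or JavaScript
 * contexts also need {@code "}, {@code '} and {@code &} handled, and the
 * reliable place to encode is at output time with the encoder for the target
 * context. Raw {@code Map}/{@code Enumeration} types are kept because the
 * constructor signature visible to callers takes a raw {@code Map}.
 *
 * @author wangsheng
 * @version V1.0
 * @date 2014-09-25
 */
public class TsRequest extends HttpServletRequestWrapper {

    /** Parameter map supplied by the caller; values are String, String[] or arbitrary objects. */
    private final Map params;

    /**
     * @param request   the request being wrapped (must not be null)
     * @param newParams the parameter map to serve instead of the request's own
     */
    public TsRequest(HttpServletRequest request, Map newParams) {
        super(request);
        this.params = newParams;
    }

    /** Returns the caller-supplied map as-is (values in it are NOT encoded). */
    @Override
    public Map getParameterMap() {
        return params;
    }

    /** Enumerates the keys of the supplied map. */
    @Override
    public Enumeration getParameterNames() {
        return Collections.enumeration(params.keySet());
    }

    /**
     * Returns all values for {@code name}, each with {@code <}/{@code >}
     * entity-encoded, in a new array so the backing map is never modified.
     *
     * @return the encoded values, or null when the parameter is absent
     */
    @Override
    public String[] getParameterValues(String name) {
        Object raw = params.get(name);
        if (raw == null) {
            return null;
        }
        if (raw instanceof String[]) {
            String[] source = (String[]) raw;
            String[] encoded = new String[source.length];
            for (int i = 0; i < source.length; i++) {
                encoded[i] = encode(source[i]);
            }
            return encoded;
        }
        if (raw instanceof String) {
            return new String[] { encode((String) raw) };
        }
        // Non-string values are passed through unencoded, as before.
        return new String[] { raw.toString() };
    }

    /**
     * Returns the first value for {@code name} with {@code <}/{@code >}
     * entity-encoded.
     *
     * @return the encoded value, or null when the parameter is absent or empty
     */
    @Override
    public String getParameter(String name) {
        Object raw = params.get(name);
        if (raw == null) {
            return null;
        }
        if (raw instanceof String[]) {
            String[] values = (String[]) raw;
            return values.length > 0 ? encode(values[0]) : null;
        }
        if (raw instanceof String) {
            return encode((String) raw);
        }
        // Non-string values are passed through unencoded, as before.
        return raw.toString();
    }

    /** Entity-encodes {@code <} and {@code >}; a null value passes through unchanged. */
    private static String encode(String value) {
        if (value == null) {
            return null;
        }
        return value.replace("<", "&lt;").replace(">", "&gt;");
    }
}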
2:利用拦截器过滤
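package com.kadang.wp.mobile.wap.core.common;

import java.io.IOException;
import java.util.Enumeration;
import java.util.Locale;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.apache.commons.lang3.StringUtils;

/**
 * Blacklist-style XSS check: rejects a request when its request URI or any
 * request parameter value contains one of the {@link #SAFE_LESS} substrings
 * (compared case-insensitively). Rejected requests are forwarded to the page
 * configured by the {@code errorPath} filter init-param.
 * <p>
 * Fix relative to the earlier version: only the first value of each parameter
 * was inspected ({@code getParameter}), so a multi-valued parameter such as
 * {@code a=ok&a=<script>} passed the check. Every value returned by
 * {@code getParameterValues} is now inspected.
 * <p>
 * NOTE(review): this is a substring blacklist, not an XSS defence on its own.
 * It looks only at the URI and the parameter values; request headers, cookies
 * and a JSON/XML body are not inspected, and payloads that need neither
 * {@code <} nor {@code >} (e.g. a {@code javascript:} URL or an
 * {@code onerror=} attribute landed inside an unquoted attribute) are not in
 * the list. Context-aware output encoding at render time remains necessary.
 *
 * @author jianghao
 * @date 2014-08-22
 */
public class XSSCheckFilter implements Filter {

    /** Forward target for rejected requests, read from the {@code errorPath} init-param. */
    private String errorPath;

    /**
     * Substrings that cause rejection. {@code %3c}/{@code %3e} are presumably
     * meant to catch percent-encoded brackets in the raw URI; {@code set-cookie}
     * and the backslash look like header-injection guards -- confirm with the
     * original author before changing the list.
     */
    private static final String[] SAFE_LESS = { "set-cookie", "<", "%3c", "%3e", ">", "\\" };

    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
        this.setErrorPath(filterConfig.getInitParameter("errorPath"));
    }

    /**
     * Passes the request down the chain when the URI and all parameter values
     * are clean; otherwise sets the {@code error} request attribute and
     * forwards to {@link #getErrorPath()}. If no error path was configured the
     * request is answered with HTTP 400 instead of a NullPointerException.
     */
    @Override
    public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) resp;

        if (isSafeStr(request.getRequestURI()) && allParameterValuesSafe(request)) {
            chain.doFilter(req, resp);
            return;
        }

        request.setAttribute("error", "url or params is full of illegal XSS character");
        if (StringUtils.isBlank(this.getErrorPath())) {
            // Misconfigured filter: fail closed with a client error rather than NPE.
            response.sendError(HttpServletResponse.SC_BAD_REQUEST,
                    "url or params is full of illegal XSS character");
            return;
        }
        request.getRequestDispatcher(this.getErrorPath()).forward(request, response);
    }

    /**
     * Checks every value of every parameter, not just the first one.
     *
     * @return false as soon as one non-blank value fails {@link #isSafeStr}
     */
    private boolean allParameterValuesSafe(HttpServletRequest request) {
        Enumeration<?> names = request.getParameterNames();
        while (names.hasMoreElements()) {
            String[] values = request.getParameterValues((String) names.nextElement());
            if (values == null) {
                continue;
            }
            for (String value : values) {
                if (StringUtils.isNotBlank(value) && !isSafeStr(value)) {
                    return false;
                }
            }
        }
        return true;
    }

    /**
     * Returns true when {@code str} is blank or contains none of the
     * {@link #SAFE_LESS} substrings. Lower-casing uses {@link Locale#ROOT}
     * so the comparison does not change under a Turkish default locale.
     */
    private boolean isSafeStr(String str) {
        if (StringUtils.isBlank(str)) {
            return true;
        }
        String lowered = str.toLowerCase(Locale.ROOT);
        for (String forbidden : SAFE_LESS) {
            if (lowered.contains(forbidden)) {
                return false;
            }
        }
        return true;
    }

    @Override
    public void destroy() {
    }

    public String getErrorPath() {
        return errorPath;
    }

    public void setErrorPath(String errorPath) {
        this.errorPath = errorPath;
    }
}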
3:在 web.xml 中注册过滤器
映射到所有 URL(/*)
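<!--
  Registers one servlet Filter and maps it to every URL.
  NOTE(review): the filter-class below (com.tsou.comm.filter.CharacterFilter)
  matches neither class shown on this page (com.tsou.comm.servlet.TsRequest,
  com.kadang.wp.mobile.wap.core.common.XSSCheckFilter); point it at the Filter
  that is actually deployed. TsRequest is only an HttpServletRequestWrapper, so
  presumably a Filter has to construct it and hand it to chain.doFilter() for
  the encoding to take effect - that Filter is not shown here.
  The stray spaces inside the tag names of the original snippet
  (e.g. "</ url-pattern>") were not well-formed XML and have been removed.
-->
<filter>
    <filter-name>characterFilter</filter-name>
    <filter-class>com.tsou.comm.filter.CharacterFilter</filter-class>
</filter>
<filter-mapping>
    <filter-name>characterFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>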