java防止脚本注入,通过拦截器实现
2014-10-10 10:17
447 查看
1:利用action过滤
2:利用拦截器过滤
3:利用拦截器
package com.tsou.comm.servlet;
import java.util.Enumeration;
import java.util.Map;
import java.util.Vector;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
/**
*
* <p class="detail">
* 功能:封装的请求处理特殊字符
* </p>
* @ClassName: TsRequest
* @version V1.0
* @date 2014年9月25日
* @author wangsheng
*/
public class TsRequest extends HttpServletRequestWrapper {
private Map params;
public TsRequest(HttpServletRequest request, Map newParams) {
super(request);
this.params = newParams;
}
public Map getParameterMap() {
return params ;
}
public Enumeration getParameterNames() {
Vector l = new Vector( params.keySet());
return l.elements();
}
public String[] getParameterValues(String name) {
Object v = params.get(name);
if (v == null ) {
return null ;
} else if (v instanceof String[]) {
String[] value = (String[]) v;
for (int i = 0; i < value.length; i++) {
value[i] = value[i].replaceAll( "<", "<" );
value[i] = value[i].replaceAll( ">", ">" );
}
return (String[]) value;
} else if (v instanceof String) {
String value = (String) v;
value = value.replaceAll( "<", "<" );
value = value.replaceAll( ">", ">" );
return new String[] { (String) value };
} else {
return new String[] { v.toString() };
}
}
public String getParameter(String name) {
Object v = params.get(name);
if (v == null ) {
return null ;
} else if (v instanceof String[]) {
String[] strArr = (String[]) v;
if (strArr.length > 0) {
String value = strArr[0];
value = value.replaceAll( "<", "<" );
value = value.replaceAll( "<", ">" );
return value;
} else {
return null ;
}
} else if (v instanceof String) {
String value = (String) v;
value = value.replaceAll( "<", "<" );
value = value.replaceAll( ">", ">" );
return (String) value;
} else {
return v.toString();
}
}
}2:利用拦截器过滤
package com.kadang.wp.mobile.wap.core.common;
import java.io.IOException;
import java.util.Enumeration;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.commons.lang3.StringUtils;
/**
* XSS 检查过滤器
*
* @author jianghao
* @date 2014-08-22
*
*/
public class XSSCheckFilter implements Filter {
// 需要拦截的JS字符关键字
private String errorPath;
// 非法xss 字符
private static String[] SAFE_LESS = { "set-cookie", "<", "%3c", "%3e", ">", "\\" };
@Override
public void init(FilterConfig filterConfig) throws ServletException {
this.setErrorPath(filterConfig.getInitParameter("errorPath"));
}
@Override
public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain) throws IOException,
ServletException {
boolean isSafe = true;
Enumeration<?> params = req.getParameterNames();
HttpServletRequest request = (HttpServletRequest) req;
HttpServletResponse response = (HttpServletResponse) resp;
String requestUrl = request.getRequestURI();
if (isSafeStr(requestUrl)) {
while (params.hasMoreElements()) {
String paramKey = (String) params.nextElement();
String paramValue = request.getParameter(paramKey);
if (StringUtils.isNotBlank(paramValue)) {
if (!isSafeStr(paramValue)) {
isSafe = false;
break;
}
}
}
} else {
isSafe = false;
}
if (isSafe) {
chain.doFilter(req, resp);
} else {
request.setAttribute("error", "url or params is full of illegal XSS character");
request.getRequestDispatcher(this.getErrorPath()).forward(request, response);
return;
}
}
/**
* 判断URL是否存在非法字符
* */
private boolean isSafeStr(String str) {
if (StringUtils.isNotBlank(str)) {
for (String s : SAFE_LESS) {
if (str.toLowerCase().contains(s)) {
return false;
}
}
}
return true;
}
@Override
public void destroy() {
}
public String getErrorPath() {
return errorPath;
}
public void setErrorPath(String errorPath) {
this.errorPath = errorPath;
}
}3:利用拦截器
拦截URL
<filter> <filter-name> characterFilter</filter-name > <filter-class> com.tsou.comm.filter.CharacterFilter</filter-class > </filter> <filter-mapping> <filter-name> characterFilter</filter-name > <url-pattern> /*</ url-pattern> </filter-mapping>
内容来自用户分享和网络整理,不保证内容的准确性,如有侵权内容,可联系管理员处理 
相关文章推荐
- java防止脚本注入,通过拦截器实现
- 【原创】JAVA通过过滤器防止脚本注入
- java通过ftp和sftp上传war包上传到Linux服务器实现自动重启tomcat的脚本代码
- springMVC通过Filter实现防止xss注入
- Spring MVC拦截器通过注解方式实现防止表单重复提交
- 关于java实现的mapreduce程序打包后通过脚本运行出现classnotfound异常
- 利用拦截器实现sql防止注入
- java防止页面脚本注入 特殊字符过滤器
- 如何理解java中的依赖注入 通过构造函数和反射机制来实现的
- Java防止跨站脚本(XSS)注入攻击
- java防止XSS攻击,脚本注入
- java防止xss脚本注入攻击,采用spring工具类方式
- springMVC通过Filter实现防止xss注入
- Java防止跨站脚本(XSS)注入攻击
- 模拟实现Struts拦截器-蕴含着代理模式,AOP,工厂模式,依赖注入,Java 反射,动态构造等机制
- WEB应用通过Spring注入实现类
- (源码实例)通过层DIV实现,当鼠标放在链接上面,显示图片及文字 - 流星絮语 JAVA学习笔记 - CSDNBlog
- java脚本实现下拉框和文本框的数据交换
- java通过代理服务器实现对FTP和HTTP的访问
- 通过HttpModule实现数据库防注入