java防止XSS注入的实用工具
2017-12-20 20:11
防止XSS注入是数据写入数据库之前的必做操作,否则任由用户输入,则可能导致数据库数据的注入,轻者影响数据展示,重者造成数据库崩溃
下面是项目中经常用到的处理XSS的实用方法
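/**
 * String helpers for scrubbing user-supplied text before it is persisted.
 *
 * <p>{@link #preventXss(String)} is a keyword blacklist, not an encoder: it breaks up a
 * fixed list of HTML tag names, attribute names and URL schemes by inserting a space, and
 * escapes {@code <} and {@code >}. Treat it as defence in depth only; the stored value
 * still has to be encoded for the context it is rendered in (HTML body, attribute, URL,
 * script) at output time, and {@code &}, {@code "} and {@code '} are not touched here.
 *
 * @author 李光光(编码小王子)
 * @date 2016年5月23日 下午5:24:39
 * @version 1.0
 */
public class StringUtil {

    /**
     * Substitution rules in the order they are applied. Every pattern except the two
     * angle-bracket rules is case-insensitive ({@code (?i)}), while each replacement is a
     * fixed lowercase literal, so the input's case is not preserved on a match.
     *
     * <p>Order matters: a rule may consume text a later rule would otherwise match. The
     * published listing also carried {@code basefont}, {@code ilayer}, {@code lowsrc},
     * {@code javascript:} and {@code mhtml:} rules after their shorter prefixes had already
     * run; those could never match and were dropped without changing the output.
     *
     * <p>No replacement contains {@code $} or {@code \}, which {@code Matcher.replaceAll}
     * would otherwise interpret.
     */
    private static final String[][] RULE_TABLE = {
        // script keywords
        {"(?i)javascript", "javascri pt"},
        {"(?i)<script", "< scri pt"},
        {"(?i)</script", "< /scri pt"},
        {"(?i)alert", "aler t"},
        // HTML metacharacters: escape so the remaining text cannot open or close a tag.
        // The published listing shows an identity replacement here ("<" -> "<", ">" -> ">"),
        // which is a no-op; the entity forms restore the evident intent of the comment.
        {"<", "&lt;"},
        {">", "&gt;"},
        // HTML tag names
        {"(?i)img", "im g"},
        {"(?i)applet", "appl et"},
        {"(?i)blink", "bli nk"},
        {"(?i)frameset", "fra mes et"},
        {"(?i)iframe", "ifra me"},
        {"(?i)object", "obje ct"},
        {"(?i)base", "ba se"},
        {"(?i)body", "bo dy"},
        {"(?i)head", "hea d"},
        {"(?i)layer", "lay er"},
        {"(?i)style", "styl e"},
        {"(?i)embed", "emb ed"},
        {"(?i)html", "htm l"},
        {"(?i)link", "lin k"},
        {"(?i)title", "tit le"},
        {"(?i)bgsound", "bgsou nd"},
        {"(?i)frame", "fra me"},
        {"(?i)meta", "me ta"},
        // HTML attribute names
        {"(?i)dynsrc", "dyns rc"},
        {"(?i)src", "sr c"},
        {"(?i)action", "acti on"},
        {"(?i)href", "hre f"},
        {"(?i)background", "backgrou nd"},
        {"(?i)value", "valu e"},
        {"(?i)onmouse", "onmou se"},
        // URL schemes usable in other protocols
        {"(?i)vbscript:", "vbscri pt:"},
        {"(?i)ms-its:", "ms-i ts:"},
        {"(?i)firefoxurl:", "firefoxu rl:"},
        {"(?i)mocha:", "moch a:"},
        {"(?i)data:", "dat a:"},
        {"(?i)livescript:", "livescri pt:"},
    };

    /** Patterns of {@link #RULE_TABLE}, compiled once instead of on every call. */
    private static final java.util.regex.Pattern[] PATTERNS;

    /** Replacements of {@link #RULE_TABLE}, index-aligned with {@link #PATTERNS}. */
    private static final String[] REPLACEMENTS;

    static {
        PATTERNS = new java.util.regex.Pattern[RULE_TABLE.length];
        REPLACEMENTS = new String[RULE_TABLE.length];
        for (int i = 0; i < RULE_TABLE.length; i++) {
            PATTERNS[i] = java.util.regex.Pattern.compile(RULE_TABLE[i][0]);
            REPLACEMENTS[i] = RULE_TABLE[i][1];
        }
    }

    /**
     * Scrubs {@code sourceStr} by applying {@link #RULE_TABLE} top to bottom.
     *
     * <p>Lossy: the rules match substrings anywhere, so ordinary words such as "value",
     * "title", "body", "head" or "action" are mangled too ("valu e", "tit le", ...). Do not
     * run it over text that must round-trip unchanged.
     *
     * @param sourceStr text to scrub; may be {@code null}
     * @return {@code sourceStr} itself when it is {@code null}, empty or whitespace-only;
     *         otherwise a scrubbed copy
     */
    public static String preventXss(String sourceStr) {
        if (isBlank(sourceStr)) {
            return sourceStr;
        }
        String result = sourceStr;
        for (int i = 0; i < PATTERNS.length; i++) {
            result = PATTERNS[i].matcher(result).replaceAll(REPLACEMENTS[i]);
        }
        return result;
    }

    /**
     * Same contract as commons-lang {@code StringUtils.isBlank}: {@code null}, empty, or
     * made only of {@link Character#isWhitespace(char)} characters. Kept local so the
     * class has no third-party dependency.
     *
     * @param s text to inspect; may be {@code null}
     * @return {@code true} when there is nothing but whitespace to scrub
     */
    private static boolean isBlank(CharSequence s) {
        if (s == null || s.length() == 0) {
            return true;
        }
        for (int i = 0; i < s.length(); i++) {
            if (!Character.isWhitespace(s.charAt(i))) {
                return false;
            }
        }
        return true;
    }
}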
可以使用下面的方式来调用
// dirtyData holds raw user input; clearData is the scrubbed copy to persist.
String clearData = StringUtil.preventXss(dirtyData);
下面是项目中经常用到的处理XSS的实用方法
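/**
 * String helpers for scrubbing user-supplied text before it is persisted.
 *
 * <p>{@link #preventXss(String)} is a keyword blacklist, not an encoder: it breaks up a
 * fixed list of HTML tag names, attribute names and URL schemes by inserting a space, and
 * escapes {@code <} and {@code >}. Treat it as defence in depth only; the stored value
 * still has to be encoded for the context it is rendered in (HTML body, attribute, URL,
 * script) at output time, and {@code &}, {@code "} and {@code '} are not touched here.
 *
 * @author 李光光(编码小王子)
 * @date 2016年5月23日 下午5:24:39
 * @version 1.0
 */
public class StringUtil {

    /**
     * Substitution rules in the order they are applied. Every pattern except the two
     * angle-bracket rules is case-insensitive ({@code (?i)}), while each replacement is a
     * fixed lowercase literal, so the input's case is not preserved on a match.
     *
     * <p>Order matters: a rule may consume text a later rule would otherwise match. The
     * published listing also carried {@code basefont}, {@code ilayer}, {@code lowsrc},
     * {@code javascript:} and {@code mhtml:} rules after their shorter prefixes had already
     * run; those could never match and were dropped without changing the output.
     *
     * <p>No replacement contains {@code $} or {@code \}, which {@code Matcher.replaceAll}
     * would otherwise interpret.
     */
    private static final String[][] RULE_TABLE = {
        // script keywords
        {"(?i)javascript", "javascri pt"},
        {"(?i)<script", "< scri pt"},
        {"(?i)</script", "< /scri pt"},
        {"(?i)alert", "aler t"},
        // HTML metacharacters: escape so the remaining text cannot open or close a tag.
        // The published listing shows an identity replacement here ("<" -> "<", ">" -> ">"),
        // which is a no-op; the entity forms restore the evident intent of the comment.
        {"<", "&lt;"},
        {">", "&gt;"},
        // HTML tag names
        {"(?i)img", "im g"},
        {"(?i)applet", "appl et"},
        {"(?i)blink", "bli nk"},
        {"(?i)frameset", "fra mes et"},
        {"(?i)iframe", "ifra me"},
        {"(?i)object", "obje ct"},
        {"(?i)base", "ba se"},
        {"(?i)body", "bo dy"},
        {"(?i)head", "hea d"},
        {"(?i)layer", "lay er"},
        {"(?i)style", "styl e"},
        {"(?i)embed", "emb ed"},
        {"(?i)html", "htm l"},
        {"(?i)link", "lin k"},
        {"(?i)title", "tit le"},
        {"(?i)bgsound", "bgsou nd"},
        {"(?i)frame", "fra me"},
        {"(?i)meta", "me ta"},
        // HTML attribute names
        {"(?i)dynsrc", "dyns rc"},
        {"(?i)src", "sr c"},
        {"(?i)action", "acti on"},
        {"(?i)href", "hre f"},
        {"(?i)background", "backgrou nd"},
        {"(?i)value", "valu e"},
        {"(?i)onmouse", "onmou se"},
        // URL schemes usable in other protocols
        {"(?i)vbscript:", "vbscri pt:"},
        {"(?i)ms-its:", "ms-i ts:"},
        {"(?i)firefoxurl:", "firefoxu rl:"},
        {"(?i)mocha:", "moch a:"},
        {"(?i)data:", "dat a:"},
        {"(?i)livescript:", "livescri pt:"},
    };

    /** Patterns of {@link #RULE_TABLE}, compiled once instead of on every call. */
    private static final java.util.regex.Pattern[] PATTERNS;

    /** Replacements of {@link #RULE_TABLE}, index-aligned with {@link #PATTERNS}. */
    private static final String[] REPLACEMENTS;

    static {
        PATTERNS = new java.util.regex.Pattern[RULE_TABLE.length];
        REPLACEMENTS = new String[RULE_TABLE.length];
        for (int i = 0; i < RULE_TABLE.length; i++) {
            PATTERNS[i] = java.util.regex.Pattern.compile(RULE_TABLE[i][0]);
            REPLACEMENTS[i] = RULE_TABLE[i][1];
        }
    }

    /**
     * Scrubs {@code sourceStr} by applying {@link #RULE_TABLE} top to bottom.
     *
     * <p>Lossy: the rules match substrings anywhere, so ordinary words such as "value",
     * "title", "body", "head" or "action" are mangled too ("valu e", "tit le", ...). Do not
     * run it over text that must round-trip unchanged.
     *
     * @param sourceStr text to scrub; may be {@code null}
     * @return {@code sourceStr} itself when it is {@code null}, empty or whitespace-only;
     *         otherwise a scrubbed copy
     */
    public static String preventXss(String sourceStr) {
        if (isBlank(sourceStr)) {
            return sourceStr;
        }
        String result = sourceStr;
        for (int i = 0; i < PATTERNS.length; i++) {
            result = PATTERNS[i].matcher(result).replaceAll(REPLACEMENTS[i]);
        }
        return result;
    }

    /**
     * Same contract as commons-lang {@code StringUtils.isBlank}: {@code null}, empty, or
     * made only of {@link Character#isWhitespace(char)} characters. Kept local so the
     * class has no third-party dependency.
     *
     * @param s text to inspect; may be {@code null}
     * @return {@code true} when there is nothing but whitespace to scrub
     */
    private static boolean isBlank(CharSequence s) {
        if (s == null || s.length() == 0) {
            return true;
        }
        for (int i = 0; i < s.length(); i++) {
            if (!Character.isWhitespace(s.charAt(i))) {
                return false;
            }
        }
        return true;
    }
}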
可以使用下面的方式来调用
// dirtyData holds raw user input; clearData is the scrubbed copy to persist.
String clearData = StringUtil.preventXss(dirtyData);