实例如下:
XSSFilter.java
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
|
public void doFilter(ServletRequest servletrequest, ServletResponse servletresponse, FilterChain filterchain) throws IOException, ServletException { //flag = true 只做URL验证; flag = false 做所有字段的验证; boolean flag = true; if(flag){ //只对URL做xss校验 HttpServletRequest httpServletRequest = (HttpServletRequest) servletrequest; HttpServletResponse httpServletResponse = (HttpServletResponse) servletresponse; String requesturi = httpServletRequest.getRequestURL().toString(); requesturi = URLDecoder.decode(requesturi, "UTF-8"); if(requesturi!=null&&requesturi.indexOf("alipay_hotel_book_return.html")!=-1){ filterchain.doFilter(servletrequest, servletresponse); return; } if(requesturi!=null&&requesturi.indexOf("account_bank_return.html")!=-1){ filterchain.doFilter(servletrequest, servletresponse); return; } if(requesturi!=null&&requesturi.indexOf("/alipay/activity.html")!=-1){ filterchain.doFilter(servletrequest, servletresponse); return ; } if(requesturi!=null&&requesturi.indexOf("/alipayLogin.html")!=-1){ filterchain.doFilter(servletrequest, servletresponse); return ; } RequestWrapper rw = new RequestWrapper(httpServletRequest); String param = httpServletRequest.getQueryString(); if(!"".equals(param) && param != null) { param = URLDecoder.decode(param, "UTF-8"); String originalurl = requesturi + param; String sqlParam = param; //添加sql注入的判断 if(requesturi.endsWith("/askQuestion.html") || requesturi.endsWith("/member/answer.html")){ sqlParam = rw.cleanSQLInject(param); } String xssParam = rw.cleanXSS(sqlParam); requesturi += "?"+xssParam; if(!xssParam.equals(param)){ System.out.println("requesturi::::::"+requesturi); httpServletResponse.sendRedirect(requesturi); System.out.println("no entered.");// filterchain.doFilter(new RequestWrapper((HttpServletRequest) servletrequest), servletresponse); return ; } } filterchain.doFilter(servletrequest, servletresponse); }else{ //对请求中的所有东西都做校验,包括表单。此功能校验比较严格容易屏蔽表单正常输入,使用此功能请注意。 filterchain.doFilter(new RequestWrapper((HttpServletRequest) servletrequest), servletresponse); } }requestMapping: public RequestWrapper(){ super(null); } public RequestWrapper(HttpServletRequest httpservletrequest) { super(httpservletrequest); } public String[] getParameterValues(String s) { String str[] = super.getParameterValues(s); if (str == null) { return null; } int i = str.length; String as1[] = new String[i]; for (int j = 0; j < i; j++) { as1[j] = cleanXSS(cleanSQLInject(str[j])); } return as1; } public String getParameter(String s) { String s1 = super.getParameter(s); if (s1 == null) { return null; } else { return cleanXSS(cleanSQLInject(s1)); } } public String getHeader(String s) { String s1 = super.getHeader(s); if (s1 == null) { return null; } else { return cleanXSS(cleanSQLInject(s1)); } } public String cleanXSS(String src) { String temp =src; System.out.println("xss---temp-->"+src); src = src.replaceAll("<", "<").replaceAll(">", ">"); // if (src.indexOf("address")==-1) // { src = src.replaceAll("\\(", "(").replaceAll("\\)", ")"); //} src = src.replaceAll("'", "'"); Pattern pattern=Pattern.compile("(eval\\((.*)\\)|script)",Pattern.CASE_INSENSITIVE); Matcher matcher=pattern.matcher(src); src = matcher.replaceAll(""); pattern=Pattern.compile("[\\\"\\'][\\s]*javascript:(.*)[\\\"\\']",Pattern.CASE_INSENSITIVE); matcher=pattern.matcher(src); src = matcher.replaceAll("\"\""); //增加脚本 src = src.replaceAll("script", "").replaceAll(";", "") .replaceAll("\"", "").replaceAll("@", "") .replaceAll("0x0d", "") .replaceAll("0x0a", "").replaceAll(",", ""); if(!temp.equals(src)){ System.out.println("输入信息存在xss攻击!"); System.out.println("原始输入信息-->"+temp); System.out.println("处理后信息-->"+src); } return src; } //需要增加通配,过滤大小写组合 public String cleanSQLInject(String src) { String temp =src; src = src.replaceAll("insert", "forbidI") .replaceAll("select", "forbidS") .replaceAll("update", "forbidU") .replaceAll("delete", "forbidD") .replaceAll("and", "forbidA") .replaceAll("or", "forbidO"); if(!temp.equals(src)){ System.out.println("输入信息存在SQL攻击!"); System.out.println("原始输入信息-->"+temp); System.out.println("处理后信息-->"+src); } return src; } |
xml配置:
|
1
2
3
4
5
6
7
8
9
10
11
12
|
<filter> <filter-name>XssFilter</filter-name> <filter-class>cn.com.jsoft.xss.XSSFilter</filter-class> <init-param> <param-name>encoding</param-name> <param-value>UTF-8</param-value> </init-param> </filter> <filter-mapping> <filter-name>XssFilter</filter-name> <url-pattern>/*</url-pattern> </filter-mapping> |
以上代码仅仅将特殊的sql字符,特殊script脚本字符处理掉,具体的页面处理还需要后台处理!!
关于这篇java 过滤器filter防sql注入的实现代码就是小编分享给大家的全部内容了,希望能给大家一个参考,也希望大家多多支持服务器之家。
