1. Introduction to Maven, AntiSamy and XSS:
AntiSamy is an OWASP open-source project: an API that checks user-supplied HTML/CSS against the rules an application defines, which is an effective defense against XSS. It provides an API for validating rich-text user input against cross-site scripting and is meant for web applications written in Java. It ships with several standard policy files; you start from one of them and configure a policy that fits your own product's requirements.
For details see
http://anquan.163.com/module/pedia/article-00016.html
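As an added example (not code from the original page or from the AntiSamy project), the following standalone program shows the AntiSamy API that the filter in section 5 relies on: it loads the slashdot policy from the classpath and runs a few constructed inputs through it, printing what was kept, what was removed and the policy's reason for each removal. It assumes the antisamy 1.5.3 jar is on the classpath and that antisamy-slashdot.xml sits at the classpath root (with the pom in section 3 that means copying it directly into src/); the class name, method names and sample strings are assumptions of this example.

```java
import java.io.InputStream;
import java.util.List;

import org.owasp.validator.html.AntiSamy;
import org.owasp.validator.html.CleanResults;
import org.owasp.validator.html.Policy;
import org.owasp.validator.html.PolicyException;
import org.owasp.validator.html.ScanException;

/**
 * Runs constructed inputs through AntiSamy with the slashdot policy and reports
 * the clean HTML plus the error messages that explain each rejected construct.
 */
public class AntiSamyDemo {

    // Constructed sample inputs (not real user data): two XSS payloads followed by
    // the kind of markup a rich-text comment field is supposed to allow.
    static final String[] SAMPLES = {
        "<script>alert(document.cookie)</script>Hello",
        "<a href=\"javascript:alert(1)\">click</a>",
        "<b>bold</b> and <i>italic</i>",
        "<a href=\"http://example.com/\">a normal link</a>",
    };

    /** Load a policy from the classpath root, e.g. "/antisamy-slashdot.xml" copied into src/. */
    static Policy loadPolicy(String resource) throws PolicyException {
        InputStream in = AntiSamyDemo.class.getResourceAsStream(resource);
        if (in == null) {
            // Fail loudly at startup rather than silently running without a policy.
            throw new IllegalStateException("AntiSamy policy not on classpath: " + resource);
        }
        return Policy.getInstance(in);
    }

    /** Sanitize one string; the returned CleanResults carries both the clean HTML and the error list. */
    static CleanResults sanitize(AntiSamy antiSamy, Policy policy, String dirty)
            throws ScanException, PolicyException {
        return antiSamy.scan(dirty, policy);
    }

    public static void main(String[] args) throws Exception {
        // Parse the policy once; it is the expensive part and can be reused for every scan.
        Policy policy = loadPolicy("/antisamy-slashdot.xml");
        AntiSamy antiSamy = new AntiSamy();

        for (String dirty : SAMPLES) {
            CleanResults cr = sanitize(antiSamy, policy, dirty);
            System.out.println("input : " + dirty);
            // formatOutput is on in the slashdot policy, so trim the pretty-printing whitespace.
            System.out.println("clean : " + cr.getCleanHTML().trim());
            System.out.println("errors: " + cr.getNumberOfErrors());
            List<String> messages = cr.getErrorMessages();
            for (String m : messages) {
                System.out.println("  - " + m);
            }
            System.out.println("scan time: " + cr.getScanTime() + "s");
            System.out.println();
        }
    }
}
```

Compile and run with the antisamy jar and its dependencies on the classpath. The script element is removed together with its contents, the javascript: link is rejected because its href does not match the policy's URL patterns, and the `<b>`/`<i>` markup and the http:// link survive because the slashdot policy allows that small set of tags. The error messages are what you would log (never echo them to the user) when tuning a policy for your own product.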
2. Required files:
3. Configuring AntiSamy in Eclipse
Note that the Tomcat application server must be installed first. For details see http://jingyan.baidu.com/article/3065b3b6efa9d7becff8a4c6.html
After converting the project to a Maven project, the Maven Dependencies node did not appear under Libraries.
Solution:
Edit pom.xml and add the following:
```xml
<dependencies>
  <dependency>
    <groupId>log4j</groupId>
    <artifactId>log4j</artifactId>
    <version>1.2.12</version>
  </dependency>
  <dependency>
    <groupId>org.owasp.antisamy</groupId>
    <artifactId>antisamy</artifactId>
    <version>1.5.3</version>
  </dependency>
</dependencies>
```
The complete pom.xml:
```xml
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
  <modelVersion>4.0.0</modelVersion>
  <groupId>webTest</groupId>
  <artifactId>webTest</artifactId>
  <version>0.0.1-SNAPSHOT</version>
  <packaging>war</packaging>
  <build>
    <sourceDirectory>src</sourceDirectory>
    <resources>
      <resource>
        <!-- everything under src except .java files (for example the AntiSamy policy XML)
             is packaged onto the classpath root -->
        <directory>src</directory>
        <excludes>
          <exclude>**/*.java</exclude>
        </excludes>
      </resource>
    </resources>
    <plugins>
      <plugin>
        <artifactId>maven-compiler-plugin</artifactId>
        <version>3.3</version>
        <configuration>
          <source>1.8</source>
          <target>1.8</target>
        </configuration>
      </plugin>
      <plugin>
        <artifactId>maven-war-plugin</artifactId>
        <version>2.6</version>
        <configuration>
          <warSourceDirectory>WebContent</warSourceDirectory>
          <failOnMissingWebXml>false</failOnMissingWebXml>
        </configuration>
      </plugin>
    </plugins>
  </build>
  <dependencies>
    <dependency>
      <groupId>log4j</groupId>
      <artifactId>log4j</artifactId>
      <version>1.2.12</version>
    </dependency>
    <dependency>
      <groupId>org.owasp.antisamy</groupId>
      <artifactId>antisamy</artifactId>
      <version>1.5.3</version>
    </dependency>
    <!-- Servlet API needed to compile XssFilter/RequestWrapper with plain Maven (Eclipse gets it
         from the Tomcat runtime). Tomcat supplies it at runtime, hence scope provided. -->
    <dependency>
      <groupId>javax.servlet</groupId>
      <artifactId>servlet-api</artifactId>
      <version>2.5</version>
      <scope>provided</scope>
    </dependency>
  </dependencies>
</project>
```
The part that was added is the `<dependencies>` block.
4. Installing Tomcat
This relies on the environment setup described in "Creating a Java web project in Eclipse".
For details see http://blog.csdn.net/redarmy_chen/article/details/7048317
You can also follow this link for installation and deployment:
http://jingyan.baidu.com/article/3065b3b6efa9d7becff8a4c6.html
Note that when adding directories, use English (ASCII) directory names.
5. Code
XssFilter.java (note the package: both classes below have no package declaration, which matches the `<filter-class>XssFilter</filter-class>` entry in web.xml):
```java
import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;

/**
 * Servlet filter that wraps every HTTP request in a RequestWrapper so that all
 * parameter reads further down the chain go through AntiSamy.
 */
public class XssFilter implements Filter {
    @SuppressWarnings("unused")
    private FilterConfig filterConfig;

    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
        this.filterConfig = filterConfig;
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response,
            FilterChain chain) throws IOException, ServletException {
        // Only HTTP requests carry the parameters we wrap; pass anything else through unchanged
        // instead of failing on the cast.
        if (request instanceof HttpServletRequest) {
            chain.doFilter(new RequestWrapper((HttpServletRequest) request), response);
        } else {
            chain.doFilter(request, response);
        }
    }

    @Override
    public void destroy() {
        this.filterConfig = null;
    }
}
```
Commentary on this code can be found at:
http://blog.csdn.net/goskalrie/article/details/51350736
RequestWrapper.java:
```java
import java.io.InputStream;
import java.util.LinkedHashMap;
import java.util.Map;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;

import org.owasp.validator.html.AntiSamy;
import org.owasp.validator.html.CleanResults;
import org.owasp.validator.html.Policy;
import org.owasp.validator.html.PolicyException;
import org.owasp.validator.html.ScanException;

/**
 * Request wrapper that runs every request parameter through AntiSamy before the
 * application sees it. Only getParameter/getParameterValues/getParameterMap are
 * covered; headers, the query string and the raw body are not.
 */
public class RequestWrapper extends HttpServletRequestWrapper {

    // Parsing a policy file is expensive, so do it once per class rather than once per parameter.
    // Policy.getInstance(String) treats its argument as a filesystem path, so the policy is read
    // from the classpath instead: with this pom that means placing antisamy-slashdot.xml directly under src/.
    private static final Policy POLICY = loadPolicy("/antisamy-slashdot.xml");
    private final AntiSamy antiSamy = new AntiSamy();

    public RequestWrapper(HttpServletRequest request) {
        super(request);
    }

    private static Policy loadPolicy(String classpathResource) {
        InputStream in = RequestWrapper.class.getResourceAsStream(classpathResource);
        if (in == null) {
            // Refuse to start without a policy rather than silently passing input through.
            throw new IllegalStateException("AntiSamy policy not found on classpath: " + classpathResource);
        }
        try {
            return Policy.getInstance(in);
        } catch (PolicyException e) {
            throw new IllegalStateException("Invalid AntiSamy policy " + classpathResource, e);
        }
    }

    @Override
    public Map<String, String[]> getParameterMap() {
        // The container's map (and the arrays in it) may be read-only or shared, so build a cleaned copy.
        @SuppressWarnings("unchecked")
        Map<String, String[]> original = super.getParameterMap();
        Map<String, String[]> cleaned = new LinkedHashMap<String, String[]>();
        for (Map.Entry<String, String[]> entry : original.entrySet()) {
            cleaned.put(entry.getKey(), cleanAll(entry.getValue()));
        }
        return cleaned;
    }

    @Override
    public String getParameter(String name) {
        String v = super.getParameter(name);
        return v == null ? null : xssClean(v);
    }

    @Override
    public String[] getParameterValues(String name) {
        String[] v = super.getParameterValues(name);
        return v == null ? null : cleanAll(v);
    }

    private String[] cleanAll(String[] values) {
        String[] out = new String[values.length];
        for (int i = 0; i < values.length; i++) {
            out[i] = xssClean(values[i]);
        }
        return out;
    }

    private String xssClean(String value) {
        try {
            CleanResults cr = antiSamy.scan(value, POLICY);
            // safe HTML output
            return cr.getCleanHTML();
        } catch (ScanException | PolicyException e) {
            // Fail closed: returning the raw value here would let unsanitized input through
            // whenever the scanner fails (oversized input, malformed policy, ...).
            return "";
        }
    }
}
```
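To check the wrapper without deploying to Tomcat, here is an added example that is not part of the original page: a small driver that feeds constructed parameters through RequestWrapper using a dynamic proxy as a stand-in for the container's HttpServletRequest. It assumes RequestWrapper.java from this page compiles alongside it (default package), that the servlet API and antisamy jars are on the classpath, and that antisamy-slashdot.xml is at the classpath root; the class name RequestWrapperCheck, the fakeRequest helper and the sample parameter values are assumptions of this example.

```java
import java.lang.reflect.InvocationHandler;
import java.lang.reflect.Method;
import java.lang.reflect.Proxy;
import java.util.Arrays;
import java.util.Collections;
import java.util.LinkedHashMap;
import java.util.Map;

import javax.servlet.http.HttpServletRequest;

/**
 * Exercises this page's RequestWrapper without a servlet container: a dynamic proxy
 * stands in for HttpServletRequest and answers only the three parameter methods
 * the wrapper overrides.
 */
public class RequestWrapperCheck {

    /** A fake HttpServletRequest serving the given parameters; every other method returns null/0/false. */
    static HttpServletRequest fakeRequest(final Map<String, String[]> params) {
        InvocationHandler handler = (Object proxy, Method m, Object[] args) -> {
            switch (m.getName()) {
                case "getParameterMap":
                    return Collections.unmodifiableMap(params);
                case "getParameterValues":
                    return params.get((String) args[0]);
                case "getParameter": {
                    String[] v = params.get((String) args[0]);
                    return (v == null || v.length == 0) ? null : v[0];
                }
                case "hashCode":
                    return System.identityHashCode(proxy);
                case "equals":
                    return proxy == args[0];
                case "toString":
                    return "FakeHttpServletRequest";
                default:
                    // Neutral defaults for the rest of the interface.
                    Class<?> rt = m.getReturnType();
                    if (rt == boolean.class) return Boolean.FALSE;
                    if (rt == int.class) return 0;
                    if (rt == long.class) return 0L;
                    return null;
            }
        };
        return (HttpServletRequest) Proxy.newProxyInstance(
                HttpServletRequest.class.getClassLoader(),
                new Class<?>[] { HttpServletRequest.class }, handler);
    }

    public static void main(String[] args) {
        // Constructed parameters (not captured traffic), shaped like what the form in section 6 sends.
        Map<String, String[]> params = new LinkedHashMap<>();
        params.put("first_name", new String[] { "<script>alert(1)</script>Alice" });
        params.put("last_name", new String[] { "<b>Smith</b>" });
        params.put("tags", new String[] { "<i>one</i>", "<a href=\"javascript:alert(1)\">two</a>" });

        RequestWrapper wrapped = new RequestWrapper(fakeRequest(params));

        System.out.println("getParameter(first_name) -> " + wrapped.getParameter("first_name").trim());
        System.out.println("getParameter(last_name)  -> " + wrapped.getParameter("last_name").trim());
        System.out.println("getParameterValues(tags) -> " + Arrays.toString(wrapped.getParameterValues("tags")));
        for (Map.Entry<String, String[]> e : wrapped.getParameterMap().entrySet()) {
            System.out.println("getParameterMap " + e.getKey() + " -> " + Arrays.toString(e.getValue()));
        }
        // getQueryString(), getHeader() and the raw request body are not overridden by
        // RequestWrapper, so anything the application reads through them is never sanitized.
    }
}
```

Run it with the same classpath as the web application. The script element should be gone from first_name, the `<b>` and `<i>` markup should survive because the slashdot policy allows those tags, and the javascript: link should be rejected. If the policy file is missing, the wrapper's static initializer throws, which is the point of failing closed at startup rather than at the first request.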
web.xml:
```xml
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xmlns="http://java.sun.com/xml/ns/javaee"
  xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
  id="WebApp_ID" version="2.5">
  <display-name>sdl</display-name>
  <!-- XSS: apply the AntiSamy filter to every request -->
  <filter>
    <filter-name>XSS</filter-name>
    <!-- class lives in the default package, hence no package prefix -->
    <filter-class>XssFilter</filter-class>
  </filter>
  <filter-mapping>
    <filter-name>XSS</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>
  <welcome-file-list>
    <welcome-file>index.html</welcome-file>
    <welcome-file>index.htm</welcome-file>
    <welcome-file>index.jsp</welcome-file>
    <welcome-file>default.html</welcome-file>
    <welcome-file>default.htm</welcome-file>
    <welcome-file>default.jsp</welcome-file>
  </welcome-file-list>
</web-app>
```
6. Verification
htmlTest.html:
```html
<!DOCTYPE html>
<html>
<head>
<meta charset="UTF-8">
<title>Insert title here</title>
</head>
<body>
  <!-- posts both fields to main.jsp, which passes through the XSS filter on the way -->
  <form action="main.jsp" method="POST">
    First Name: <input type="text" name="first_name">
    <br />
    Last Name: <input type="text" name="last_name" />
    <input type="submit" value="Submit" />
  </form>
</body>
</html>
```
main.jsp:
```jsp
<%@ page language="java" contentType="text/html; charset=ISO-8859-1"
    pageEncoding="ISO-8859-1"%>
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>Insert title here</title>
</head>
<body>
<center>
<h1>Reading Form Data (POST)</h1>
<%-- The parameters are written out without any escaping on purpose: what reaches
     this page is exactly what the XSS filter let through. --%>
<ul>
<li><p><b>First Name:</b>
<%= request.getParameter("first_name")%>
</p></li>
<li><p><b>Last Name:</b>
<%= request.getParameter("last_name")%>
</p></li>
</ul>
</center>
</body>
</html>
```
Open htmlTest.html in the browser, enter `<script>alert(1)</script>` as the first name and `<b>Smith</b>` as the last name, and submit. Because main.jsp prints the parameters unescaped, whatever reaches it is rendered as HTML: with the filter active, the script element is removed by the slashdot policy (no alert fires), while the `<b>` element is kept because that policy allows a small set of formatting tags. Two caveats: the filter only covers request parameters, so values read from headers, the query string or the raw body bypass it; and AntiSamy is meant for fields that legitimately contain HTML, so for plain-text fields such as a name, output encoding in the JSP remains the primary defense.