使用StringEscapeUtils防止XSS攻擊

1，commons-lang3-3.1.jar包中org.apache.commons.lang3.StringEscapeUtils

2，具體的實現過程：

第一步：

XssHttpServletRequestWrapper繼承servlet的HttpServletRequestWrapper

import javax.servlet.http.HttpServletRequest;  
import javax.servlet.http.HttpServletRequestWrapper;  
  
import org.apache.commons.lang3.StringEscapeUtils; 

 /**
   @author zhangna
   @XssHttpServletRequestWrapper.java,  2018/11/16 下午2:24 zhangna 
 */
public class XssHttpServletRequestWrapper extends HttpServletRequestWrapper {  
  
    public XssHttpServletRequestWrapper(HttpServletRequest request) {  
        super(request);  
    }  
  
    @Override  
    public String getHeader(String name) {  
        return StringEscapeUtils.escapeHtml4(super.getHeader(name));  
    }  
  
    @Override  
    public String getQueryString() {  
        return StringEscapeUtils.escapeHtml4(super.getQueryString());  
    }  
  
    @Override  
    public String getParameter(String name) {  
        return StringEscapeUtils.escapeHtml4(super.getParameter(name));  
    }  
     @Override  
    public String[] getParameterValues(String name) {  
        String[] values = super.getParameterValues(name);  
        if(values != null) {  
            int length = values.length;  
            String[] escapseValues = new String[length];  
            for(int i = 0; i < length; i++){  
                escapseValues[i] = StringEscapeUtils.escapeHtml4(values[i]);  
            }  
            return escapseValues;  
        }  
        return super.getParameterValues(name);  
    }        
  }

第二步：

XssFilter 的實現方式是實現servlet的Filter接口

import java.io.IOException;  
  
import javax.servlet.Filter;  
import javax.servlet.FilterChain;  
import javax.servlet.FilterConfig;  
import javax.servlet.ServletException;  
import javax.servlet.ServletRequest;  
import javax.servlet.ServletResponse;  
import javax.servlet.http.HttpServletRequest;  
  
/**
   @author zhangna
   @XssFilter.java,  2018/11/16 下午2:24 zhangna 
*/
public class XssFilter implements Filter {  
  
    @Override  
    public void init(FilterConfig filterConfig) throws ServletException {  
    }  
  
    @Override  
    public void doFilter(ServletRequest request, ServletResponse response,  
            FilterChain chain) throws IOException, ServletException {  
        chain.doFilter(new XssHttpServletRequestWrapper((HttpServletRequest) request), response);  
    }  
  
    @Override  
    public void destroy() {  
    }  
 }

第三步:

在web.xml加一個filter

    <filter>  
        <filter-name>XssEscape</filter-name>  
        <filter-class>cn.pconline.morden.filter.XssFilter</filter-class>  
    </filter>  
    <filter-mapping>  
        <filter-name>XssEscape</filter-name>  
        <url-pattern>/*</url-pattern>  
        <dispatcher>REQUEST</dispatcher>  
    </filter-mapping>

發表評論

所有評論

還沒有人評論，想成為第一個評論的人麼? 請在上方評論欄輸入並且點擊發布.

使用StringEscapeUtils防止XSS攻擊

中外程序員到底有啥區別？

Nginx R31 doc-13-Limiting Access to Proxied HTTP Resources 訪問限流

Python數據分析與挖掘實戰（5章）

python包：pandas

一、什麼是Docker

二、Docker 組件

揹包九講一 01揹包

今天！通義靈碼在北京、成都、杭州三城開講啦

【BI 可視化插件】怎麼做？手把手教你實現

java連接 Apache Druid 實踐

LocalDate--不可變的並且是線程安全的

使用java的HTML解析器 jsoup來防止XSS攻擊

ssm中Dubbo實踐

Java分佈式定時任務--Elastic-job實踐

https://yachay.unat.edu.pe/blog/index.php?comment_area=format_blog&comment_component=blog&comment_co

linux以太網驅動總結