(一)防攻击工具类
package cn.zcy.gov.util;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
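/**
 * Regex helpers that screen user-supplied text for a fixed set of script-injection
 * constructs and that strip HTML markup from a string.
 *
 * <p>{@link #canXSS(String)} is a blocklist: it reports only the constructs named by the
 * patterns below (script blocks, quoted {@code src=} values, {@code eval(...)},
 * {@code expression(...)}, {@code javascript:}, {@code vbscript:} and {@code onload=}).
 * Text that matches none of them passes, so this check complements, and does not replace,
 * contextual output encoding of the value wherever it is rendered.
 *
 * <p>All patterns are compiled once; the class holds no mutable state and is thread-safe.
 */
public class PatternUtils {
    /** Any run of ASCII whitespace (space, tab, CR, LF, FF, VT). */
    private static final Pattern WHITESPACE_PATTERN = Pattern.compile("\\s+");
    /** {@code <script ...> ... </script>}, whitespace tolerated inside the tag delimiters. */
    private static final Pattern SCRIPT_PATTERN = Pattern.compile(
            "<[\\s]*?script[^>]*?>[\\s\\S]*?<[\\s]*?\\/[\\s]*?script[\\s]*?>", Pattern.CASE_INSENSITIVE);
    /** {@code <style ...> ... </style>}, same shape as {@link #SCRIPT_PATTERN}. */
    private static final Pattern STYLE_PATTERN = Pattern.compile(
            "<[\\s]*?style[^>]*?>[\\s\\S]*?<[\\s]*?\\/[\\s]*?style[\\s]*?>", Pattern.CASE_INSENSITIVE);
    /** A complete tag: {@code <} up to and including the next {@code >}. */
    private static final Pattern HTML_PATTERN1 = Pattern.compile("<[^>]+>", Pattern.CASE_INSENSITIVE);
    /** An unterminated tag: {@code <} followed by at least one non-{@code >} character. */
    private static final Pattern HTML_PATTERN2 = Pattern.compile("<[^>]+", Pattern.CASE_INSENSITIVE);
    /** {@code src='...'} (single quotes); CR/LF allowed around {@code =}. */
    private static final Pattern SRC_PATTERN1 = Pattern.compile(
            "src[\r\n]*=[\r\n]*\\\'(.*?)\\\'", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
    /** {@code src="..."} (double quotes); CR/LF allowed around {@code =}. */
    private static final Pattern SRC_PATTERN2 = Pattern.compile(
            "src[\r\n]*=[\r\n]*\\\"(.*?)\\\"", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
    /** {@code eval(...)}. */
    private static final Pattern EVAL_PATTERN = Pattern.compile(
            "eval\\((.*?)\\)", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
    /** CSS {@code expression(...)}. */
    private static final Pattern EXPRESSION_PATTERN = Pattern.compile(
            "expression\\((.*?)\\)", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
    /** {@code javascript:} URL scheme. */
    private static final Pattern JAVASCRIPT_PATTERN = Pattern.compile("javascript:", Pattern.CASE_INSENSITIVE);
    /** {@code vbscript:} URL scheme. */
    private static final Pattern VBSCRIPT_PATTERN = Pattern.compile("vbscript:", Pattern.CASE_INSENSITIVE);
    /** {@code onload ... =} attribute assignment. */
    private static final Pattern ONLOAD_PATTERN = Pattern.compile(
            "onload(.*?)=", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
    /**
     * Patterns that make {@link #canXSS(String)} return {@code true}. Order does not affect
     * the result; the first hit short-circuits. Declared after its members so that static
     * initialisation sees them already assigned.
     */
    private static final Pattern[] XSS_PATTERNS = {
        SCRIPT_PATTERN, SRC_PATTERN1, SRC_PATTERN2, EVAL_PATTERN, EXPRESSION_PATTERN,
        JAVASCRIPT_PATTERN, VBSCRIPT_PATTERN, ONLOAD_PATTERN
    };

    /**
     * Reports whether {@code value} contains any of the blocklisted script constructs.
     *
     * <p>All ASCII whitespace is removed before matching so that a keyword split by spaces,
     * tabs or line breaks (for example {@code "java script:"}) is still recognised. The
     * previous implementation removed only the space character, so a tab or newline inside
     * a keyword was enough to leave it unmatched.
     *
     * @param value the text to screen; {@code null} is treated as safe
     * @return {@code true} if any blocklisted construct is present, {@code false} otherwise
     *         (including for {@code null}); boxed to preserve the existing signature
     */
    public static Boolean canXSS(String value) {
        if (value == null) {
            return false;
        }
        // Recommended: canonicalize first (e.g. ESAPI.encoder().canonicalize(value)) so that
        // encoded variants are matched as well; this class deliberately has no ESAPI dependency.
        String compact = WHITESPACE_PATTERN.matcher(value).replaceAll("");
        for (Pattern pattern : XSS_PATTERNS) {
            if (pattern.matcher(compact).find()) {
                return true;
            }
        }
        return false;
    }

    /**
     * Strips script blocks, style blocks, every remaining tag (complete or unterminated) and
     * all whitespace from {@code inputString}.
     *
     * <p>A stray {@code <} that is followed by text but never closed by {@code >} is removed
     * together with the text after it, because {@link #HTML_PATTERN2} treats it as an
     * unterminated tag. The final whitespace pass uses {@code \\s+}, which removes exactly
     * what the earlier {@code \\s*|\t|\r|\n} alternation removed, without the empty matches.
     *
     * @param inputString the HTML text; may be {@code null}
     * @return the stripped text, or {@code null} when {@code inputString} is {@code null}
     *         (previously this threw {@link NullPointerException} from {@code Pattern.matcher})
     */
    public static String delHtmlTag(String inputString) {
        if (inputString == null) {
            return null;
        }
        String text = SCRIPT_PATTERN.matcher(inputString).replaceAll("");
        text = STYLE_PATTERN.matcher(text).replaceAll("");
        text = HTML_PATTERN1.matcher(text).replaceAll("");
        text = HTML_PATTERN2.matcher(text).replaceAll("");
        return WHITESPACE_PATTERN.matcher(text).replaceAll("");
    }
}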
(二)工具类的调用
@RequestMapping(value = "/letter/create")
@ResponseBody
public Boolean createLetter(@Valid PublicLetterDto publicLetterDto, BindingResult bindingResult,
@RequestParam(value = "attachments", required = false) MultipartFile[] attachments,
HttpServletRequest request) {
SysSite sysSite = SystemInitData.getSite(RequestUtils.analyzeDomain());
if (bindingResult.hasErrors()) {
throw new JsonResponseException(bindingResult.getAllErrors().get(0).getDefaultMessage());
}
if (PatternUtils.canXSS(publicLetterDto.getName())) {
throw new JsonResponseException("name.is.valid");
}
//==========================上海【starat】
//判断是否为上海网站
if (sysSite.getId() == 77) {
//短信验证码
if (!publicLetterDto.getCaptcha().equals("手机发的短信验证码".trim())) {
throw new JsonResponseException("captcha.is.valid");
}
if (!IdCardUtils.isIDNumber(publicLetterDto.getIdCardNum())) {
throw new JsonResponseException("idCardNum.is.valid");
}
if (PatternUtils.canXSS(publicLetterDto.getAddress())) {
throw new JsonResponseException("address.is.valid");
}
if (!publicLetterDto.getEmail().matches(EMAILPATTERN)) {
throw new JsonResponseException("email.is.not.right");
}
}