在用java进行web业务开发的时候,对于页面上接收到的参数,除了极少数是步可预知的内容外,大量的参数名和参数值都是不会出现触发Xss漏洞的字符。而通常为了避免Xss漏洞,都是开发人员各自在页面输出和数据入库等地方加上各种各样的encode方法来避免Xss问题。而由于开发人员的水平不一,加上在编写代码的过程中安全意识的差异,可能会粗心漏掉对用户输入内容进行encode处理。针对这种大量参数是不可能出现引起Xss和SQL注入漏洞的业务场景下,因此可以使用一个适用大多数业务场景的通用处理方法,牺牲少量用户体验,来避免Xss漏洞和SQL注入。
那就是利用Servlet的过滤器机制,编写定制的XssFilter,将request请求代理,覆盖getParameter和getHeader方法将参数名和参数值里的指定半角字符,强制替换成全角字符。使得在业务层的处理时不用担心会有异常输入内容。
XssFilter.java
- package filter;
- import java.io.IOException;
- import javax.servlet.Filter;
- import javax.servlet.FilterChain;
- import javax.servlet.FilterConfig;
- import javax.servlet.ServletException;
- import javax.servlet.ServletRequest;
- import javax.servlet.ServletResponse;
- import javax.servlet.http.HttpServletRequest;
- public class XssFilter implements Filter {
- public void init(FilterConfig config) throws ServletException {
- }
- public void doFilter(ServletRequest request, ServletResponse response,
- FilterChain chain) throws IOException, ServletException
- {
- XssHttpServletRequestWrapper xssRequest = new XssHttpServletRequestWrapper(
- (HttpServletRequest) request);
- chain.doFilter(xssRequest, response);
- }
- public void destroy() {
- }
- }
XssHttpServletRequestWrapper.java
- package filter;
- import javax.servlet.http.HttpServletRequest;
- import javax.servlet.http.HttpServletRequestWrapper;
- public class XssHttpServletRequestWrapper extends HttpServletRequestWrapper {
- HttpServletRequest orgRequest = null;
- public XssHttpServletRequestWrapper(HttpServletRequest request) {
- super(request);
- orgRequest = request;
- }
- /**
- * 覆盖getParameter方法,将参数名和参数值都做xss过滤。<br/>
- * 如果需要获得原始的值,则通过super.getParameterValues(name)来获取<br/>
- * getParameterNames,getParameterValues和getParameterMap也可能需要覆盖
- */
- @Override
- public String getParameter(String name) {
- String value = super.getParameter(xssEncode(name));
- if (value != null) {
- value = xssEncode(value);
- }
- return value;
- }
- /**
- * 覆盖getHeader方法,将参数名和参数值都做xss过滤。<br/>
- * 如果需要获得原始的值,则通过super.getHeaders(name)来获取<br/>
- * getHeaderNames 也可能需要覆盖
- */
- @Override
- public String getHeader(String name) {
- String value = super.getHeader(xssEncode(name));
- if (value != null) {
- value = xssEncode(value);
- }
- return value;
- }
- /**
- * 将容易引起xss漏洞的半角字符直接替换成全角字符
- *
- * @param s
- * @return
- */
- private static String xssEncode(String s) {
- if (s == null || s.isEmpty()) {
- return s;
- }
- StringBuilder sb = new StringBuilder(s.length() + 16);
- for (int i = 0; i < s.length(); i++) {
- char c = s.charAt(i);
- switch (c) {
- case '>':
- sb.append('>');//全角大于号
- break;
- case '<':
- sb.append('<');//全角小于号
- break;
- case '\'':
- sb.append('‘');//全角单引号
- break;
- case '\"':
- sb.append('“');//全角双引号
- break;
- case '&':
- sb.append('&');//全角
- break;
- case '\\':
- sb.append('\');//全角斜线
- break;
- case '#':
- sb.append('#');//全角井号
- break;
- default:
- sb.append(c);
- break;
- }
- }
- return sb.toString();
- }
- /**
- * 获取最原始的request
- *
- * @return
- */
- public HttpServletRequest getOrgRequest() {
- return orgRequest;
- }
- /**
- * 获取最原始的request的静态方法
- *
- * @return
- */
- public static HttpServletRequest getOrgRequest(HttpServletRequest req) {
- if(req instanceof XssHttpServletRequestWrapper){
- return ((XssHttpServletRequestWrapper)req).getOrgRequest();
- }
- return req;
- }
- }
在web.xml中添加
- <filter>
- <filter-name>xssFilter</filter-name>
- <filter-class>filter.XssFilter</filter-class>
- </filter>
- <filter-mapping>
- <filter-name>xssFilter</filter-name>
- <url-pattern>/*</url-pattern>
- </filter-mapping>