.There
are many concepts and solutions about xss on the Internet, you can refer to this:
http://www.cnblogs.com/TankXiao/archive/2012/03/21/2337194.html#xsshappen
Here we talk about our solutions in recent projects , mainly uses the org.apache.commons.lang3.StringEscapeUtils.escapeHtml4() method of the commons-lang3-3.1.jar package.
The solution process is mainly in two steps of user input and display output: escape special characters such as <>" ' & when inputting, and use jstl's fn:excapeXml("fff") method when outputting.
Among them, the filtering during input is Use a filter to implement, the
implementation process:
add a filter to web.xml
<filter>
<filter-name>XssEscape</filter-name>
<filter-class>cn.pconline.morden.filter.XssFilter</filter-class >
</filter>
<filter-mapping>
<filter-name>XssEscape</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
package cn.pconline.morden.filter;
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
public class XssFilter implements Filter {
@Override
public void init(FilterConfig filterConfig) throws ServletException {
}
@Override
public void doFilter(ServletRequest request, ServletResponse response,
FilterChain chain) throws IOException, ServletException {
chain.doFilter(new XssHttpServletRequestWrapper((HttpServletRequest) request), response);
}
@Override
public void destroy() {
}
}
package cn.pconline.morden.filter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import org.apache.commons.lang3.StringEscapeUtils;
public class XssHttpServletRequestWrapper extends HttpServletRequestWrapper {
public XssHttpServletRequestWrapper(HttpServletRequest request) {
super(request);
}
@Override
public String getHeader(String name) {
return StringEscapeUtils.escapeHtml4(super.getHeader(name));
}
@Override
public String getQueryString() {
return StringEscapeUtils.escapeHtml4(super.getQueryString());
}
@Override
public String getParameter(String name) {
return StringEscapeUtils.escapeHtml4(super.getParameter(name));
}
@Override
public String[] getParameterValues(String name) {
String[] values = super.getParameterValues(name);
if(values != null) {
int length = values.length;
String[] escapseValues = new String[length];
for(int i = 0; i < length; i++){
escapseValues[i] = StringEscapeUtils.escapeHtml4(values[i]);
}
return escapseValues;
}
return super.getParameterValues(name);
}
}
java defense xss attack
Guess you like
Origin http://10.200.1.11:23101/article/api/json?id=327091015&siteId=291194637
Recommended
Ranking