java修复xss漏洞
JAVA修复XSS漏洞
方案一:
对于请求中是封装好的对象或者以属性名作为参数的都适用以下解决方案:
封装好的对象,如:
在这里插入图片描述
使用属性名作为参数,如:
在这里插入图片描述
以/updateRole和/addRole作为例子,这两个方法中都需要对前台输入的参数进行过滤。
1.添加过滤器
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import org.apache.log4j.Logger;
public class XSSAttackInterceptor implements Filter {
private static final long serialVersionUID = 7427725804042693717L;
private Logger logger = Logger.getLogger(XSSAttackInterceptor.class);
@Override
public void init(FilterConfig filterConfig) throws ServletException {
}
@Override
public void doFilter(ServletRequest request, ServletResponse response, FilterChain filterChain) throws IOException, ServletException {
XssHttpServletRequestWrapper xssRequest = new XssHttpServletRequestWrapper((HttpServletRequest) request);
filterChain.doFilter(xssRequest, response);
}
@Override
public void destroy() {
}
}
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
import java.util.regex.Pattern;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
public class XssHttpServletRequestWrapper extends HttpServletRequestWrapper {
public XssHttpServletRequestWrapper(HttpServletRequest servletRequest) {
super(servletRequest);
}
public String[] getParameterValues(String parameter) {
String[] values = super.getParameterValues(parameter);
if (values == null) {
return null;
}
int count = values.length;
String[] encodedValues = new String[count];
for (int i = 0; i < count; i++) {
encodedValues[i] = cleanXSS(values[i]);
}
return encodedValues;
}
public String getParameter(String parameter) {
String value = super.getParameter(parameter);
if (value == null) {
return null;
}
return cleanXSS(value);
}
public String getQueryString() {
String value = super.getQueryString();
if (value == null) {
return null;
}
return cleanXSS(value);
}
public String getHeader(String name) {
String value = super.getHeader(name);
if (value == null)
return null;
return cleanXSS(value);
}
private String cleanXSS(String value) {
if (value != null) {
//删除script标签
Pattern compile = Pattern.compile("<script>(.*?)</script>", Pattern.CASE_INSENSITIVE);
value = compile.matcher(value).replaceAll("");
compile = Pattern.compile("src[\r\n]*=[\r\n]*\\\'(.*?)\\\'", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
value = compile.matcher(value).replaceAll("");
compile = Pattern.compile("src[\r\n]*=[\r\n]*\\\"(.*?)\\\"", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
value = compile.matcher(value).replaceAll("");
// 删除单个的 </script> 标签
compile = Pattern.compile("</script>", Pattern.CASE_INSENSITIVE);
value = compile.matcher(value).replaceAll("");
// 删除单个的<script ...> 标签
compile = Pattern.compile("<script(.*?)>", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
value = compile.matcher(value).replaceAll("");
// 避免 eval(...) 形式表达式
compile = Pattern.compile("eval\\((.*?)\\)", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
value = compile.matcher(value).replaceAll("");
// 避免 expression(...) 表达式
compile = Pattern.compile("expression\\((.*?)\\)", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
value = compile.matcher(value).replaceAll("");
// 避免 javascript: 表达式
compile = Pattern.compile("javascript:", Pattern.CASE_INSENSITIVE);
value = compile.matcher(value).replaceAll("");
// 避免 vbscript:表达式
compile = Pattern.compile("vbscript:", Pattern.CASE_INSENSITIVE);
value = compile.matcher(value).replaceAll("");
value = cleanEventAttact(value);
//替换特殊标签
value = value.replaceAll("<", "<").replaceAll(">", ">");
}
return value;
}
/**
* 屏蔽页面注入的所有html事件攻击
*
* @param value
* @return
*/
public String cleanEventAttact(String value) {
//避免οnclick= 表达式
Pattern compile = Pattern.compile("onafterprint(.*?)=", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
value = compile.matcher(value).replaceAll("");
compile = Pattern.compile("onbeforeprint(.*?)=", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
value = compile.matcher(value).replaceAll("");
compile = Pattern.compile("onbeforeunload(.*?)=", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
value = compile.matcher(value).replaceAll("");
compile = Pattern.compile("onerror(.*?)=", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
value = compile.matcher(value).replaceAll("");
compile = Pattern.compile("onhaschange(.*?)=", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
value = compile.matcher(value).replaceAll("");
compile = Pattern.compile("onload(.*?)=", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
value = compile.matcher(value).replaceAll("");
compile = Pattern.compile("onmessage(.*?)=", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
value = compile.matcher(value).replaceAll("");
compile = Pattern.compile("onoffline(.*?)=", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
value = compile.matcher(value).replaceAll("");
compile = Pattern.compile("ononline(.*?)=", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
value = compile.matcher(value).replaceAll("");
compile = Pattern.compile("onpagehide(.*?)=", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
value = compile.matcher(value).replaceAll("");
compile = Pattern.compile("onpageshow(.*?)=", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
value = compile.matcher(value).replaceAll("");
compile = Pattern.compile("onpopstate(.*?)=", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
value = compile.matcher(value).replaceAll("");
compile = Pattern.compile("onredo(.*?)=", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
value = compile.matcher(value).replaceAll("");
compile = Pattern.compile("onresize(.*?)=", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
value = compile.matcher(value).replaceAll("");
compile = Pattern.compile("onstorage(.*?)=", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
value = compile.matcher(value).replaceAll("");
compile = Pattern.compile("onundo(.*?)=", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
value = compile.matcher(value).replaceAll("");
compile = Pattern.compile("onunload(.*?)=", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
value = compile.matcher(value).replaceAll("");
compile = Pattern.compile("onblur(.*?)=", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
value = compile.matcher(value).replaceAll("");
compile = Pattern.compile("onchange(.*?)=", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
value = compile.matcher(value).replaceAll("");
compile = Pattern.compile("oncontextmenu(.*?)=", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
value = compile.matcher(value).replaceAll("");
compile = Pattern.compile("onfocus(.*?)=", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
value = compile.matcher(value).replaceAll("");
compile = Pattern.compile("onformchange(.*?)=", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
value = compile.matcher(value).replaceAll("");
compile = Pattern.compile("onforminput(.*?)=", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
value = compile.matcher(value).replaceAll("");
compile = Pattern.compile("oninput(.*?)=", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
value = compile.matcher(value).replaceAll("");
compile = Pattern.compile("oninvalid(.*?)=", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
value = compile.matcher(value).replaceAll("");
compile = Pattern.compile("onreset(.*?)=", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
value = compile.matcher(value).replaceAll("");
compile = Pattern.compile("onselect(.*?)=", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
value = compile.matcher(value).replaceAll("");
compile = Pattern.compile("onsubmit(.*?)=", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
value = compile.matcher(value).replaceAll("");
compile = Pattern.compile("onkeydown(.*?)=", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
value = compile.matcher(value).replaceAll("");
compile = Pattern.compile("onkeypress(.*?)=", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
value = compile.matcher(value).replaceAll("");
compile = Pattern.compile("onkeyup(.*?)=", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
value = compile.matcher(value).replaceAll("");
compile = Pattern.compile("onclick(.*?)=", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
value = compile.matcher(value).replaceAll("");
compile = Pattern.compile("ondblclick(.*?)=", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
value = compile.matcher(value).replaceAll("");
compile = Pattern.compile("ondrag(.*?)=", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
value = compile.matcher(value).replaceAll("");
compile = Pattern.compile("ondragend(.*?)=", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
value = compile.matcher(value).replaceAll("");
compile = Pattern.compile("ondragenter(.*?)=", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
value = compile.matcher(value).replaceAll("");
compile = Pattern.compile("ondragleave(.*?)=", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
value = compile.matcher(value).replaceAll("");
compile = Pattern.compile("ondragover(.*?)=", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
value = compile.matcher(value).replaceAll("");
compile = Pattern.compile("ondragstart(.*?)=", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
value = compile.matcher(value).replaceAll("");
compile = Pattern.compile("ondrop(.*?)=", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
value = compile.matcher(value).replaceAll("");
compile = Pattern.compile("onmousedown(.*?)=", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
value = compile.matcher(value).replaceAll("");
compile = Pattern.compile("onmousemove(.*?)=", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
value = compile.matcher(value).replaceAll("");
compile = Pattern.compile("onmouseout(.*?)=", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
value = compile.matcher(value).replaceAll("");
compile = Pattern.compile("onmouseover(.*?)=", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
value = compile.matcher(value).replaceAll("");
compile = Pattern.compile("onmouseenter(.*?)=", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
value = compile.matcher(value).replaceAll("");
compile = Pattern.compile("onmouseup(.*?)=", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
value = compile.matcher(value).replaceAll("");
compile = Pattern.compile("onmousewheel(.*?)=", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
value = compile.matcher(value).replaceAll("");
compile = Pattern.compile("onscroll(.*?)=", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
value = compile.matcher(value).replaceAll("");
value = value.replace("document", "");//页面屏蔽document字样
value = value.replace("alert", "");//页面屏蔽alert字样
return value;
}
}
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
2.添加配置
修改web.xml,添加过滤器配置:
<filter>
<filter-name>XSSAttackInterceptor</filter-name>
<filter-class>com.xxjf.filter.XSSAttackInterceptor</filter-class>
</filter>
<filter-mapping>
<filter-name>XSSAttackInterceptor</filter-name>
<url-pattern>/addRole</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>XSSAttackInterceptor</filter-name>
<url-pattern>/updateRole</url-pattern>
</filter-mapping>
1
2
3
4
5
6
7
8
9
10
11
12
方案二:
对于其他并不能直接获取到参数类型的情况,如下:
在这里插入图片描述
对于该情况,只能从请求中获取参数一个一个的去判断过滤,此时只能使用工具类。
1.工具类
import java.util.regex.Pattern;
public class XSSFilterUtils {
public static String cleanXSS(String value) {
if (value != null) {
//删除script标签
Pattern compile = Pattern.compile("<script>(.*?)</script>", Pattern.CASE_INSENSITIVE);
value = compile.matcher(value).replaceAll("");
compile = Pattern.compile("src[\r\n]*=[\r\n]*\\\'(.*?)\\\'", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
value = compile.matcher(value).replaceAll("");
compile = Pattern.compile("src[\r\n]*=[\r\n]*\\\"(.*?)\\\"", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
value = compile.matcher(value).replaceAll("");
// 删除单个的 </script> 标签
compile = Pattern.compile("</script>", Pattern.CASE_INSENSITIVE);
value = compile.matcher(value).replaceAll("");
// 删除单个的<script ...> 标签
compile = Pattern.compile("<script(.*?)>", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
value = compile.matcher(value).replaceAll("");
// 避免 eval(...) 形式表达式
compile = Pattern.compile("eval\\((.*?)\\)", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
value = compile.matcher(value).replaceAll("");
// 避免 expression(...) 表达式
compile = Pattern.compile("expression\\((.*?)\\)", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
value = compile.matcher(value).replaceAll("");
// 避免 javascript: 表达式
compile = Pattern.compile("javascript:", Pattern.CASE_INSENSITIVE);
value = compile.matcher(value).replaceAll("");
// 避免 vbscript:表达式
compile = Pattern.compile("vbscript:", Pattern.CASE_INSENSITIVE);
value = compile.matcher(value).replaceAll("");
value = cleanEventAttact(value);
//替换特殊标签
value = value.replaceAll("<", "<").replaceAll(">", ">");
}
return value;
}
/**
* 屏蔽页面注入的所有html事件攻击
*
* @param value
* @return
*/
public static String cleanEventAttact(String value) {
//避免οnclick= 表达式
Pattern compile = Pattern.compile("onafterprint(.*?)=", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
value = compile.matcher(value).replaceAll("");
compile = Pattern.compile("onbeforeprint(.*?)=", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
value = compile.matcher(value).replaceAll("");
compile = Pattern.compile("onbeforeunload(.*?)=", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
value = compile.matcher(value).replaceAll("");
compile = Pattern.compile("onerror(.*?)=", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
value = compile.matcher(value).replaceAll("");
compile = Pattern.compile("onhaschange(.*?)=", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
value = compile.matcher(value).replaceAll("");
compile = Pattern.compile("onload(.*?)=", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
value = compile.matcher(value).replaceAll("");
compile = Pattern.compile("onmessage(.*?)=", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
value = compile.matcher(value).replaceAll("");
compile = Pattern.compile("onoffline(.*?)=", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
value = compile.matcher(value).replaceAll("");
compile = Pattern.compile("ononline(.*?)=", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
value = compile.matcher(value).replaceAll("");
compile = Pattern.compile("onpagehide(.*?)=", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
value = compile.matcher(value).replaceAll("");
compile = Pattern.compile("onpageshow(.*?)=", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
value = compile.matcher(value).replaceAll("");
compile = Pattern.compile("onpopstate(.*?)=", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
value = compile.matcher(value).replaceAll("");
compile = Pattern.compile("onredo(.*?)=", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
value = compile.matcher(value).replaceAll("");
compile = Pattern.compile("onresize(.*?)=", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
value = compile.matcher(value).replaceAll("");
compile = Pattern.compile("onstorage(.*?)=", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
value = compile.matcher(value).replaceAll("");
compile = Pattern.compile("onundo(.*?)=", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
value = compile.matcher(value).replaceAll("");
compile = Pattern.compile("onunload(.*?)=", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
value = compile.matcher(value).replaceAll("");
compile = Pattern.compile("onblur(.*?)=", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
value = compile.matcher(value).replaceAll("");
compile = Pattern.compile("onchange(.*?)=", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
value = compile.matcher(value).replaceAll("");
compile = Pattern.compile("oncontextmenu(.*?)=", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
value = compile.matcher(value).replaceAll("");
compile = Pattern.compile("onfocus(.*?)=", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
value = compile.matcher(value).replaceAll("");
compile = Pattern.compile("onformchange(.*?)=", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
value = compile.matcher(value).replaceAll("");
compile = Pattern.compile("onforminput(.*?)=", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
value = compile.matcher(value).replaceAll("");
compile = Pattern.compile("oninput(.*?)=", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
value = compile.matcher(value).replaceAll("");
compile = Pattern.compile("oninvalid(.*?)=", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
value = compile.matcher(value).replaceAll("");
compile = Pattern.compile("onreset(.*?)=", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
value = compile.matcher(value).replaceAll("");
compile = Pattern.compile("onselect(.*?)=", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
value = compile.matcher(value).replaceAll("");
compile = Pattern.compile("onsubmit(.*?)=", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
value = compile.matcher(value).replaceAll("");
compile = Pattern.compile("onkeydown(.*?)=", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
value = compile.matcher(value).replaceAll("");
compile = Pattern.compile("onkeypress(.*?)=", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
value = compile.matcher(value).replaceAll("");
compile = Pattern.compile("onkeyup(.*?)=", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
value = compile.matcher(value).replaceAll("");
compile = Pattern.compile("onclick(.*?)=", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
value = compile.matcher(value).replaceAll("");
compile = Pattern.compile("ondblclick(.*?)=", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
value = compile.matcher(value).replaceAll("");
compile = Pattern.compile("ondrag(.*?)=", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
value = compile.matcher(value).replaceAll("");
compile = Pattern.compile("ondragend(.*?)=", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
value = compile.matcher(value).replaceAll("");
compile = Pattern.compile("ondragenter(.*?)=", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
value = compile.matcher(value).replaceAll("");
compile = Pattern.compile("ondragleave(.*?)=", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
value = compile.matcher(value).replaceAll("");
compile = Pattern.compile("ondragover(.*?)=", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
value = compile.matcher(value).replaceAll("");
compile = Pattern.compile("ondragstart(.*?)=", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
value = compile.matcher(value).replaceAll("");
compile = Pattern.compile("ondrop(.*?)=", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
value = compile.matcher(value).replaceAll("");
compile = Pattern.compile("onmousedown(.*?)=", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
value = compile.matcher(value).replaceAll("");
compile = Pattern.compile("onmousemove(.*?)=", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
value = compile.matcher(value).replaceAll("");
compile = Pattern.compile("onmouseout(.*?)=", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
value = compile.matcher(value).replaceAll("");
compile = Pattern.compile("onmouseover(.*?)=", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
value = compile.matcher(value).replaceAll("");
compile = Pattern.compile("onmouseenter(.*?)=", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
value = compile.matcher(value).replaceAll("");
compile = Pattern.compile("onmouseup(.*?)=", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
value = compile.matcher(value).replaceAll("");
compile = Pattern.compile("onmousewheel(.*?)=", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
value = compile.matcher(value).replaceAll("");
compile = Pattern.compile("onscroll(.*?)=", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
value = compile.matcher(value).replaceAll("");
value = value.replace("document", "");//页面屏蔽document字样
value = value.replace("alert", "");//页面屏蔽alert字样
return value;
}
}
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
2.使用工具类
对于需要过滤的参数进行判断然后使用工具类。
MultipartHttpServletRequest multipartRequest = (MultipartHttpServletRequest) request;
MultipartFile newsImage = multipartRequest.getFile("newsImage");
Map<String,Object> map = new HashMap<String,Object>();
String newsTitle = request.getParameter("newsTitle");
String newsTheme = request.getParameter("newsTheme");
News news = new News();
if(newsTitle != null && !"".equals(newsTitle)) {
news.setNewsTitle(XSSFilterUtils.cleanXSS(newsTitle));
}
if(newsTheme != null && !"".equals(newsTheme)) {
news.setNewsTheme(XSSFilterUtils.cleanXSS(newsTheme));
}
————————————————
版权声明:本文为CSDN博主「婉哥」的原创文章,遵循CC 4.0 BY-SA版权协议,转载请附上原文出处链接及本声明。
原文链接:https://blog.csdn.net/weixin_43876557/article/details/107658763
原文地址:https://www.cnblogs.com/tiancai/p/15010463.html
- 振幅和成交量的关系
- silverlight中的几个冷门标记 {x:Null},d:DesignWidth,d:DesignHeight
- 用scikit-learn和pandas学习线性回归
- 自动驾驶玩出新花招,以后老司机们就要失业了
- silverlight.net官方网站图片切换源码
- 制作iis自动安装包
- 安装程序无法复制一个或多个文件。特定错误码是0x4b8。
- silverlight中"制作逐帧动画"/"播放gif"收集
- Android新手之旅(1) 开发环境的安装
- Python安装模块
- 数据绑定应当注意的一个白痴问题
- 外媒称NVIDIA新架构Volta专为AI而生,对图形性能并无帮助
- 将自动通知窗体集成到类中
- ASP.NET调用word开发环境下正常,iis下报错
- java教程
- Java快速入门
- Java 开发环境配置
- Java基本语法
- Java 对象和类
- Java 基本数据类型
- Java 变量类型
- Java 修饰符
- Java 运算符
- Java 循环结构
- Java 分支结构
- Java Number类
- Java Character类
- Java String类
- Java StringBuffer和StringBuilder类
- Java 数组
- Java 日期时间
- Java 正则表达式
- Java 方法
- Java 流(Stream)、文件(File)和IO
- Java 异常处理
- Java 继承
- Java 重写(Override)与重载(Overload)
- Java 多态
- Java 抽象类
- Java 封装
- Java 接口
- Java 包(package)
- Java 数据结构
- Java 集合框架
- Java 泛型
- Java 序列化
- Java 网络编程
- Java 发送邮件
- Java 多线程编程
- Java Applet基础
- Java 文档注释
- 使用docker 搭建redis的哨兵机制
- 使用docker 搭建redis的主从复制
- 使用Python判断文件下是否有空文件夹
- MySQL 设置用户可以远程连接
- MySQL关于character_set 设置为uft8问题
- nohup 退出终端不退出任务
- windows 下Redis开机自启动
- 机器学习基础:决策树的可视化
- 持续部署入门:基于 Kubernetes 实现蓝绿发布
- PHP 实现Redis发布订阅消息及时通讯
- 简单几步,用云开发搞定短信验证码登录
- 重要的进程就让Supervisor 来守护吧!
- 机器学习基础:令你事半功倍的pipeline处理机制
- django 中如何将字典变量传给template视图层的JS
- Spring第三天:Spring的AOP的注解开发、Spring的声明式事务、JdbcTemplate