• XSS过滤JAVA过滤器filter 防止常见SQL注入


    Java项目中XSS过滤器的使用方法。

    简单介绍:

    XSS : 跨站脚本攻击(Cross Site Scripting),为不和层叠样式表(Cascading Style Sheets, CSS)的缩写混淆,故将跨站脚本攻击缩写为XSS。恶意攻击者往Web页面里插入恶意html代码,当用户浏览该页之时,嵌入其中Web里面的html代码会被执行,从而达到恶意攻击用户的特殊目的。

    sql注入
    所谓SQL注入,就是通过把SQL命令插入到Web表单提交或输入域名或页面请求的查询字符串,最终达到欺骗服务器执行恶意的SQL命令。具体来说,它是利用现有应用程序,将(恶意)的SQL命令注入到后台数据库引擎执行的能力,它可以通过在Web表单中输入(恶意)SQL语句得到一个存在安全漏洞的网站上的数据库,而不是按照设计者意图去执行SQL语句。

    实现方式,共三步:

    第一步:配置web.xml

    <filter>
        <filter-name>xssFilter</filter-name>
        <filter-class>com.wfcm.xss.XssFilter</filter-class>
      </filter>
      <filter-mapping>
        <filter-name>xssFilter</filter-name>
        <url-pattern>/*</url-pattern>
      </filter-mapping>

    第二步:过滤工具类

    1.XSSFilter.java

    package com.wfcm.xss;
    
    import javax.servlet.*;
    import javax.servlet.http.HttpServletRequest;
    import java.io.IOException;
    
    
    /**
     * xss过滤
     * @author xlf
     * @email xlfbe696@gmail.com
     * @date 2017年4月19日 上午10:41:42
     */
    public class XssFilter implements Filter {
    
        @Override
        public void init(FilterConfig config) throws ServletException {
        }
    
        public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
                throws IOException, ServletException {
            
            
            XssHttpServletRequestWrapper xssRequest = new XssHttpServletRequestWrapper(
                    (HttpServletRequest) request);
            chain.doFilter(xssRequest, response);
        }
    
        @Override
        public void destroy() {
        }
    
    }
    View Code

    2.XssHttpServletRequestWrapper

    package com.wfcm.xss;
    
    import org.apache.commons.lang.StringEscapeUtils;
    import org.apache.commons.lang.StringUtils;
    
    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpServletRequestWrapper;
    import java.util.LinkedHashMap;
    import java.util.Map;
    
    public class XssHttpServletRequestWrapper  extends HttpServletRequestWrapper {
    
        // 没被包装过的HttpServletRequest(特殊场景,需求自己过滤)
            HttpServletRequest orgRequest;
            // html过滤
            private final static HTMLFilter htmlFilter = new HTMLFilter();
    
            public XssHttpServletRequestWrapper(HttpServletRequest request) {
                super(request);
                orgRequest = request;
            }
    
            @Override
            public String getParameter(String name) {
                String value = super.getParameter(xssEncode(name));
                if (StringUtils.isNotBlank(value)) {
                    value =xssEncode(value);
                }
    
                //SQL注入检查
    //            value = SQLFilter.sqlInject(value);
                value = SQLFilter.sqlInject(value);
    
                return StringEscapeUtils.unescapeHtml(value);
            }
    
            @Override
            public String[] getParameterValues(String name) {
                String[] parameters = super.getParameterValues(name);
                if (parameters == null || parameters.length == 0) {
                    return null;
                }
    
                for (int i = 0; i < parameters.length; i++) {
                    parameters[i] = xssEncode(parameters[i]);
                    //SQL注入检查
    //                parameters[i] = SQLFilter.sqlInject(parameters[i]);
                    parameters[i] = SQLFilter.sqlInject(parameters[i]);
                    parameters[i] = StringEscapeUtils.unescapeHtml(parameters[i]);
                }
                return parameters;
            }
    
            @Override
            public Map<String, String[]> getParameterMap() {
                Map<String, String[]> map = new LinkedHashMap<>();
                Map<String, String[]> parameters = super.getParameterMap();
                for (String key : parameters.keySet()) {
                    String[] values = parameters.get(key);
                    for (int i = 0; i < values.length; i++) {
                        values[i] = xssEncode(values[i]);
                        //SQL注入检查
    //                    values[i] = SQLFilter.sqlInject(values[i]);
                        values[i] = SQLFilter.sqlInject(values[i]);
                        values[i] = StringEscapeUtils.unescapeHtml(values[i]);
                    }
                    map.put(key, values);
                }
                return map;
            }
    
            @Override
            public String getHeader(String name) {
                String value = super.getHeader(xssEncode(name));
                if (StringUtils.isNotBlank(value)) {
                    value = xssEncode(value);
                }
                
                //SQL注入检查
    //                    value = SQLFilter.sqlInject(value);
                value = SQLFilter.sqlInject(value);
                return StringEscapeUtils.unescapeHtml(value);
            }
    
            private String xssEncode(String input) {
                return htmlFilter.filter(input);
            }
    
            /**
             * 获取最原始的request
             */
            public HttpServletRequest getOrgRequest() {
                return orgRequest;
            }
    
            /**
             * 获取最原始的request
             */
            public static HttpServletRequest getOrgRequest(HttpServletRequest request) {
                if (request instanceof XssHttpServletRequestWrapper) {
                    return ((XssHttpServletRequestWrapper) request).getOrgRequest();
                }
    
                return request;
            }
    
    }
    View Code

    3.HTMLFilter

    package com.wfcm.xss;
    
    import java.util.ArrayList;
    import java.util.Collections;
    import java.util.HashMap;
    import java.util.List;
    import java.util.Map;
    import java.util.concurrent.ConcurrentHashMap;
    import java.util.concurrent.ConcurrentMap;
    import java.util.logging.Logger;
    import java.util.regex.Matcher;
    import java.util.regex.Pattern;
    /**
    *
    * HTML filtering utility for protecting against XSS (Cross Site Scripting).
    *
    * This code is licensed LGPLv3
    *
    * This code is a Java port of the original work in PHP by Cal Hendersen.
    * http://code.iamcal.com/php/lib_filter/
    *
    * The trickiest part of the translation was handling the differences in regex handling
    * between PHP and Java.  These resources were helpful in the process:
    *
    * http://java.sun.com/j2se/1.4.2/docs/api/java/util/regex/Pattern.html
    * http://us2.php.net/manual/en/reference.pcre.pattern.modifiers.php
    * http://www.regular-expressions.info/modifiers.html
    *
    * A note on naming conventions: instance variables are prefixed with a "v"; global
    * constants are in all caps.
    *
    * Sample use:
    * String input = ...
    * String clean = new HTMLFilter().filter( input );
    *
    * The class is not thread safe. Create a new instance if in doubt.
    *
    * If you find bugs or have suggestions on improvement (especially regarding
    * performance), please contact us.  The latest version of this
    * source, and our contact details, can be found at http://xss-html-filter.sf.net
    *
    * @author Joseph O'Connell
    * @author Cal Hendersen
    * @author Michael Semb Wever
    */
    public class HTMLFilter {
    
        /** regex flag union representing /si modifiers in php **/
        private static final int REGEX_FLAGS_SI = Pattern.CASE_INSENSITIVE | Pattern.DOTALL;
        private static final Pattern P_COMMENTS = Pattern.compile("<!--(.*?)-->", Pattern.DOTALL);
        private static final Pattern P_COMMENT = Pattern.compile("^!--(.*)--$", REGEX_FLAGS_SI);
        private static final Pattern P_TAGS = Pattern.compile("<(.*?)>", Pattern.DOTALL);
        private static final Pattern P_END_TAG = Pattern.compile("^/([a-z0-9]+)", REGEX_FLAGS_SI);
        private static final Pattern P_START_TAG = Pattern.compile("^([a-z0-9]+)(.*?)(/?)$", REGEX_FLAGS_SI);
        private static final Pattern P_QUOTED_ATTRIBUTES = Pattern.compile("([a-z0-9]+)=(["'])(.*?)\2", REGEX_FLAGS_SI);
        private static final Pattern P_UNQUOTED_ATTRIBUTES = Pattern.compile("([a-z0-9]+)(=)([^"\s']+)", REGEX_FLAGS_SI);
        private static final Pattern P_PROTOCOL = Pattern.compile("^([^:]+):", REGEX_FLAGS_SI);
        private static final Pattern P_ENTITY = Pattern.compile("&#(\d+);?");
        private static final Pattern P_ENTITY_UNICODE = Pattern.compile("&#x([0-9a-f]+);?");
        private static final Pattern P_ENCODE = Pattern.compile("%([0-9a-f]{2});?");
        private static final Pattern P_VALID_ENTITIES = Pattern.compile("&([^&;]*)(?=(;|&|$))");
        private static final Pattern P_VALID_QUOTES = Pattern.compile("(>|^)([^<]+?)(<|$)", Pattern.DOTALL);
        private static final Pattern P_END_ARROW = Pattern.compile("^>");
        private static final Pattern P_BODY_TO_END = Pattern.compile("<([^>]*?)(?=<|$)");
        private static final Pattern P_XML_CONTENT = Pattern.compile("(^|>)([^<]*?)(?=>)");
        private static final Pattern P_STRAY_LEFT_ARROW = Pattern.compile("<([^>]*?)(?=<|$)");
        private static final Pattern P_STRAY_RIGHT_ARROW = Pattern.compile("(^|>)([^<]*?)(?=>)");
        private static final Pattern P_AMP = Pattern.compile("&");
        private static final Pattern P_QUOTE = Pattern.compile(""");
        private static final Pattern P_LEFT_ARROW = Pattern.compile("<");
        private static final Pattern P_RIGHT_ARROW = Pattern.compile(">");
        private static final Pattern P_BOTH_ARROWS = Pattern.compile("<>");
        private static final Pattern P_DOUBLE_QUOT = Pattern.compile("&quot;");
    
        // @xxx could grow large... maybe use sesat's ReferenceMap
        private static final ConcurrentMap<String,Pattern> P_REMOVE_PAIR_BLANKS = new ConcurrentHashMap<String, Pattern>();
        private static final ConcurrentMap<String,Pattern> P_REMOVE_SELF_BLANKS = new ConcurrentHashMap<String, Pattern>();
    
        /** set of allowed html elements, along with allowed attributes for each element **/
        private final Map<String, List<String>> vAllowed;
        /** counts of open tags for each (allowable) html element **/
        private final Map<String, Integer> vTagCounts = new HashMap<String, Integer>();
    
        /** html elements which must always be self-closing (e.g. "<img />") **/
        private final String[] vSelfClosingTags;
        /** html elements which must always have separate opening and closing tags (e.g. "<b></b>") **/
        private final String[] vNeedClosingTags;
        /** set of disallowed html elements **/
        private final String[] vDisallowed;
        /** attributes which should be checked for valid protocols **/
        private final String[] vProtocolAtts;
        /** allowed protocols **/
        private final String[] vAllowedProtocols;
        /** tags which should be removed if they contain no content (e.g. "<b></b>" or "<b />") **/
        private final String[] vRemoveBlanks;
        /** entities allowed within html markup **/
        private final String[] vAllowedEntities;
        /** flag determining whether comments are allowed in input String. */
        private final boolean stripComment;
        private final boolean encodeQuotes;
        private boolean vDebug = false;
        /**
         * flag determining whether to try to make tags when presented with "unbalanced"
         * angle brackets (e.g. "<b text </b>" becomes "<b> text </b>").  If set to false,
         * unbalanced angle brackets will be html escaped.
         */
        private final boolean alwaysMakeTags;
    
        /** Default constructor.
         *
         */
        public HTMLFilter() {
            vAllowed = new HashMap<>();
    
            final ArrayList<String> a_atts = new ArrayList<String>();
            a_atts.add("href");
            a_atts.add("target");
            vAllowed.put("a", a_atts);
    
            final ArrayList<String> img_atts = new ArrayList<String>();
            img_atts.add("src");
            img_atts.add("width");
            img_atts.add("height");
            img_atts.add("alt");
            vAllowed.put("img", img_atts);
    
            final ArrayList<String> no_atts = new ArrayList<String>();
            vAllowed.put("b", no_atts);
            vAllowed.put("strong", no_atts);
            vAllowed.put("i", no_atts);
            vAllowed.put("em", no_atts);
    
            vSelfClosingTags = new String[]{"img"};
            vNeedClosingTags = new String[]{"a", "b", "strong", "i", "em"};
            vDisallowed = new String[]{};
            vAllowedProtocols = new String[]{"http", "mailto", "https"}; // no ftp.
            vProtocolAtts = new String[]{"src", "href"};
            vRemoveBlanks = new String[]{"a", "b", "strong", "i", "em"};
            vAllowedEntities = new String[]{"amp", "gt", "lt", "quot"};
            stripComment = true;
            encodeQuotes = true;
            alwaysMakeTags = true;
        }
    
        /** Set debug flag to true. Otherwise use default settings. See the default constructor.
         *
         * @param debug turn debug on with a true argument
         */
        public HTMLFilter(final boolean debug) {
            this();
            vDebug = debug;
    
        }
    
        /** Map-parameter configurable constructor.
         *
         * @param conf map containing configuration. keys match field names.
         */
        public HTMLFilter(final Map<String,Object> conf) {
    
            assert conf.containsKey("vAllowed") : "configuration requires vAllowed";
            assert conf.containsKey("vSelfClosingTags") : "configuration requires vSelfClosingTags";
            assert conf.containsKey("vNeedClosingTags") : "configuration requires vNeedClosingTags";
            assert conf.containsKey("vDisallowed") : "configuration requires vDisallowed";
            assert conf.containsKey("vAllowedProtocols") : "configuration requires vAllowedProtocols";
            assert conf.containsKey("vProtocolAtts") : "configuration requires vProtocolAtts";
            assert conf.containsKey("vRemoveBlanks") : "configuration requires vRemoveBlanks";
            assert conf.containsKey("vAllowedEntities") : "configuration requires vAllowedEntities";
    
            vAllowed = Collections.unmodifiableMap((HashMap<String, List<String>>) conf.get("vAllowed"));
            vSelfClosingTags = (String[]) conf.get("vSelfClosingTags");
            vNeedClosingTags = (String[]) conf.get("vNeedClosingTags");
            vDisallowed = (String[]) conf.get("vDisallowed");
            vAllowedProtocols = (String[]) conf.get("vAllowedProtocols");
            vProtocolAtts = (String[]) conf.get("vProtocolAtts");
            vRemoveBlanks = (String[]) conf.get("vRemoveBlanks");
            vAllowedEntities = (String[]) conf.get("vAllowedEntities");
            stripComment =  conf.containsKey("stripComment") ? (Boolean) conf.get("stripComment") : true;
            encodeQuotes = conf.containsKey("encodeQuotes") ? (Boolean) conf.get("encodeQuotes") : true;
            alwaysMakeTags = conf.containsKey("alwaysMakeTags") ? (Boolean) conf.get("alwaysMakeTags") : true;
        }
    
        private void reset() {
            vTagCounts.clear();
        }
    
        private void debug(final String msg) {
            if (vDebug) {
                Logger.getAnonymousLogger().info(msg);
            }
        }
    
        //---------------------------------------------------------------
        // my versions of some PHP library functions
        public static String chr(final int decimal) {
            return String.valueOf((char) decimal);
        }
    
        public static String htmlSpecialChars(final String s) {
            String result = s;
            result = regexReplace(P_AMP, "&amp;", result);
            result = regexReplace(P_QUOTE, "&quot;", result);
            result = regexReplace(P_LEFT_ARROW, "&lt;", result);
            result = regexReplace(P_RIGHT_ARROW, "&gt;", result);
            return result;
        }
    
        //---------------------------------------------------------------
        /**
         * given a user submitted input String, filter out any invalid or restricted
         * html.
         *
         * @param input text (i.e. submitted by a user) than may contain html
         * @return "clean" version of input, with only valid, whitelisted html elements allowed
         */
        public String filter(final String input) {
            reset();
            String s = input;
    
            debug("************************************************");
            debug("              INPUT: " + input);
    
            s = escapeComments(s);
            debug("     escapeComments: " + s);
    
            s = balanceHTML(s);
            debug("        balanceHTML: " + s);
    
            s = checkTags(s);
            debug("          checkTags: " + s);
    
            s = processRemoveBlanks(s);
            debug("processRemoveBlanks: " + s);
    
            s = validateEntities(s);
            debug("    validateEntites: " + s);
    
            debug("************************************************
    
    ");
            return s;
        }
    
        public boolean isAlwaysMakeTags(){
            return alwaysMakeTags;
        }
    
        public boolean isStripComments(){
            return stripComment;
        }
    
        private String escapeComments(final String s) {
            final Matcher m = P_COMMENTS.matcher(s);
            final StringBuffer buf = new StringBuffer();
            if (m.find()) {
                final String match = m.group(1); //(.*?)
                m.appendReplacement(buf, Matcher.quoteReplacement("<!--" + htmlSpecialChars(match) + "-->"));
            }
            m.appendTail(buf);
    
            return buf.toString();
        }
    
        private String balanceHTML(String s) {
            if (alwaysMakeTags) {
                //
                // try and form html
                //
                s = regexReplace(P_END_ARROW, "", s);
                s = regexReplace(P_BODY_TO_END, "<$1>", s);
                s = regexReplace(P_XML_CONTENT, "$1<$2", s);
    
            } else {
                //
                // escape stray brackets
                //
                s = regexReplace(P_STRAY_LEFT_ARROW, "&lt;$1", s);
                s = regexReplace(P_STRAY_RIGHT_ARROW, "$1$2&gt;<", s);
    
                //
                // the last regexp causes '<>' entities to appear
                // (we need to do a lookahead assertion so that the last bracket can
                // be used in the next pass of the regexp)
                //
                s = regexReplace(P_BOTH_ARROWS, "", s);
            }
    
            return s;
        }
    
        private String checkTags(String s) {
            Matcher m = P_TAGS.matcher(s);
    
            final StringBuffer buf = new StringBuffer();
            while (m.find()) {
                String replaceStr = m.group(1);
                replaceStr = processTag(replaceStr);
                m.appendReplacement(buf, Matcher.quoteReplacement(replaceStr));
            }
            m.appendTail(buf);
    
            s = buf.toString();
    
            // these get tallied in processTag
            // (remember to reset before subsequent calls to filter method)
            for (String key : vTagCounts.keySet()) {
                for (int ii = 0; ii < vTagCounts.get(key); ii++) {
                    s += "</" + key + ">";
                }
            }
    
            return s;
        }
    
        private String processRemoveBlanks(final String s) {
            String result = s;
            for (String tag : vRemoveBlanks) {
                if(!P_REMOVE_PAIR_BLANKS.containsKey(tag)){
                    P_REMOVE_PAIR_BLANKS.putIfAbsent(tag, Pattern.compile("<" + tag + "(\s[^>]*)?></" + tag + ">"));
                }
                result = regexReplace(P_REMOVE_PAIR_BLANKS.get(tag), "", result);
                if(!P_REMOVE_SELF_BLANKS.containsKey(tag)){
                    P_REMOVE_SELF_BLANKS.putIfAbsent(tag, Pattern.compile("<" + tag + "(\s[^>]*)?/>"));
                }
                result = regexReplace(P_REMOVE_SELF_BLANKS.get(tag), "", result);
            }
    
            return result;
        }
    
        private static String regexReplace(final Pattern regex_pattern, final String replacement, final String s) {
            Matcher m = regex_pattern.matcher(s);
            return m.replaceAll(replacement);
        }
    
        private String processTag(final String s) {
            // ending tags
            Matcher m = P_END_TAG.matcher(s);
            if (m.find()) {
                final String name = m.group(1).toLowerCase();
                if (allowed(name)) {
                    if (!inArray(name, vSelfClosingTags)) {
                        if (vTagCounts.containsKey(name)) {
                            vTagCounts.put(name, vTagCounts.get(name) - 1);
                            return "</" + name + ">";
                        }
                    }
                }
            }
    
            // starting tags
            m = P_START_TAG.matcher(s);
            if (m.find()) {
                final String name = m.group(1).toLowerCase();
                final String body = m.group(2);
                String ending = m.group(3);
    
                //debug( "in a starting tag, name='" + name + "'; body='" + body + "'; ending='" + ending + "'" );
                if (allowed(name)) {
                    String params = "";
    
                    final Matcher m2 = P_QUOTED_ATTRIBUTES.matcher(body);
                    final Matcher m3 = P_UNQUOTED_ATTRIBUTES.matcher(body);
                    final List<String> paramNames = new ArrayList<String>();
                    final List<String> paramValues = new ArrayList<String>();
                    while (m2.find()) {
                        paramNames.add(m2.group(1)); //([a-z0-9]+)
                        paramValues.add(m2.group(3)); //(.*?)
                    }
                    while (m3.find()) {
                        paramNames.add(m3.group(1)); //([a-z0-9]+)
                        paramValues.add(m3.group(3)); //([^"\s']+)
                    }
    
                    String paramName, paramValue;
                    for (int ii = 0; ii < paramNames.size(); ii++) {
                        paramName = paramNames.get(ii).toLowerCase();
                        paramValue = paramValues.get(ii);
    
    //          debug( "paramName='" + paramName + "'" );
    //          debug( "paramValue='" + paramValue + "'" );
    //          debug( "allowed? " + vAllowed.get( name ).contains( paramName ) );
    
                        if (allowedAttribute(name, paramName)) {
                            if (inArray(paramName, vProtocolAtts)) {
                                paramValue = processParamProtocol(paramValue);
                            }
                            params += " " + paramName + "="" + paramValue + """;
                        }
                    }
    
                    if (inArray(name, vSelfClosingTags)) {
                        ending = " /";
                    }
    
                    if (inArray(name, vNeedClosingTags)) {
                        ending = "";
                    }
    
                    if (ending == null || ending.length() < 1) {
                        if (vTagCounts.containsKey(name)) {
                            vTagCounts.put(name, vTagCounts.get(name) + 1);
                        } else {
                            vTagCounts.put(name, 1);
                        }
                    } else {
                        ending = " /";
                    }
                    return "<" + name + params + ending + ">";
                } else {
                    return "";
                }
            }
    
            // comments
            m = P_COMMENT.matcher(s);
            if (!stripComment && m.find()) {
                return  "<" + m.group() + ">";
            }
    
            return "";
        }
    
        private String processParamProtocol(String s) {
            s = decodeEntities(s);
            final Matcher m = P_PROTOCOL.matcher(s);
            if (m.find()) {
                final String protocol = m.group(1);
                if (!inArray(protocol, vAllowedProtocols)) {
                    // bad protocol, turn into local anchor link instead
                    s = "#" + s.substring(protocol.length() + 1, s.length());
                    if (s.startsWith("#//")) {
                        s = "#" + s.substring(3, s.length());
                    }
                }
            }
    
            return s;
        }
    
        private String decodeEntities(String s) {
            StringBuffer buf = new StringBuffer();
    
            Matcher m = P_ENTITY.matcher(s);
            while (m.find()) {
                final String match = m.group(1);
                final int decimal = Integer.decode(match).intValue();
                m.appendReplacement(buf, Matcher.quoteReplacement(chr(decimal)));
            }
            m.appendTail(buf);
            s = buf.toString();
    
            buf = new StringBuffer();
            m = P_ENTITY_UNICODE.matcher(s);
            while (m.find()) {
                final String match = m.group(1);
                final int decimal = Integer.valueOf(match, 16).intValue();
                m.appendReplacement(buf, Matcher.quoteReplacement(chr(decimal)));
            }
            m.appendTail(buf);
            s = buf.toString();
    
            buf = new StringBuffer();
            m = P_ENCODE.matcher(s);
            while (m.find()) {
                final String match = m.group(1);
                final int decimal = Integer.valueOf(match, 16).intValue();
                m.appendReplacement(buf, Matcher.quoteReplacement(chr(decimal)));
            }
            m.appendTail(buf);
            s = buf.toString();
    
            s = validateEntities(s);
            return s;
        }
    
        private String validateEntities(final String s) {
            StringBuffer buf = new StringBuffer();
    
            // validate entities throughout the string
            Matcher m = P_VALID_ENTITIES.matcher(s);
            while (m.find()) {
                final String one = m.group(1); //([^&;]*)
                final String two = m.group(2); //(?=(;|&|$))
                m.appendReplacement(buf, Matcher.quoteReplacement(checkEntity(one, two)));
            }
            m.appendTail(buf);
    
            return encodeQuotes(buf.toString());
        }
    
        private String encodeQuotes(final String s){
            if(encodeQuotes){
                StringBuffer buf = new StringBuffer();
                Matcher m = P_VALID_QUOTES.matcher(s);
                while (m.find()) {
                    final String one = m.group(1); //(>|^)
                    final String two = m.group(2); //([^<]+?)
                    final String three = m.group(3); //(<|$)
                    m.appendReplacement(buf, Matcher.quoteReplacement(one + regexReplace(P_QUOTE, "&quot;", two) + three));
                }
                m.appendTail(buf);
                return buf.toString();
            }else{
                return s;
            }
        }
    
        private String checkEntity(final String preamble, final String term) {
    
            return ";".equals(term) && isValidEntity(preamble)
                    ? '&' + preamble
                    : "&amp;" + preamble;
        }
    
        private boolean isValidEntity(final String entity) {
            return inArray(entity, vAllowedEntities);
        }
    
        private static boolean inArray(final String s, final String[] array) {
            for (String item : array) {
                if (item != null && item.equals(s)) {
                    return true;
                }
            }
            return false;
        }
    
        private boolean allowed(final String name) {
            return (vAllowed.isEmpty() || vAllowed.containsKey(name)) && !inArray(name, vDisallowed);
        }
    
        private boolean allowedAttribute(final String name, final String paramName) {
            return allowed(name) && (vAllowed.isEmpty() || vAllowed.get(name).contains(paramName));
        }
    }
    View Code

    4.SQLFilter

    package com.wfcm.xss;
    
    import org.apache.commons.lang.StringUtils;
    
    import com.wfcm.utils.RRException;
    
    /**
     * sql过滤
     * 
     * @author xlf
     * @email xlfbe696@gmail.com
     * @date 2017年4月19日 上午10:41:25
     */
    public class SQLFilter {
    
        /**
         * SQL注入过滤
         * 
         * @param str
         *            待验证的字符串
         */
        public static String sqlInject(String str) {
            if (StringUtils.isBlank(str)) {
                return null;
            }
            // 去掉'|"|;|字符
            str = StringUtils.replace(str, "'", "");
            str = StringUtils.replace(str, """, "");
            str = StringUtils.replace(str, ";", "");
            str = StringUtils.replace(str, "\", "");
    
            // 转换成小写
            str = str.toLowerCase();
    
            // 非法字符
            String[] keywords = { "master", "truncate", "insert", "select", "delete", "update", "declare", "alert",
                    "create", "drop" };
            // 判断是否包含非法字符
            for (String keyword : keywords) {
                if (str.equals(keyword)) {
                    throw new RRException("包含非法字符", 1);
                }
            }
    
            return str;
        }
    }
    View Code

    第三步:大功告成!!

  • 相关阅读:
    在vue-cli中使用mock.js详解
    canvas水波纹效果
    echarts颜色渐变
    前端单词大全
    vue.js商城购买选择界面
    网站炫酷效果
    vue-cli中路由配置新写法
    Render函数
    XHTML与HTML的区别
    iview的table中点击Icon弹Poptip,render函数的写法
  • 原文地址:https://www.cnblogs.com/hero123/p/9091625.html
Copyright © 2020-2023  润新知