js解决跨站点脚本编制问题

1.前台处理（容易绕过）：

<script type="text/javascript">
 $(document).ready(function(){
 var url=window.location.href;

 window.location.href=HTMLEnCode(url);
});

function HTMLEnCode(str) {
var s = "";
if (str.length == 0) return "";
s = str.replace(/&/g, "&gt;");
s = s.replace(/</g, "");
s = s.replace(/>/g, "");
s = s.replace(/ /g, "");
s = s.replace(/"/g, "");
s = s.replace(/'/g, "");
s = s.replace(/
/g, "");
s = s.replace(///g, "");
s = s.replace(/(/g, "");
s = s.replace(/)/g, "");
s = s.replace(/=/g, "");

return s;
} });
 </script>

2.后台处理：

    /**
     * 危险字符过滤方法
     * @param str
     * @return
     * @throws Exception
     */
    public static String dangerousCharacterFilter(String str) {
        //一种解决SQL盲注的后台过虑，其方式就是将可能出现的非法字符进行规制
        //java代码替换特殊字符
        //str="^&h\/!@#$%^&*()+|/jgfj&%fgd''$#$@!)(}|";
        if(str!=null){
            str = str.replaceAll("(\|)", "");
            str = str.replaceAll("(\&)", "");
            str = str.replaceAll("(\;)", "");
            str = str.replaceAll("(\$)", "");
            str = str.replaceAll("(\%)", "");
            str = str.replaceAll("(\@)", "");
            str = str.replaceAll("(\')", "");
            str = str.replaceAll("(\")", "");
            str = str.replaceAll("(\>)", "");
            str = str.replaceAll("(\<)", "");
            str = str.replaceAll("(\))", "");
            str = str.replaceAll("(\()", "");
            str = str.replaceAll("(\+)", "");
            //str = str.replaceAll("(\CR)", "");  //回车符 ASCII 0x0d
            //str = str.replaceAll("(\LF)", "");  //换行 ASCII 0x0a
            str = str.replaceAll("(\,)", "");
            str = str.replaceAll("(\\)", "");
            str = str.replaceAll("(\#|$)", "");
       }
       return str;
    }

3.添加过滤器（暂时没做）

相关阅读:
List
美团Leaf分布式ID生成策略
单点登陆
ElasticSearch
Eureka
Nginx
UML
Computer English
加密
Excel中把一列数据转换成逗号隔开的一行

原文地址：https://www.cnblogs.com/shuilangyizu/p/7273652.html