防止SQL注入和XSS攻击Filter
2013-10-12 10:39
316 查看
使用IBM的安全漏洞扫描工具扫描出一堆漏洞,下面的filter主要是解决防止SQL注入和XSS攻击
一个是Filter负责将请求的request包装一下。
一个是request包装器,负责过滤掉非法的字符。
将这个过滤器配置上以后,世界总算清净多了。。
代码如下:
[java]
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
/**
* <code>{@link CharLimitFilter}</code>
*
* 拦截防止sql注入
*
* @author Administrator
*/
publicclass XssFilter implements Filter {
/* (non-Javadoc)
* @see javax.servlet.Filter#doFilter(javax.servlet.ServletRequest, javax.servlet.ServletResponse, javax.servlet.FilterChain)
*/
publicvoid doFilter(ServletRequest request, ServletResponse response, FilterChain filterChain) throws IOException,
ServletException {
XssHttpServletRequestWrapper xssRequest = new XssHttpServletRequestWrapper(
(HttpServletRequest) request);
filterChain.doFilter(xssRequest, response);
}
}
包装器:
[java]
/**
* <code>{@link XssHttpServletRequestWrapper}</code>
*
* TODO : document me
*
* @author Administrator
*/
publicclass XssHttpServletRequestWrapper extends HttpServletRequestWrapper {
HttpServletRequest orgRequest = null;
public XssHttpServletRequestWrapper(HttpServletRequest request) {
super(request);
orgRequest = request;
}
/**
* 覆盖getParameter方法,将参数名和参数值都做xss过滤。<br/>
* 如果需要获得原始的值,则通过super.getParameterValues(name)来获取<br/>
* getParameterNames,getParameterValues和getParameterMap也可能需要覆盖
*/
@Override
public String getParameter(String name) {
String value = super.getParameter(xssEncode(name));
if (value != null) {
value = xssEncode(value);
}
return value;
}
/**
* 覆盖getHeader方法,将参数名和参数值都做xss过滤。<br/>
* 如果需要获得原始的值,则通过super.getHeaders(name)来获取<br/>
* getHeaderNames 也可能需要覆盖
*/
@Override
public String getHeader(String name) {
String value = super.getHeader(xssEncode(name));
if (value != null) {
value = xssEncode(value);
}
return value;
}
/**
* 将容易引起xss漏洞的半角字符直接替换成全角字符
*
* @param s
* @return
*/
privatestatic String xssEncode(String s) {
if (s == null || "".equals(s)) {
return s;
}
StringBuilder sb = new StringBuilder(s.length() + 16);
for (int i = 0; i < s.length(); i++) {
char c = s.charAt(i);
switch (c) {
case'>':
sb.append('>');//全角大于号
break;
case'<':
sb.append('<');//全角小于号
break;
case'\'':
sb.append('‘');//全角单引号
break;
case'\"':
sb.append('“');//全角双引号
break;
case'&':
sb.append('&');//全角
break;
case'\\':
sb.append('\');//全角斜线
break;
case'#':
sb.append('#');//全角井号
break;
default:
sb.append(c);
break;
}
}
return sb.toString();
}
/**
* 获取最原始的request
*
* @return
*/
public HttpServletRequest getOrgRequest() {
return orgRequest;
}
/**
* 获取最原始的request的静态方法
*
* @return
*/
publicstatic HttpServletRequest getOrgRequest(HttpServletRequest req) {
if (req instanceof XssHttpServletRequestWrapper) {
return ((XssHttpServletRequestWrapper) req).getOrgRequest();
}
return req;
}
}
web.xml文件
<!-- 解决xss漏洞 -->
<filter>
<filter-name>xssFilter</filter-name>
<filter-class>com.baidu.rigel.sandbox.core.filter.XSSFilter</filter-class>
</filter>
<!-- 解决xss漏洞 -->
<filter-mapping>
<filter-name>xssFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
一个是Filter负责将请求的request包装一下。
一个是request包装器,负责过滤掉非法的字符。
将这个过滤器配置上以后,世界总算清净多了。。
代码如下:
[java]
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
/**
* <code>{@link CharLimitFilter}</code>
*
* 拦截防止sql注入
*
* @author Administrator
*/
publicclass XssFilter implements Filter {
/* (non-Javadoc)
* @see javax.servlet.Filter#doFilter(javax.servlet.ServletRequest, javax.servlet.ServletResponse, javax.servlet.FilterChain)
*/
publicvoid doFilter(ServletRequest request, ServletResponse response, FilterChain filterChain) throws IOException,
ServletException {
XssHttpServletRequestWrapper xssRequest = new XssHttpServletRequestWrapper(
(HttpServletRequest) request);
filterChain.doFilter(xssRequest, response);
}
}
import java.io.IOException; import javax.servlet.Filter; import javax.servlet.FilterChain; import javax.servlet.FilterConfig; import javax.servlet.ServletException; import javax.servlet.ServletRequest; import javax.servlet.ServletResponse; import javax.servlet.http.HttpServletRequest; /** * <code>{@link CharLimitFilter}</code> * * 拦截防止sql注入 * * @author Administrator */ public class XssFilter implements Filter { /* (non-Javadoc) * @see javax.servlet.Filter#doFilter(javax.servlet.ServletRequest, javax.servlet.ServletResponse, javax.servlet.FilterChain) */ public void doFilter(ServletRequest request, ServletResponse response, FilterChain filterChain) throws IOException, ServletException { XssHttpServletRequestWrapper xssRequest = new XssHttpServletRequestWrapper( (HttpServletRequest) request); filterChain.doFilter(xssRequest, response); } }
包装器:
[java]
/**
* <code>{@link XssHttpServletRequestWrapper}</code>
*
* TODO : document me
*
* @author Administrator
*/
publicclass XssHttpServletRequestWrapper extends HttpServletRequestWrapper {
HttpServletRequest orgRequest = null;
public XssHttpServletRequestWrapper(HttpServletRequest request) {
super(request);
orgRequest = request;
}
/**
* 覆盖getParameter方法,将参数名和参数值都做xss过滤。<br/>
* 如果需要获得原始的值,则通过super.getParameterValues(name)来获取<br/>
* getParameterNames,getParameterValues和getParameterMap也可能需要覆盖
*/
@Override
public String getParameter(String name) {
String value = super.getParameter(xssEncode(name));
if (value != null) {
value = xssEncode(value);
}
return value;
}
/**
* 覆盖getHeader方法,将参数名和参数值都做xss过滤。<br/>
* 如果需要获得原始的值,则通过super.getHeaders(name)来获取<br/>
* getHeaderNames 也可能需要覆盖
*/
@Override
public String getHeader(String name) {
String value = super.getHeader(xssEncode(name));
if (value != null) {
value = xssEncode(value);
}
return value;
}
/**
* 将容易引起xss漏洞的半角字符直接替换成全角字符
*
* @param s
* @return
*/
privatestatic String xssEncode(String s) {
if (s == null || "".equals(s)) {
return s;
}
StringBuilder sb = new StringBuilder(s.length() + 16);
for (int i = 0; i < s.length(); i++) {
char c = s.charAt(i);
switch (c) {
case'>':
sb.append('>');//全角大于号
break;
case'<':
sb.append('<');//全角小于号
break;
case'\'':
sb.append('‘');//全角单引号
break;
case'\"':
sb.append('“');//全角双引号
break;
case'&':
sb.append('&');//全角
break;
case'\\':
sb.append('\');//全角斜线
break;
case'#':
sb.append('#');//全角井号
break;
default:
sb.append(c);
break;
}
}
return sb.toString();
}
/**
* 获取最原始的request
*
* @return
*/
public HttpServletRequest getOrgRequest() {
return orgRequest;
}
/**
* 获取最原始的request的静态方法
*
* @return
*/
publicstatic HttpServletRequest getOrgRequest(HttpServletRequest req) {
if (req instanceof XssHttpServletRequestWrapper) {
return ((XssHttpServletRequestWrapper) req).getOrgRequest();
}
return req;
}
}
web.xml文件
<!-- 解决xss漏洞 -->
<filter>
<filter-name>xssFilter</filter-name>
<filter-class>com.baidu.rigel.sandbox.core.filter.XSSFilter</filter-class>
</filter>
<!-- 解决xss漏洞 -->
<filter-mapping>
<filter-name>xssFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
相关文章推荐
- 真是企业级项目需求之--------防止SQL注入和XSS攻击Filter
- 防止SQL注入和XSS攻击Filter
- 防止SQL注入和XSS攻击Filter
- 防止SQL注入和XSS攻击Filter
- 防止SQL注入和XSS攻击Filter
- Filter:防止SQL注入和XSS攻击Filter
- 防止SQL注入和XSS攻击Filter
- 防止SQL注入和XSS攻击Filter
- Yii框架防止sql注入,xss攻击与csrf攻击的方法
- addslashes,htmlspecialchars,htmlentities转换或者转义php特殊字符防止xss攻击以及sql注入
- filter通过装饰者模式防止XSS攻击
- 使用Filter防止XSS攻击
- 防止Xss攻击和Sql注入
- Yii框架防止sql注入,xss攻击与csrf攻击的方法
- Yii框架防止sql注入,xss攻击与csrf攻击的方法
- 360[警告]跨站脚本攻击漏洞/java web利用Filter防止XSS/Spring MVC防止XSS攻击
- 防止xss攻击与sql注入
- CI 防止sql注入和xss攻击
- 字符过滤器和防止XSS攻击,SQL注入的过滤器
- 防止常见XSS 过滤 SQL注入 JAVA过滤器filter