http://blog.csdn.NET/feng_an_qi/article/details/45666813

Java Filter過濾xss註入非法參數的方法

web.xml:

1. <filter>
2. <filter-name>XSSFiler</filter-name>
3. <filter-class>
4. com.paic.mall.web.filter.XssSecurityFilter
5. </filter-class>
6. </filter>
7. <filter-mapping>
8. <filter-name>XSSFiler</filter-name>
9. <url-pattern>*.jsp</url-pattern>
10. </filter-mapping>
11. <filter-mapping>
12. <filter-name>XSSFiler</filter-name>
13. <url-pattern>*.do</url-pattern>
14. </filter-mapping>
15. <filter-mapping>
16. <filter-name>XSSFiler</filter-name>
17. <url-pattern>*.screen</url-pattern>
18. </filter-mapping>
19. <filter-mapping>
20. <filter-name>XSSFiler</filter-name>
21. <url-pattern>*.shtml</url-pattern>
22. </filter-mapping>
23. <filter-mapping>
24. <filter-name>XSSFiler</filter-name>
25. <servlet-name>dispatcher</servlet-name>
26. </filter-mapping>

XssSecurityFilter.Java

1. public class XssSecurityFilter implements Filter {
3. protected final Logger log = Logger.getLogger(this.getClass());
5. public void init(FilterConfig config) throws ServletException {
6. if(log.isInfoEnabled()){
7. log.info("XSSSecurityFilter Initializing ");
8. }
9. }
11. /**
12. * 銷毀操作
13. */
14. public void destroy() {
15. if(log.isInfoEnabled()){
16. log.info("XSSSecurityFilter destroy() end");
17. }
18. }
20. public void doFilter(ServletRequest request, ServletResponse response,
21. FilterChain chain) throws IOException, ServletException {
22. HttpServletRequest httpRequest = (HttpServletRequest)request;
24. XssHttpRequestWrapper xssRequest = new XssHttpRequestWrapper(httpRequest);
25. httpRequest = XssSecurityManager.wrapRequest(xssRequest);
26. chain.doFilter(xssRequest, response);
27. }
29. }

XssHttpRequestWrapper.Java

1. /**
2. * @author
3. * @date
4. * @describe 主要是對參數進行xss過濾，替換原始的request的getParameter相關功能
5. * 線程不安全
6. *
7. */
8. public class XssHttpRequestWrapper extends HttpServletRequestWrapper {
10. protected Map parameters;
15. /**
16. * 封裝http請求
17. *
18. * @param request
19. */
20. public XssHttpRequestWrapper(HttpServletRequest request) {
21. super(request);
22. }
25. @Override
26. public void setCharacterEncoding(String enc)
27. throws UnsupportedEncodingException {
28. super.setCharacterEncoding(enc);
29. //當編碼重新設置時，重新加載重新過濾緩存。
30. refiltParams();
31. }
33. void refiltParams(){
34. parameters=null;
35. }
37. @Override
38. public String getParameter(String string) {
39. String strList[] = getParameterValues(string);
40. if (strList != null && strList.length > 0)
41. return strList[0];
42. else
43. return null;
44. }
46. @Override
47. public String[] getParameterValues(String string) {
48. if (parameters == null) {
49. paramXssFilter();
50. }
51. return (String[]) parameters.get(string);
52. }
54. @Override
55. public Map getParameterMap() {
56. if (parameters == null) {
57. paramXssFilter();
58. }
59. return parameters;
60. }
62. /**
63. *
64. * 校驗參數，若含xss漏洞的字符,進行替換
65. */
66. private void paramXssFilter() {
67. parameters = getRequest().getParameterMap();
68. XssSecurityManager.filtRequestParams(parameters, this.getServletPath());
69. }
71. }

XssSecurityManager.java

1. /**
2. * @author
3. * @date
4. * @describe 安全過濾配置管理類，統一替換可能造成XSS漏洞的字符為中文字符
5. */
6. public class XssSecurityManager {
8. private static Logger log = Logger.getLogger(XssSecurityManager.class);
10. // 危險的javascript:關鍵字j av a script
11. private final static Pattern[] DANGEROUS_TOKENS = new Pattern[] { Pattern
12. .compile("^j\\s*a\\s*v\\s*a\\s*s\\s*c\\s*r\\s*i\\s*p\\s*t\\s*:",
13. Pattern.CASE_INSENSITIVE) };
15. // javascript:替換字符串（全角中文字符）
16. private final static String[] DANGEROUS_TOKEN_REPLACEMENTS = new String[] { "ＪＡＶＡＳＣＲＩＰＴ：" };
18. // 非法的字符集
19. private static final char[] INVALID_CHARS = new char[] { ‘<‘, ‘>‘, ‘\‘‘,
20. ‘\"‘, ‘\\‘ };
22. // 統一替換可能造成XSS漏洞的字符為全角中文字符
23. private static final char[] VALID_CHARS = new char[] { ‘＜‘, ‘＞‘, ‘’‘, ‘“‘,
24. ‘＼‘ };
26. // 開啟xss過濾功能開關
27. public static boolean enable=false;
29. // url-patternMap(符合條件的url-param進行xss過濾）<String ArrayList>
30. public static Map urlPatternMap = new HashMap();
32. private static HashSet excludeUris=new HashSet();
34. private XssSecurityManager() {
35. // 不可被實例化
36. }
37. static {
38. init();
39. }
41. private static void init() {
42. try {
43. String xssConfig = "/xss_security_config.xml";
44. if(log.isDebugEnabled()){
45. log.debug("XSS config file["+xssConfig+"] init...");
46. }
47. InputStream is = XssSecurityManager.class
48. .getResourceAsStream(xssConfig);
49. if (is == null) {
50. log.warn("XSS config file["+xssConfig+"] not found.");
51. }else{
52. // 初始化過濾配置文件
53. initConfig(is);
54. log.info("XSS config file["+xssConfig+"] init completed.");
55. }
56. }
57. catch (Exception e) {
59. log.error("XSS config file init fail:"+e.getMessage(), e);
60. }
62. }
64. private static void initConfig(InputStream is) throws Exception{
65. DocumentBuilderFactory factory=DocumentBuilderFactory.newInstance();
67. DocumentBuilder builder=factory.newDocumentBuilder();
69. Element root = builder.parse(is).getDocumentElement();
70. //-------------------
71. NodeList nl=root.getElementsByTagName("enable");
72. Node n=null;
73. if(nl!=null && nl.getLength()>0){
74. n=((org.w3c.dom.Element)nl.item(0)).getFirstChild();
75. }
76. if(n!=null){
77. enable = new Boolean(n.getNodeValue().trim()).booleanValue();
78. }
79. log.info("XSS switch="+enable);
80. //-------------------------
81. nl=root.getElementsByTagName("filter-mapping");
82. NodeList urlPatternNodes=null;
83. if(nl!=null && nl.getLength()>0){
84. Element el=(Element)nl.item(0);
85. urlPatternNodes=el.getElementsByTagName("url-pattern");
86. //-----------------------------------------------------
87. NodeList nl2=el.getElementsByTagName("exclude-url");
88. if(nl2!=null && nl2.getLength()>0){
89. for(int i=0;i<nl2.getLength();i++){
90. Element e=(Element)urlPatternNodes.item(i);
91. Node paramNode=e.getFirstChild();
92. if(paramNode!=null){
93. String paramName=paramNode.getNodeValue().trim();
94. if(paramName.length()>0){
95. excludeUris.add(paramName.toLowerCase());
96. }
97. }
98. }
99. }
100. }
101. //----------------------
102. if(urlPatternNodes!=null && urlPatternNodes.getLength()>0){
103. for(int i=0;i<urlPatternNodes.getLength();i++){
104. Element e=(Element)urlPatternNodes.item(i);
105. String urlPattern=e.getAttribute("value");
106. if(urlPattern!=null && (urlPattern=urlPattern.trim()).length()>0){
107. List filtParamList = new ArrayList(2);
108. if(log.isDebugEnabled()){
109. log.debug("Xss filter mapping:"+urlPattern);
110. }
111. //-------------------------------
112. NodeList temp=e.getElementsByTagName("include-param");
113. if(temp!=null && temp.getLength()>0){
114. for(int m=0;m<temp.getLength();m++){
115. Node paramNode=(temp.item(m)).getFirstChild();
116. if(paramNode!=null){
117. String paramName=paramNode.getNodeValue().trim();
118. if(paramName.length()>0){
119. filtParamList.add(paramName);
120. }
121. }
123. }
125. }
126. //一定得將url轉換為小寫
127. urlPatternMap.put(urlPattern.toLowerCase(), filtParamList);
128. }
129. }
130. }
132. //----------------------
133. }
135. public static HttpServletRequest wrapRequest(HttpServletRequest httpRequest){
136. if(httpRequest instanceof XssHttpRequestWrapper){
137. // log.info("httpRequest instanceof XssHttpRequestWrapper");
138. //include/forword指令會重新進入此Filter
139. XssHttpRequestWrapper temp=(XssHttpRequestWrapper)httpRequest;
140. //include指令會增加參數，這裏需要清理掉緩存
141. temp.refiltParams();
142. return temp;
143. }else{
144. // log.info("httpRequest is not instanceof XssHttpRequestWrapper");
145. return httpRequest;
146. }
147. }
149. public static List getFiltParamNames(String url){
150. //獲取需要xss過濾的參數
151. url = url.toLowerCase();
152. List paramNameList = (ArrayList) urlPatternMap.get(url);
153. if(paramNameList==null || paramNameList.size()==0){
154. return null;
155. }
156. return paramNameList;
157. }
159. public static void filtRequestParams(Map params,String servletPath){
160. long t1=System.currentTimeMillis();
161. //得到需要過濾的參數名列表，如果列表是空的，則表示過濾所有參數
162. List filtParamNames=XssSecurityManager.getFiltParamNames(servletPath);
163. filtRequestParams(params, filtParamNames);
164. }
166. public static void filtRequestParams(Map params,List filtParamNames){
167. // 獲取當前參數集
168. Set parameterNames = params.keySet();
169. Iterator it = parameterNames.iterator();
170. //得到需要過濾的參數名列表，如果列表是空的，則表示過濾所有參數
172. while (it.hasNext()) {
173. String paramName = (String) it.next();
174. if(filtParamNames==null || filtParamNames.contains(paramName) ){
175. String[] values = (String[])params.get(paramName);
176. proceedXss(values);
177. }
178. }
179. }
183. /**
184. * 對參數進行防止xss漏洞處理
185. *
186. * @param value
187. * @return
188. */
189. private static void proceedXss(String[] values) {
190. for (int i = 0; i < values.length; ++i) {
191. String value = values[i];
192. if (!isNullStr(value)) {
193. values[i] = replaceSpecialChars(values[i]);
194. }
195. }
196. }
198. /**
199. * 替換非法字符以及危險關鍵字
200. *
201. * @param str
202. * @return
203. */
204. private static String replaceSpecialChars(String str) {
205. for (int j = 0; j < INVALID_CHARS.length; ++j) {
206. if (str.indexOf(INVALID_CHARS[j]) >= 0) {
207. str = str.replace(INVALID_CHARS[j], VALID_CHARS[j]);
208. }
209. }
210. str=str.trim();
211. for (int i = 0; i < DANGEROUS_TOKENS.length; ++i) {
212. str = DANGEROUS_TOKENS[i].matcher(str).replaceAll(
213. DANGEROUS_TOKEN_REPLACEMENTS[i]);
214. }
216. return str;
217. }
219. /**
220. * 判斷是否為空串，建議放到某個工具類中
221. *
222. * @param value
223. * @return
224. */
225. private static boolean isNullStr(String value) {
226. return value == null || value.trim().length()==0;
227. }
229. public static void main(String args[]) throws Exception{
230. Map datas=new HashMap();
231. String paramName="test";
232. datas.put(paramName,new String[]{ "Javascript:<script>alert(‘yes‘);</script>"});
233. filtRequestParams(datas,"/test/sample.do");
234. System.out.println(((String[])datas.get(paramName))[0]);
235. }
238. }

Java Filter過濾xss註入非法參數的方法