对于程序员来说安全防御,无非从两个方面考虑,要么前端要么后台。
一、首先从前端考虑过滤一些非法字符。
前端的主控js中,在<textarea> 输入框标签中,
找到点击发送按钮后,追加到聊天panel前 进行过滤input输入内容
我要评论 1 // 过滤xss反射型漏洞
2 filterinputtxt: function (html) {
3 html = html.replace(/(.*<[^>]+>.*)/g,""); // html标记
4 html = html.replace(/([\r\n])[\s]+/g, ""); // 换行、空格
5 html = html.replace(/<!--.*-->/g, ""); // html注释
6 html = html.replace(/['"‘’“”!@#$%^&*{}!¥()()×+=]/g, ""); // 非法字符
7 html = html.replace("alert","");
8 html = html.replace("eval","");
9 html = html.replace(/(.*javascript.*)/gi,"");
10 if (html === "") {
11 html = "你好";
12 }
13 return html;
14 }
二、在后台api服务解决反射型xss漏洞
thinking:一般来说前端可以过滤一下基本的非法恶意代码攻击,如果恶意脚本被请求到服务端啦,那么就需要请求参数未请求接口前进行过滤一些非法字符。
handle:1、自定义过滤器实现filter接口
2、在dofilter方法中对request、response进行设置处理
##处理request请求参数。
1 /*
2 * copyright (c), 2001-2019, xiaoi机器人
3 * author: han.sun
4 * date: 2019/2/28 11:39
5 * history:
6 * <author> <time> <version> <desc>
7 * 作者姓名 修改时间 版本号 描述
8 */
9 package com.eastrobot.robotdev.filter;
10
11 import javax.servlet.http.httpservletrequest;
12 import javax.servlet.http.httpservletrequestwrapper;
13 import java.util.map;
14 import java.util.regex.matcher;
15 import java.util.regex.pattern;
16
17 /**
18 * 〈一句话功能简述〉<br>
19 * todo(解决反射型xss漏洞攻击)
20 *
21 * @author han.sun
22 * @version 1.0.0
23 * @since 2019/2/28 11:39
24 */
25 public class xsshttpservletrequestwrapper extends httpservletrequestwrapper {
26
27 /**
28 * 定义script的正则表达式
29 */
30 private static final string reg_script = "<script[^>]*?>[\\s\\s]*?</script>";
31
32 /**
33 * 定义style的正则表达式
34 */
35 private static final string reg_style = "<style[^>]*?>[\\s\\s]*?</style>";
36
37 /**
38 * 定义html标签的正则表达式
39 */
40 private static final string reg_html = "<[^>]+>";
41
42 /**
43 * 定义所有w标签
44 */
45 private static final string reg_w = "<w[^>]*?>[\\s\\s]*?</w[^>]*?>";
46
47 private static final string reg_javascript = ".*javascript.*";
48
49
50 xsshttpservletrequestwrapper(httpservletrequest request) {
51 super(request);
52 }
53
54 @suppresswarnings("rawtypes")
55 @override
56 public map<string, string[]> getparametermap() {
57 map<string, string[]> requestmap = super.getparametermap();
58 for (object o : requestmap.entryset()) {
59 map.entry me = (map.entry) o;
60 string[] values = (string[]) me.getvalue();
61 for (int i = 0; i < values.length; i++) {
62 values[i] = xssclean(values[i]);
63 }
64 }
65 return requestmap;
66 }
67
68 @override
69 public string[] getparametervalues(string paramstring) {
70 string[] values = super.getparametervalues(paramstring);
71 if (values == null) {
72 return null;
73 }
74 int i = values.length;
75 string[] result = new string[i];
76 for (int j = 0; j < i; j++) {
77 result[j] = xssclean(values[j]);
78 }
79 return result;
80 }
81
82 @override
83 public string getparameter(string paramstring) {
84 string str = super.getparameter(paramstring);
85 if (str == null) {
86 return null;
87 }
88 return xssclean(str);
89 }
90
91
92 @override
93 public string getheader(string paramstring) {
94 string str = super.getheader(paramstring);
95 if (str == null) {
96 return null;
97 }
98 str = str.replaceall("[\r\n]", "");
99 return xssclean(str);
100 }
101
102 /**
103 * [xssclean 过滤特殊、敏感字符]
104 * @param value [请求参数]
105 * @return [value]
106 */
107 private string xssclean(string value) {
108 if (value == null || "".equals(value)) {
109 return value;
110 }
111 pattern pw = pattern.compile(reg_w, pattern.case_insensitive);
112 matcher mw = pw.matcher(value);
113 value = mw.replaceall("");
114
115 pattern script = pattern.compile(reg_script, pattern.case_insensitive);
116 value = script.matcher(value).replaceall("");
117
118 pattern style = pattern.compile(reg_style, pattern.case_insensitive);
119 value = style.matcher(value).replaceall("");
120
121 pattern htmltag = pattern.compile(reg_html, pattern.case_insensitive);
122 value = htmltag.matcher(value).replaceall("");
123
124 pattern javascript = pattern.compile(reg_javascript, pattern.case_insensitive);
125 value = javascript.matcher(value).replaceall("");
126 return value;
127 }
128
129 }
##自定义filter过滤器。
1 /*
2 * copyright (c), 2001-2019, xiaoi机器人
3 * author: han.sun
4 * date: 2019/2/28 11:38
5 * history:
6 * <author> <time> <version> <desc>
7 * 作者姓名 修改时间 版本号 描述
8 */
9 package com.eastrobot.robotdev.filter;
10
11 import javax.servlet.*;
12 import javax.servlet.http.httpservletrequest;
13 import javax.servlet.http.httpservletresponse;
14 import java.io.ioexception;
15
16 /**
17 * 〈在服务器端对 cookie 设置了httponly 属性,
18 * 那么js脚本就不能读取到cookie,
19 * 但是浏览器还是能够正常使用cookie〉<br>
20 * todo(禁用js脚步读取用户浏览器中的cookie)
21 *
22 * @author han.sun
23 * @version 1.0.0
24 * @since 2019/2/28 16:38
25 */
26 public class xssfilter implements filter {
27
28 @override
29 public void init(filterconfig filterconfig) throws servletexception {
30
31 }
32
33 @override
34 public void dofilter(servletrequest request, servletresponse response, filterchain chain) throws ioexception, servletexception {
35
36 httpservletrequest req = (httpservletrequest) request;
37 httpservletresponse resp = (httpservletresponse) response;
38
39 // 解决动态脚本获取网页cookie,将cookie设置成httponly
40 string sessionid = req.getsession().getid();
41 resp.setheader("set-cookie", "jsessionid=" + sessionid + "; httponly");
42 resp.setheader("x-frame-options", "sameorigin");
43
44 chain.dofilter(new xsshttpservletrequestwrapper((httpservletrequest) request), response);
45 }
46
47 @override
48 public void destroy() {
49 }
50 }
需要在web.xml文件中添加自定义过滤器映射,让其起作用
1 <filter> 2 <filter-name>xssescape</filter-name> 3 <filter-class>com.eastrobot.robotdev.filter.xssfilter</filter-class> 4 </filter> 5 <filter-mapping> 6 <filter-name>xssescape</filter-name> 7 <url-pattern>/*</url-pattern> 8 </filter-mapping>
如对本文有疑问, 点击进行留言回复!!
java8 map集合还可以这样根据value升降序,代码瞬间提升了bo格
springboot TCP socket通信远程监听采集数据.
网友评论