Java處理XSS漏洞的工具類代碼

EdwinByars 8年前發布 | 5K 次閱讀 Java 

public class AntiXSS {
    /**



 * 濾除content中的危險 HTML 代碼, 主要是腳本代碼, 滾動字幕代碼以及腳本事件處理代碼
 * 
 * @param content
 *            需要濾除的字符串
 * @return 過濾的結果
 */
public static String replaceHtmlCode(String content) {
    if (null == content) {
        return null;
    }
    if (0 == content.length()) {
        return "";
    }
    // 需要濾除的腳本事件關鍵字
    String[] eventKeywords = { "onmouseover", "onmouseout", "onmousedown",
            "onmouseup", "onmousemove", "onclick", "ondblclick",
            "onkeypress", "onkeydown", "onkeyup", "ondragstart",
            "onerrorupdate", "onhelp", "onreadystatechange", "onrowenter",
            "onrowexit", "onselectstart", "onload", "onunload",
            "onbeforeunload", "onblur", "onerror", "onfocus", "onresize",
            "onscroll", "oncontextmenu", "alert" };
    content = replace(content, "<script", "<script", false);
    content = replace(content, "</script", "</script", false);
    content = replace(content, "<marquee", "<marquee", false);
    content = replace(content, "</marquee", "</marquee", false);
    content = replace(content, "'", "_", false);// 將單引號替換成下劃線
    content = replace(content, "\"", "_", false);// 將雙引號替換成下劃線
    // 濾除腳本事件代碼
    for (int i = 0; i < eventKeywords.length; i++) {
        content = replace(content, eventKeywords[i],
                "_" + eventKeywords[i], false); // 添加一個"_", 使事件代碼無效
    }
    return content;
}

/**
 * 將字符串 source 中的 oldStr 替換為 newStr, 并以大小寫敏感方式進行查找
 * 
 * @param source
 *            需要替換的源字符串
 * @param oldStr
 *            需要被替換的老字符串
 * @param newStr
 *            替換為的新字符串
 */
private static String replace(String source, String oldStr, String newStr) {
    return replace(source, oldStr, newStr, true);
}

/**
 * 將字符串 source 中的 oldStr 替換為 newStr, matchCase 為是否設置大小寫敏感查找
 * 
 * @param source
 *            需要替換的源字符串
 * @param oldStr
 *            需要被替換的老字符串
 * @param newStr
 *            替換為的新字符串
 * @param matchCase
 *            是否需要按照大小寫敏感方式查找
 */
private static String replace(String source, String oldStr, String newStr,
        boolean matchCase) {
    if (source == null) {
        return null;
    }
    // 首先檢查舊字符串是否存在, 不存在就不進行替換
    if (source.toLowerCase().indexOf(oldStr.toLowerCase()) == -1) {
        return source;
    }
    int findStartPos = 0;
    int a = 0;
    while (a > -1) {
        int b = 0;
        String str1, str2, str3, str4, strA, strB;
        str1 = source;
        str2 = str1.toLowerCase();
        str3 = oldStr;
        str4 = str3.toLowerCase();
        if (matchCase) {
            strA = str1;
            strB = str3;
        } else {
            strA = str2;
            strB = str4;
        }
        a = strA.indexOf(strB, findStartPos);
        if (a > -1) {
            b = oldStr.length();
            findStartPos = a + b;
            StringBuffer bbuf = new StringBuffer(source);
            source = bbuf.replace(a, a + b, newStr) + "";
            // 新的查找開始點位于替換后的字符串的結尾
            findStartPos = findStartPos + newStr.length() - b;
        }
    }
    return source;
}

public static void main(String [] args){
    //String str = "./fabu-advSousuo.jsp?userName=xxx<script>alert(123);</script>&password=yyy";
    String str= "http://192.168.63.87:7001/xxx/xxxx/fabu-search.jsp?searchText=<script>alert('11');</script>";
    System.out.println(AntiXSS.replaceHtmlCode(str));
}</pre> 



}
 本文由用戶 EdwinByars 自行上傳分享,僅供網友學習交流。所有權歸原作者,若您的權利被侵害,請聯系管理員。
 轉載本站原創文章,請注明出處,并保留原始鏈接、圖片水印。
 本站是一個以用戶分享為主的開源技術平臺,歡迎各類分享!