FilesExpand file tree

 master

/

XssHttpServletRequestWrapper.java

Copy path

Blame

More file actions

Blame

More file actions

Latest commit

 

History

History

History

226 lines (204 loc) · 6.59 KB

 master

/

XssHttpServletRequestWrapper.java

Top

File metadata and controls

• Code
• Blame

226 lines (204 loc) · 6.59 KB

Raw

Copy raw file

Download raw file

Open symbols panel

Edit and raw actions

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

29

30

31

32

33

34

35

36

37

38

39

40

41

42

43

44

45

46

47

48

49

50

51

52

53

54

55

56

57

58

59

60

61

62

63

64

65

66

67

68

69

70

71

72

73

74

75

76

77

78

79

80

81

82

83

84

85

86

87

88

89

90

91

92

93

94

95

96

97

98

99

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

128

129

130

131

132

133

134

135

136

137

138

139

140

141

142

143

144

145

146

147

148

149

150

151

152

153

154

155

156

157

158

159

160

161

162

163

164

165

166

167

168

169

170

171

172

173

174

175

176

177

178

179

180

181

182

183

184

185

186

187

188

189

190

191

192

193

194

195

196

197

198

199

200

201

202

203

204

205

206

207

208

209

210

211

212

213

214

215

216

217

218

219

220

221

222

223

224

225

226

import java.util.HashMap;

import java.util.Iterator;

import java.util.Map;

import java.util.regex.Pattern;

import javax.servlet.http.HttpServletRequest;

import javax.servlet.http.HttpServletRequestWrapper;

import org.apache.commons.lang.ArrayUtils;

public class XssHttpServletRequestWrapper extends HttpServletRequestWrapper {

HttpServletRequest orgRequest = null;

public XssHttpServletRequestWrapper(HttpServletRequest request) {

super(request);

orgRequest = request;

}

/**

* 覆盖getParameter方法，将参数名和参数值都做xss过滤。<br/>

* 如果需要获得原始的值，则通过super.getParameterValues(name)来获取<br/>

* getParameterNames,getParameterValues和getParameterMap也可能需要覆盖

*/

@Override

public String getParameter(String name) {

String value = super.getParameter(xssEncode(name));

if (value != null) {

value = xssEncode(value);

}

return value;

}

@Override

public Map<String, String[]> getParameterMap() {

// change values to value

Map<String, String[]> parameterMap = super.getParameterMap();

Map<String, String[]> parameters = new HashMap<String, String[]>(parameterMap.size());

for (Iterator it = parameterMap.keySet().iterator(); it.hasNext();) {

Object key = it.next();

String[] values = (String[]) parameterMap.get(key);

if (values != null && values.length > 0) {

int count = values.length;

String[] encodedValues =new String[count];

for(int i =0; i < count; i++){

encodedValues[i]= xssEncode(values[i]);

}

parameters.put((String)key, encodedValues);

}

}

return parameters;

}

@Override

public String[] getParameterValues(String name) {

String[] values =super.getParameterValues(name);

if(values ==null){

return null;

}

int count = values.length;

String[] encodedValues =new String[count];

for(int i =0; i < count; i++){

encodedValues[i]= xssEncode(values[i]);

}

return encodedValues;

}

/**

* 覆盖getHeader方法，将参数名和参数值都做xss过滤。<br/>

* 如果需要获得原始的值，则通过super.getHeaders(name)来获取<br/>

* getHeaderNames 也可能需要覆盖

*/

@Override

public String getHeader(String name) {

String value = super.getHeader(xssEncode(name));

if (value != null) {

value = xssEncode(value);

}

return value;

}

/**

* 将容易引起xss漏洞的半角字符直接替换成全角字符

*

* @param s

* @return

*/

public String xssEncode(String s) {

if (s == null || s.isEmpty()) {

return s;

}

String result = stripXSS(s);

if (null != result) {

result = escape(result);

}

return result;

}

/**

* 获取最原始的request

*

* @return

*/

public HttpServletRequest getOrgRequest() {

return orgRequest;

}

/**

* 获取最原始的request的静态方法

*

* @return

*/

public static HttpServletRequest getOrgRequest(HttpServletRequest req) {

if (req instanceof XssHttpServletRequestWrapper) {

return ((XssHttpServletRequestWrapper) req).getOrgRequest();

}

return req;

}

public String escape(String s) {

StringBuilder sb = new StringBuilder(s.length() + 16);

for (int i = 0; i < s.length(); i++) {

char c = s.charAt(i);

switch (c) {

case '>':

sb.append('＞');// 全角大于号

break;

case '<':

sb.append('＜');// 全角小于号

break;

case '\'':

sb.append('‘');// 全角单引号

break;

case '\"':

sb.append('“');// 全角双引号

break;

case '\\':

sb.append('＼');// 全角斜线

break;

case '%':

sb.append('％'); // 全角冒号

break;

default:

sb.append(c);

break;

}

}

return sb.toString();

}

private String stripXSS(String value) {

if (value != null) {

// NOTE: It's highly recommended to use the ESAPI library and

// uncomment the following line to

// avoid encoded attacks.

// value = ESAPI.encoder().canonicalize(value);

// Avoid null characters

value = value.replaceAll("", "");

// Avoid anything between script tags

Pattern scriptPattern = Pattern.compile("<script>(.*?)</script>",

Pattern.CASE_INSENSITIVE);

value = scriptPattern.matcher(value).replaceAll("");

// Avoid anything in a src='...' type of expression

scriptPattern = Pattern.compile("src[\r\n]*=[\r\n]*\\\'(.*?)\\\'",

Pattern.CASE_INSENSITIVE | Pattern.MULTILINE

| Pattern.DOTALL);

value = scriptPattern.matcher(value).replaceAll("");

scriptPattern = Pattern.compile("src[\r\n]*=[\r\n]*\\\"(.*?)\\\"",

Pattern.CASE_INSENSITIVE | Pattern.MULTILINE

| Pattern.DOTALL);

value = scriptPattern.matcher(value).replaceAll("");

// Remove any lonesome </script> tag

scriptPattern = Pattern.compile("</script>",

Pattern.CASE_INSENSITIVE);

value = scriptPattern.matcher(value).replaceAll("");

// Remove any lonesome <script ...> tag

scriptPattern = Pattern.compile("<script(.*?)>",

Pattern.CASE_INSENSITIVE | Pattern.MULTILINE

| Pattern.DOTALL);

value = scriptPattern.matcher(value).replaceAll("");

// Avoid eval(...) expressions

scriptPattern = Pattern.compile("eval\\((.*?)\\)",

Pattern.CASE_INSENSITIVE | Pattern.MULTILINE

| Pattern.DOTALL);

value = scriptPattern.matcher(value).replaceAll("");

// Avoid expression(...) expressions

scriptPattern = Pattern.compile("expression\\((.*?)\\)",

Pattern.CASE_INSENSITIVE | Pattern.MULTILINE

| Pattern.DOTALL);

value = scriptPattern.matcher(value).replaceAll("");

// Avoid javascript:... expressions

scriptPattern = Pattern.compile("javascript:",

Pattern.CASE_INSENSITIVE);

value = scriptPattern.matcher(value).replaceAll("");

// Avoid vbscript:... expressions

scriptPattern = Pattern.compile("vbscript:",

Pattern.CASE_INSENSITIVE);

value = scriptPattern.matcher(value).replaceAll("");

// Avoid onload= expressions

scriptPattern = Pattern.compile("onload(.*?)=",

Pattern.CASE_INSENSITIVE | Pattern.MULTILINE

| Pattern.DOTALL);

value = scriptPattern.matcher(value).replaceAll("");

scriptPattern = Pattern.compile("<iframe>(.*?)</iframe>",

Pattern.CASE_INSENSITIVE);

value = scriptPattern.matcher(value).replaceAll("");

scriptPattern = Pattern.compile("</iframe>",

Pattern.CASE_INSENSITIVE);

value = scriptPattern.matcher(value).replaceAll("");

// Remove any lonesome <script ...> tag

scriptPattern = Pattern.compile("<iframe(.*?)>",

Pattern.CASE_INSENSITIVE | Pattern.MULTILINE

| Pattern.DOTALL);

value = scriptPattern.matcher(value).replaceAll("");

}

return value;

}

}