XSS
1.web.xml添加
<!-- Registers NewXssFilter (created in step 2) and maps it to every URL.
     No <dispatcher> element is given, so the servlet-spec default applies:
     only client REQUEST dispatches are filtered (FORWARD/INCLUDE/ERROR are not). -->
<filter>
  <filter-name>XSSFilter</filter-name>
  <filter-class>com.jd.ihotel.pc.webapp.filters.NewXssFilter</filter-class>
</filter>
<filter-mapping>
  <filter-name>XSSFilter</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>
2.新建
NewXssFilter类
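import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import java.io.IOException;

/**
 * Servlet filter that wraps each HTTP request in {@link NewXssHttpServletRequestWraper}
 * so that parameter and header reads pass through its blacklist sanitiser.
 * <p>
 * Only the request is wrapped; the response is handed down the chain untouched
 * (the original comment claiming both are filtered was wrong). Input sanitisation of
 * this kind is defence in depth at best — it does not replace context-aware output
 * encoding in the views that render these values.
 */
public class NewXssFilter implements Filter {

    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
        // Nothing to configure.
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        // Wrap only HTTP requests; the unconditional cast in the original would throw
        // ClassCastException for any other ServletRequest implementation.
        if (request instanceof HttpServletRequest) {
            request = new NewXssHttpServletRequestWraper((HttpServletRequest) request);
        }
        chain.doFilter(request, response);
    }

    @Override
    public void destroy() {
        // Nothing to release.
    }
}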
新建NewXssHttpServletRequestWraper类
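import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;

/**
 * Request wrapper that runs a character/keyword blacklist over parameter and header values.
 * <p>
 * SECURITY NOTE (review): this is a blacklist, and blacklists are neither complete nor safe
 * for data. Limitations visible in this code:
 * <ul>
 *   <li>matching is case-sensitive ({@code SCRIPT}, {@code JavaScript:} pass through);</li>
 *   <li>legitimate values are corrupted — every {@code java}, {@code script}, {@code alert},
 *       {@code prompt}, {@code eval} substring and every apostrophe/backtick is deleted
 *       (e.g. "O'Brien", "Javanese", a User-Agent header containing "Java");</li>
 *   <li>{@code getHeaders()}, {@code getQueryString()}, {@code getCookies()} and the request
 *       body (JSON/XML payloads) are not covered.</li>
 * </ul>
 * The robust defence against XSS is context-aware output encoding at the point where a value
 * is rendered (HTML body, attribute, JavaScript, URL). Keep this wrapper, if at all, as
 * defence in depth.
 */
public class NewXssHttpServletRequestWraper extends HttpServletRequestWrapper {

    /** Keywords deleted from every value; removal is repeated until none remain. */
    private static final String[] BLACKLISTED_KEYWORDS = {"eval", "java", "script", "alert", "prompt"};

    public NewXssHttpServletRequestWraper(HttpServletRequest request) {
        super(request);
    }

    @Override
    public String getParameter(String name) {
        return clearXss(super.getParameter(name));
    }

    @Override
    public String getHeader(String name) {
        return clearXss(super.getHeader(name));
    }

    @Override
    public String[] getParameterValues(String name) {
        return clearXss(super.getParameterValues(name));
    }

    /**
     * Added for coverage: code that reads {@code getParameterMap()} directly bypassed the
     * sanitiser entirely in the original. Returns an unmodifiable copy, as the servlet API
     * requires of this method.
     */
    @Override
    public Map<String, String[]> getParameterMap() {
        Map<String, String[]> raw = super.getParameterMap();
        if (raw == null) {
            return null;
        }
        Map<String, String[]> cleaned = new HashMap<>(raw.size());
        for (Map.Entry<String, String[]> entry : raw.entrySet()) {
            cleaned.put(entry.getKey(), clearXss(entry.getValue()));
        }
        return Collections.unmodifiableMap(cleaned);
    }

    /** Applies {@link #clearXss(String)} to every element; {@code null} in, {@code null} out. */
    private String[] clearXss(String[] values) {
        if (values == null) {
            return null;
        }
        String[] cleaned = new String[values.length];
        for (int i = 0; i < values.length; i++) {
            cleaned[i] = clearXss(values[i]);
        }
        return cleaned;
    }

    /**
     * Deletes blacklisted characters and keywords from a single value.
     *
     * @param value raw value, may be {@code null} or empty
     * @return the value with {@code '}, backtick, {@code <}, {@code >} and the blacklisted
     *         keywords removed, then the {@code eval(...)} and quoted {@code javascript:}
     *         patterns stripped; {@code null}/empty input is returned unchanged
     */
    private String clearXss(String value) {
        if (value == null || value.isEmpty()) {
            return value;
        }
        // Single characters: one pass is already a fixed point.
        // (The original also "replaced" ( and ) with themselves — a no-op as published,
        //  dropped here. If fullwidth or entity substitution was intended, confirm and restore.)
        value = value.replace("'", "")
                     .replace("`", "")
                     .replace("<", "")
                     .replace(">", "");
        // Keywords: a single replaceAll is NOT a fixed point — "scrscriptipt" becomes
        // "script" after one pass, which is a trivial bypass. Repeat until nothing changes;
        // every productive round shortens the string, so the loop terminates.
        String previous;
        do {
            previous = value;
            for (String keyword : BLACKLISTED_KEYWORDS) {
                value = value.replace(keyword, "");
            }
        } while (!value.equals(previous));
        // Kept from the original for compatibility. After the keyword pass neither "eval"
        // nor "javascript" can still be present, so both are effectively dead; note the
        // first pattern is greedy and would eat everything up to the last ')'.
        value = value.replaceAll("eval\\((.*)\\)", "");
        value = value.replaceAll("[\\\"\\\'][\\s]*javascript:(.*)[\\\"\\\']", "\"\"");
        return value;
    }
}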
下面的代码配置的过滤器必须有吗？作用是？——不是必须的：它把另一个类 XssFilter（本页未给出其代码）同样映射到 /*，与上面的 XSSFilter 重复，两者都保留时每个请求会被过滤两次，功能相同则保留一个即可。`<dispatcher>REQUEST</dispatcher>` 表示只对客户端直接发起的请求生效，不包括 FORWARD/INCLUDE/ERROR 分派；省略该元素时 Servlet 规范的默认值也是 REQUEST，所以这一行并没有改变行为。
<!-- A second filter (class XssFilter, not shown on this page) mapped to the same
     URL space as XSSFilter above. If both are kept, both run on every request; one
     is probably redundant. <dispatcher>REQUEST</dispatcher> limits it to client
     requests — the servlet-spec default when the element is omitted — so
     FORWARD/INCLUDE/ERROR dispatches are not filtered. -->
<filter>
  <filter-name>XssEscape</filter-name>
  <filter-class>com.jd.ihotel.pc.webapp.filters.XssFilter</filter-class>
</filter>
<filter-mapping>
  <filter-name>XssEscape</filter-name>
  <url-pattern>/*</url-pattern>
  <dispatcher>REQUEST</dispatcher>
</filter-mapping>
也可以简单粗暴地不用过滤器，直接这么写：
/**
 * Blacklist "sanitiser" for a single request value, intended to be called directly
 * instead of installing a filter.
 *
 * REVIEW NOTES — as published this method does not do what it appears to:
 *  - replaceAll("<", "<"), (">", ">"), ("\\(", "("), ("\\)", ")") and ("'", "'") replace
 *    a character with itself and are no-ops; the HTML entity references were presumably
 *    lost in transcription (confirm against the original source before relying on it).
 *  - replaceAll("script", "") is a single pass: "scrscriptipt" collapses to "script".
 *    The match is also case-sensitive.
 *  - Deleting "%" and ";" corrupts legitimate input (percent-encoded values, CSS, and any
 *    entity reference ending in ';' — including ones this very method might produce).
 *  - The quoted javascript: regex only fires when the payload is wrapped in quotes.
 * Prefer context-aware output encoding at render time; do not rely on this function.
 *
 * @param value raw value, may be null
 * @return value with the listed substitutions applied, or null if value was null
 */
private String stripXSS(String value) {
    if (value != null) {
        value = value.replaceAll("<", "<").replaceAll(">", ">");     // no-op as written
        value = value.replaceAll("\\(", "(").replaceAll("\\)", ")"); // no-op as written
        value = value.replaceAll("'", "'");                          // no-op as written
        value = value.replaceAll("eval\\((.*)\\)", "");              // greedy: eats up to the last ')'
        value = value.replaceAll("[\\\"\\\'][\\s]*javascript:(.*)[\\\"\\\']", "\"\"");
        value = value.replaceAll("script", "");                      // single pass, case-sensitive
        value = value.replaceAll("%", "");                           // breaks percent-encoding
        value = value.replaceAll(";", "");                           // breaks entity refs / CSS
    }
    return value;
}
CSRF:
1.web.xml中配置:
<!-- Spring MVC front controller. Its context file (spring-web-config.xml) is where
     the <mvc:interceptors> block of step 2 lives. The matching <servlet-mapping>
     is not shown on this page. -->
<servlet>
  <servlet-name>mvc</servlet-name>
  <servlet-class>
    org.springframework.web.servlet.DispatcherServlet
  </servlet-class>
  <init-param>
    <param-name>contextConfigLocation</param-name>
    <param-value>classpath:spring-web-config.xml</param-value>
  </init-param>
  <load-on-startup>1</load-on-startup>
</servlet>
2.
<!-- Referer-based CSRF check, applied only to the three state-changing paths
     listed. Any other endpoint that changes state is not covered by this
     interceptor and needs its own protection (add it here or widen the mapping). -->
<mvc:interceptors>
  <mvc:interceptor>
    <mvc:mapping path="/submitOrder.html" />
    <mvc:mapping path="/ihtrade/unpaidCancel.html"/>
    <mvc:mapping path="/ihtrade/cancel.html"/>
    <bean class="com.jd.ihtrade.core.intercepter.CheckRefferIntercepter" />
  </mvc:interceptor>
</mvc:interceptors>
</beans>
3.新建拦截器里配置的类:
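import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.web.servlet.HandlerInterceptor;
import org.springframework.web.servlet.ModelAndView;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.net.URI;
import java.util.Locale;

/**
 * CSRF mitigation by Referer check: a request is allowed only when the Referer header
 * names a host in one of the company domains; anything else — including a missing or
 * unparsable Referer — is rejected with HTTP 403.
 * <p>
 * SECURITY NOTE (review): a Referer check is a secondary control. It is bypassed by any
 * page on a trusted host that an attacker can influence (XSS, an open redirect, a forgotten
 * subdomain), and some clients and proxies strip Referer, which this code then rejects
 * (fail-closed, but a usability cost). Prefer a synchronizer/double-submit CSRF token and
 * SameSite cookies as the primary defence; browsers also send an Origin header on
 * cross-site POSTs, which is harder to suppress than Referer and worth checking first.
 */
public class CheckRefferIntercepter implements HandlerInterceptor {

    private static final Logger logger = LoggerFactory.getLogger(CheckRefferIntercepter.class);

    /** Registrable domains whose hosts (and subdomains) are trusted as request sources. */
    private static final String[] TRUSTED_DOMAINS = {"360buy.com", "jd.com", "jd.net", "jd.hk"};

    @Override
    public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler)
            throws Exception {
        String referer = request.getHeader("referer");
        StringBuffer requestURL = request.getRequestURL();
        if (referer == null || referer.isEmpty()) {
            // The original returned false without touching the response, which leaves the
            // client with an empty 200; an explicit 403 makes the rejection visible.
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return false;
        }
        try {
            // Drop the query string before parsing; it may contain characters URI rejects.
            int query = referer.indexOf('?');
            if (query >= 0) {
                referer = referer.substring(0, query);
            }
            String host = new URI(referer).getHost();
            logger.info("请求目的地URL:{}来源URL:{}验证:{}", requestURL, referer, host);
            if (isTrustedHost(host)) {
                return true;
            }
        } catch (Exception e) {
            logger.error("--invalid uri--" + referer, e);
        }
        response.sendError(HttpServletResponse.SC_FORBIDDEN);
        return false;
    }

    /**
     * True when {@code host} is exactly one of the trusted domains or a subdomain of one.
     * <p>
     * The original used {@code host.endsWith("jd.com")}, which also accepts attacker-registrable
     * hosts such as {@code evil-jd.com} or {@code notjd.com}. The check now requires an exact
     * match or a preceding dot. DNS names are case-insensitive, so the comparison is done in
     * lower case (the original rejected {@code WWW.JD.COM}).
     *
     * @param host host part of the Referer URI, may be {@code null}
     * @return whether the host is trusted
     */
    static boolean isTrustedHost(String host) {
        if (host == null) {
            return false;
        }
        String normalized = host.toLowerCase(Locale.ROOT);
        for (String domain : TRUSTED_DOMAINS) {
            if (normalized.equals(domain) || normalized.endsWith("." + domain)) {
                return true;
            }
        }
        return false;
    }

    @Override
    public void postHandle(HttpServletRequest request, HttpServletResponse response, Object handler,
                           ModelAndView modelAndView) throws Exception {
        // Nothing to do after the handler runs.
    }

    @Override
    public void afterCompletion(HttpServletRequest request, HttpServletResponse response, Object handler,
                                Exception ex) throws Exception {
        // Nothing to clean up.
    }
}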