Java处理XSS漏洞的工具类代码详解编程语言

public class AntiXSS { 
	/** 
	 * 滤除content中的危险 HTML 代码, 主要是脚本代码, 滚动字幕代码以及脚本事件处理代码 
	 *  
	 * @param content 
	 *            需要滤除的字符串 
	 * @return 过滤的结果 
	 */ 
	public static String replaceHtmlCode(String content) { 
		if (null == content) { 
			return null; 
		} 
		if (0 == content.length()) { 
			return ""; 
		} 
		// 需要滤除的脚本事件关键字 
		String[] eventKeywords = { "onmouseover", "onmouseout", "onmousedown", 
				"onmouseup", "onmousemove", "onclick", "ondblclick", 
				"onkeypress", "onkeydown", "onkeyup", "ondragstart", 
				"onerrorupdate", "onhelp", "onreadystatechange", "onrowenter", 
				"onrowexit", "onselectstart", "onload", "onunload", 
				"onbeforeunload", "onblur", "onerror", "onfocus", "onresize", 
				"onscroll", "oncontextmenu", "alert" }; 
		content = replace(content, "<script", "<script", false); 
		content = replace(content, "</script", "</script", false); 
		content = replace(content, "<marquee", "<marquee", false); 
		content = replace(content, "</marquee", "</marquee", false); 
		content = replace(content, "'", "_", false);// 将单引号替换成下划线 
		content = replace(content, "/"", "_", false);// 将双引号替换成下划线 
		// 滤除脚本事件代码 
		for (int i = 0; i < eventKeywords.length; i++) { 
			content = replace(content, eventKeywords[i], 
					"_" + eventKeywords[i], false); // 添加一个"_", 使事件代码无效 
		} 
		return content; 
	} 
 
	/** 
	 * 将字符串 source 中的 oldStr 替换为 newStr, 并以大小写敏感方式进行查找 
	 *  
	 * @param source 
	 *            需要替换的源字符串 
	 * @param oldStr 
	 *            需要被替换的老字符串 
	 * @param newStr 
	 *            替换为的新字符串 
	 */ 
	private static String replace(String source, String oldStr, String newStr) { 
		return replace(source, oldStr, newStr, true); 
	} 
 
	/** 
	 * 将字符串 source 中的 oldStr 替换为 newStr, matchCase 为是否设置大小写敏感查找 
	 *  
	 * @param source 
	 *            需要替换的源字符串 
	 * @param oldStr 
	 *            需要被替换的老字符串 
	 * @param newStr 
	 *            替换为的新字符串 
	 * @param matchCase 
	 *            是否需要按照大小写敏感方式查找 
	 */ 
	private static String replace(String source, String oldStr, String newStr, 
			boolean matchCase) { 
		if (source == null) { 
			return null; 
		} 
		// 首先检查旧字符串是否存在, 不存在就不进行替换 
		if (source.toLowerCase().indexOf(oldStr.toLowerCase()) == -1) { 
			return source; 
		} 
		int findStartPos = 0; 
		int a = 0; 
		while (a > -1) { 
			int b = 0; 
			String str1, str2, str3, str4, strA, strB; 
			str1 = source; 
			str2 = str1.toLowerCase(); 
			str3 = oldStr; 
			str4 = str3.toLowerCase(); 
			if (matchCase) { 
				strA = str1; 
				strB = str3; 
			} else { 
				strA = str2; 
				strB = str4; 
			} 
			a = strA.indexOf(strB, findStartPos); 
			if (a > -1) { 
				b = oldStr.length(); 
				findStartPos = a + b; 
				StringBuffer bbuf = new StringBuffer(source); 
				source = bbuf.replace(a, a + b, newStr) + ""; 
				// 新的查找开始点位于替换后的字符串的结尾 
				findStartPos = findStartPos + newStr.length() - b; 
			} 
		} 
		return source; 
	} 
	 
	public static void main(String [] args){ 
		//String str = "./fabu-advSousuo.jsp?userName=xxx<script>alert(123);</script>&password=yyy"; 
		String str= "http://192.168.63.87:7001/xxx/xxxx/fabu-search.jsp?searchText=<script>alert('11');</script>"; 
		System.out.println(AntiXSS.replaceHtmlCode(str)); 
	}
}

原创文章,作者:ItWorker,如若转载,请注明出处:https://blog.ytso.com/tech/pnotes/10281.html

(0)
上一篇 2021年7月19日 10:09
下一篇 2021年7月19日 10:09

相关推荐

发表回复

登录后才能评论