一、maven、antisamy介绍以及XSS：
antisamy是owasp的开源项目，它用来确保用户输入的HTML/CSS符合应用规范的API，可以有效防止xss攻击。它提供了用于验证用户输入的富文本以防御跨站脚本的API，适用于java编写的web项目。它提供了一些标准的策略文件，根据自己产品的实际需求，在此基础上配置一份适合自己产品的策略文件。
具体参考
http://anquan.163.com/module/pedia/article-00016.html
二、所需的相关文件：

三、antisamy在eclipse的配置


注意Tomcat应用服务器的安装。具体详见 http://jingyan.baidu.com/article/3065b3b6efa9d7becff8a4c6.html 。
转换为maven项目后发现在Libraries下未发现maven的下拉菜单，如下图所示：

解决方法：
修改pom.xml中的代码，即增加以下代码：
-
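<dependencies>
  <!-- NOTE(review): log4j 1.x is end-of-life and no longer receives security
       fixes; plan a move to a maintained logging library. -->
  <dependency>
    <groupId>log4j</groupId>
    <artifactId>log4j</artifactId>
    <version>1.2.12</version>
  </dependency>
  <!-- AntiSamy sanitizer used by RequestWrapper. NOTE(review): 1.5.3 is an old
       release; newer versions contain sanitizer fixes, so prefer the current one
       and re-test the policy file against it. -->
  <dependency>
    <groupId>org.owasp.antisamy</groupId>
    <artifactId>antisamy</artifactId>
    <version>1.5.3</version>
  </dependency>
</dependencies>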
保存后刷新项目即可以看到maven下出现了相关的jar文件，即已经将该jar包进行了下载，而不需要自己再下载再加入path路径；

此时，即将maven和antisamy配置完成。
整体截图：

pom.xml代码：
-
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
  <modelVersion>4.0.0</modelVersion>
  <groupId>webTest</groupId>
  <artifactId>webTest</artifactId>
  <version>0.0.1-SNAPSHOT</version>
  <packaging>war</packaging>
  <build>
    <!-- Eclipse-style layout: sources and non-Java resources both live under src;
         Java files are excluded from the resource copy so they are only compiled. -->
    <sourceDirectory>src</sourceDirectory>
    <resources>
      <resource>
        <directory>src</directory>
        <excludes>
          <exclude>**/*.java</exclude>
        </excludes>
      </resource>
    </resources>
    <plugins>
      <plugin>
        <artifactId>maven-compiler-plugin</artifactId>
        <version>3.3</version>
        <configuration>
          <source>1.8</source>
          <target>1.8</target>
        </configuration>
      </plugin>
      <plugin>
        <artifactId>maven-war-plugin</artifactId>
        <version>2.6</version>
        <configuration>
          <!-- WebContent holds web.xml and the pages; failOnMissingWebXml=false
               keeps the build going if web.xml is absent. -->
          <warSourceDirectory>WebContent</warSourceDirectory>
          <failOnMissingWebXml>false</failOnMissingWebXml>
        </configuration>
      </plugin>
    </plugins>
  </build>
  <dependencies>
    <!-- NOTE(review): log4j 1.x is end-of-life and no longer receives security
         fixes; plan a move to a maintained logging library. -->
    <dependency>
      <groupId>log4j</groupId>
      <artifactId>log4j</artifactId>
      <version>1.2.12</version>
    </dependency>
    <!-- AntiSamy sanitizer used by RequestWrapper. NOTE(review): 1.5.3 is an old
         release; newer versions contain sanitizer fixes, so prefer the current one
         and re-test the policy file against it. -->
    <dependency>
      <groupId>org.owasp.antisamy</groupId>
      <artifactId>antisamy</artifactId>
      <version>1.5.3</version>
    </dependency>
  </dependencies>
</project>
增加了以下代码：

四、tomcat安装
这里依赖于《eclipse创建javaweb项目的环境配置》。
具体参见http://blog.****.net/redarmy_chen/article/details/7048317
也可以参照以下链接安装和部署：
http://jingyan.baidu.com/article/3065b3b6efa9d7becff8a4c6.html
需要注意的是在添加目录时要采用英文名。

五、代码
XssFilter.java代ç å¦****æä»£ç çå
çï¼
-
import java.io.IOException;
-
import javax.servlet.Filter;
-
import javax.servlet.FilterChain;
-
import javax.servlet.FilterConfig;
-
import javax.servlet.ServletException;
-
import javax.servlet.ServletRequest;
-
import javax.servlet.ServletResponse;
-
import javax.servlet.http.HttpServletRequest;
-
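/**
 * Servlet filter that wraps each HTTP request in a {@link RequestWrapper} so that
 * every parameter value the application reads has first been passed through AntiSamy.
 *
 * <p>Only the request is wrapped; the response is handed down the chain untouched.
 */
public class XssFilter implements Filter {

    /** Stored by init/destroy to mirror the usual Filter lifecycle; never read. */
    @SuppressWarnings("unused")
    private FilterConfig filterConfig;

    /**
     * Keeps the container-supplied configuration.
     *
     * @param filterConfig configuration passed by the container
     * @throws ServletException never thrown here; declared by the interface
     */
    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
        this.filterConfig = filterConfig;
    }

    /**
     * Wraps the request in a {@link RequestWrapper} and continues the chain.
     *
     * <p>The previous version cast unconditionally, so a non-HTTP request failed with a
     * {@link ClassCastException}. Failing is still the right outcome — the filter must
     * not let an unwrapped request through — but it is now reported as a
     * {@link ServletException} with a readable message. With the {@code /*} mapping in
     * web.xml every request the container delivers should be an HTTP request.
     *
     * @param request  incoming request
     * @param response outgoing response
     * @param chain    the remaining filter chain
     * @throws IOException      propagated from the chain
     * @throws ServletException if the request is not an {@link HttpServletRequest},
     *                          or propagated from the chain
     */
    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        if (!(request instanceof HttpServletRequest)) {
            throw new ServletException(
                    "XssFilter only handles HTTP requests, got " + request.getClass().getName());
        }
        chain.doFilter(new RequestWrapper((HttpServletRequest) request), response);
    }

    /** Releases the stored configuration. */
    @Override
    public void destroy() {
        this.filterConfig = null;
    }
}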
相关代码的注释可以参见：
http://blog.****.net/goskalrie/article/details/51350736
RequestWrapper.java代码：
-
import java.util.Collections;
import java.util.Iterator;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.logging.Level;
import java.util.logging.Logger;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;

import org.owasp.validator.html.AntiSamy;
import org.owasp.validator.html.CleanResults;
import org.owasp.validator.html.Policy;
import org.owasp.validator.html.PolicyException;
import org.owasp.validator.html.ScanException;
-
-
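/**
 * Request wrapper that runs every request parameter value through AntiSamy before the
 * application sees it.
 *
 * <p>Coverage is limited to parameters ({@link #getParameter}, {@link #getParameterValues},
 * {@link #getParameterMap}); headers, cookies, path segments and the raw request body
 * are returned unchanged by the parent class.
 *
 * <p>Failure handling is fail-closed. If the policy cannot be loaded, every parameter
 * read throws {@link IllegalStateException}; a value AntiSamy cannot scan is replaced
 * by an empty string. The previous version returned the unsanitised value in both
 * cases, loaded the policy XML once per parameter value, and printed raw and cleaned
 * parameter values to stdout.
 *
 * <p>Cleaned values are produced in fresh arrays and maps; the container's own
 * parameter storage is never modified in place.
 */
public class RequestWrapper extends HttpServletRequestWrapper {

    private static final Logger LOG = Logger.getLogger(RequestWrapper.class.getName());

    /**
     * Argument handed to {@link Policy#getInstance(String)}.
     * NOTE(review): in this AntiSamy line that overload takes a file-system path, not
     * a classpath resource, so the leading '/' resolves against the filesystem root —
     * confirm where the policy file is deployed, or load it with
     * {@code getResourceAsStream} and the {@code InputStream} overload.
     */
    private static final String POLICY_PATH = "/antisamy-slashdot.xml";

    /** Lazily loaded, shared policy; guarded by the class monitor in {@link #policy()}. */
    private static Policy policy;

    /**
     * Creates a wrapper around {@code request}.
     *
     * @param request the container's request to wrap
     */
    public RequestWrapper(HttpServletRequest request) {
        super(request);
    }

    /**
     * Returns the shared policy, loading it on first use so the XML is parsed once per
     * JVM rather than once per parameter value.
     *
     * <p>A loaded {@code Policy} is assumed to be read-only and safe to share between
     * threads — TODO confirm for the AntiSamy version in use.
     *
     * @return the loaded policy
     * @throws IllegalStateException if the policy cannot be loaded; the wrapper then
     *     refuses to hand out parameters rather than passing them through unclean
     */
    private static synchronized Policy policy() {
        if (policy == null) {
            try {
                policy = Policy.getInstance(POLICY_PATH);
            } catch (PolicyException e) {
                throw new IllegalStateException(
                        "AntiSamy policy could not be loaded from " + POLICY_PATH, e);
            }
        }
        return policy;
    }

    /**
     * Returns a read-only copy of the parameter map in which every value has been
     * cleaned; the container's map and its arrays are left untouched.
     *
     * @return unmodifiable map of parameter name to cleaned values
     */
    @Override
    @SuppressWarnings("unchecked")
    public Map<String, String[]> getParameterMap() {
        Map<String, String[]> original = super.getParameterMap();
        Map<String, String[]> cleaned = new LinkedHashMap<>();
        for (Map.Entry<String, String[]> entry : original.entrySet()) {
            cleaned.put(entry.getKey(), cleanAll(entry.getValue()));
        }
        return Collections.unmodifiableMap(cleaned);
    }

    /**
     * Returns the cleaned first value of {@code name}, or {@code null} when absent.
     *
     * @param name parameter name
     * @return cleaned value or {@code null}
     */
    @Override
    public String getParameter(String name) {
        String raw = super.getParameter(name);
        return raw == null ? null : xssClean(raw);
    }

    /**
     * Returns cleaned copies of all values of {@code name}; {@code null} and an empty
     * array are returned as-is, exactly as the parent would.
     *
     * @param name parameter name
     * @return new array of cleaned values, or the parent's {@code null}/empty result
     */
    @Override
    public String[] getParameterValues(String name) {
        String[] raw = super.getParameterValues(name);
        if (raw == null || raw.length == 0) {
            return raw;
        }
        return cleanAll(raw);
    }

    /** Cleans each element into a new array, leaving {@code values} unmodified. */
    private String[] cleanAll(String[] values) {
        if (values == null) {
            return null;
        }
        String[] out = new String[values.length];
        for (int i = 0; i < values.length; i++) {
            out[i] = values[i] == null ? null : xssClean(values[i]);
        }
        return out;
    }

    /**
     * Runs one value through AntiSamy and returns the cleaned HTML.
     *
     * <p>Raw and cleaned values are deliberately not logged: request parameters can
     * carry credentials or personal data.
     *
     * @param value the untrusted parameter value, never {@code null}
     * @return the policy-cleaned value, or {@code ""} if AntiSamy could not scan it
     * @throws IllegalStateException if the policy is unavailable (see {@link #policy()})
     */
    private String xssClean(String value) {
        try {
            CleanResults results = new AntiSamy().scan(value, policy());
            return results.getCleanHTML();
        } catch (ScanException | PolicyException e) {
            // Fail closed: dropping the value is safer than forwarding it unsanitised.
            LOG.log(Level.WARNING, "AntiSamy could not scan a request parameter; value dropped", e);
            return "";
        }
    }
}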
web.xml代码：
-
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xmlns="http://java.sun.com/xml/ns/javaee"
  xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
  id="WebApp_ID" version="2.5">
  <display-name>sdl</display-name>
  <!-- XSS -->
  <!-- Registers XssFilter (no package prefix because the class is in the default
       package). It wraps each request in RequestWrapper, which runs request
       parameters through AntiSamy; headers, cookies and raw request bodies are not
       covered by that wrapper. -->
  <filter>
    <filter-name>XSS</filter-name>
    <filter-class>XssFilter</filter-class>
  </filter>

  <!-- Applies the filter to every URL. No <dispatcher> element is given, so by the
       servlet default it runs for client requests only, not for FORWARD/INCLUDE
       dispatches — add dispatcher entries if those must be filtered too. -->
  <filter-mapping>
    <filter-name>XSS</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>
  <welcome-file-list>
    <welcome-file>index.html</welcome-file>
    <welcome-file>index.htm</welcome-file>
    <welcome-file>index.jsp</welcome-file>
    <welcome-file>default.html</welcome-file>
    <welcome-file>default.htm</welcome-file>
    <welcome-file>default.jsp</welcome-file>
  </welcome-file-list>
</web-app>
六、验证

htmlTest.html代码
-
<!DOCTYPE html>
<html>
<head>
<!-- Declares UTF-8; main.jsp, which receives this form, declares ISO-8859-1 -
     keep the two in step if non-ASCII input matters. -->
<meta charset="UTF-8">
<title>Insert title here</title>
</head>
<body>
<!-- Test form for the XSS filter: POSTs first_name and last_name to main.jsp,
     which echoes them after they have passed through RequestWrapper. -->
<form action="main.jsp" method="POST">
First Name: <input type="text" name="first_name">
<br />
Last Name: <input type="text" name="last_name" />
<input type="submit" value="Submit" />
</form>
</body>
</html>
如下所示：

main.jsp代码：
-
<%@ page language="java" contentType="text/html; charset=ISO-8859-1"
    pageEncoding="ISO-8859-1"%>
<%-- Verification page: echoes the two fields posted by htmlTest.html.
     The values arrive through RequestWrapper.getParameter, i.e. already cleaned by
     the AntiSamy policy; no further output encoding is applied at the expression
     sinks below, so the policy is the only protection on this page.
     NOTE(review): this page declares ISO-8859-1 while htmlTest.html declares UTF-8,
     so non-ASCII input is likely to be garbled - align both (and the request
     encoding) on UTF-8 if that matters. The heading says GET, but the form uses
     POST. --%>
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>Insert title here</title>
</head>
<body>
<center>
<h1>Using GET Method to Read Form Data</h1>
<ul>
<li><p><b>First Name:</b>
<%-- Cleaned by RequestWrapper; rendered as HTML, not escaped. --%>
<%= request.getParameter("first_name")%>
</p></li>
<li><p><b>Last Name:</b>
<%= request.getParameter("last_name")%>
</p></li>
</ul>
</body>
</html>
如下所示：
