[Switch] HttpServletRequestWrapper implements xss injection,
Here we talk about our solutions in the recent project, mainly using the org. apache. commons. lang3.StringEscapeUtils. escapeHtml4 () method of the commons-lang3-3.1.jar package. The solution mainly involves two steps: user input and display output: special characters such as <> "'& escape are input, and jstl fn: excapeXml (" fff ") is used for output ") method. The input filter is implemented using a filter. implementation process: Add a filter to the web. xml file.
<filter> <filter-name>XssEscape</filter-name> <filter-class>cn.pconline.morden.filter.XssFilter</filter-class> </filter> <filter-mapping> <filter-name>XssEscape</filter-name> <url-pattern>/*</url-pattern> <dispatcher>REQUEST</dispatcher> </filter-mapping>
The XssFilter implementation method is to implement the servlet Filter interface.
package cn.pconline.morden.filter; import java.io.IOException; import javax.servlet.Filter; import javax.servlet.FilterChain; import javax.servlet.FilterConfig; import javax.servlet.ServletException; import javax.servlet.ServletRequest; import javax.servlet.ServletResponse; import javax.servlet.http.HttpServletRequest; public class XssFilter implements Filter { @Override public void init(FilterConfig filterConfig) throws ServletException { } @Override public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException { chain.doFilter(new XssHttpServletRequestWrapper((HttpServletRequest) request), response); } @Override public void destroy() { } }
The key is the implementation method of XssHttpServletRequestWrapper, inherit the servlet's HttpServletRequestWrapper, and rewrite several methods that may carry xss attacks, such:
package cn.pconline.morden.filter; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletRequestWrapper; import org.apache.commons.lang3.StringEscapeUtils; public class XssHttpServletRequestWrapper extends HttpServletRequestWrapper { public XssHttpServletRequestWrapper(HttpServletRequest request) { super(request); } @Override public String getHeader(String name) { return StringEscapeUtils.escapeHtml4(super.getHeader(name)); } @Override public String getQueryString() { return StringEscapeUtils.escapeHtml4(super.getQueryString()); } @Override public String getParameter(String name) { return StringEscapeUtils.escapeHtml4(super.getParameter(name)); } @Override public String[] getParameterValues(String name) { String[] values = super.getParameterValues(name); if(values != null) { int length = values.length; String[] escapseValues = new String[length]; for(int i = 0; i < length; i++){ escapseValues[i] = StringEscapeUtils.escapeHtml4(values[i]); } return escapseValues; } return super.getParameterValues(name); } }
So far, the input filtering is complete.
When displaying data on the page, you simply use fn: escapeXml () to escape the output where the xss vulnerability may occur.
Display complex content, and analyze specific issues.
In some cases, you can use the StringEscapeUtils. unescapeHtml4 () method to restore the escape characters After StringEscapeUtils. escapeHtml4.