Implementation of a JSP filter to prevent XSS vulnerabilities (SHARE)

Source: Internet
Author: User


When Java is used for web development, the parameters a page receives are unpredictable: the great majority of parameter names and values never trigger an XSS vulnerability, but any one of them could. To avoid XSS, developers normally apply the appropriate encoding wherever data is written to the page and wherever it is written to storage. Because developers differ in skill and in how much attention they pay to security while writing code, the encoding step for some piece of user input is easily forgotten. For business scenarios in which the large number of parameters have no legitimate need to carry characters that can cause XSS or SQL injection, a single general-purpose treatment that fits most such scenarios can be applied instead, sacrificing a little user experience to avoid XSS and SQL injection problems.

Concretely, the Servlet Filter mechanism is used to write a custom XssFilter that wraps the incoming request in an HttpServletRequestWrapper whose getParameter and getHeader methods forcibly replace a fixed set of half-width (ASCII) characters, in both the parameter name and the parameter value, with their full-width Unicode equivalents. Those full-width characters cannot close an HTML tag, an attribute or a string literal downstream, so the service layer no longer has to worry about abnormal input in the values it reads through these methods. Two points a practitioner should keep in mind: the substitution rewrites the input rather than encoding it for a specific output context, so it is a defence-in-depth safety net for a missed encoding step, not a replacement for output encoding or parameterized SQL; and it only covers the accessor methods that are overridden, so getParameterValues, getParameterMap and getHeaders still return the raw data unless they are overridden as well.

The Filter wraps the request:

XssFilter.java

package filter;

import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;

public class XssFilter implements Filter {

    public void init(FilterConfig config) throws ServletException {
    }

    public void doFilter(ServletRequest request, ServletResponse response,
            FilterChain chain) throws IOException, ServletException {
        // Wrap the request so that every downstream call to getParameter or
        // getHeader goes through the XSS substitution in the wrapper.
        // The cast assumes an HTTP request, which holds for a /* mapping in a web app.
        XssHttpServletRequestWrapper xssRequest = new XssHttpServletRequestWrapper(
                (HttpServletRequest) request);
        chain.doFilter(xssRequest, response);
    }

    public void destroy() {
    }
}

The request wrapper replaces the unwanted characters:

XssHttpServletRequestWrapper.java

package filter;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;

public class XssHttpServletRequestWrapper extends HttpServletRequestWrapper {

    HttpServletRequest orgRequest = null;

    public XssHttpServletRequestWrapper(HttpServletRequest request) {
        super(request);
        orgRequest = request;
    }

    /**
     * Overrides getParameter and applies the XSS substitution to both the
     * parameter name and the parameter value. <br/>
     * To obtain the original value, use super.getParameterValues(name). <br/>
     * getParameterNames, getParameterValues and getParameterMap may also need
     * to be overridden.
     */
    @Override
    public String getParameter(String name) {
        String value = super.getParameter(xssEncode(name));
        if (value != null) {
            value = xssEncode(value);
        }
        return value;
    }

    /**
     * Overrides getHeader and applies the XSS substitution to both the header
     * name and the header value. <br/>
     * To obtain the original value, use super.getHeaders(name). <br/>
     * getHeaderNames may also need to be overridden.
     */
    @Override
    public String getHeader(String name) {
        String value = super.getHeader(xssEncode(name));
        if (value != null) {
            value = xssEncode(value);
        }
        return value;
    }

    /**
     * Replaces the half-width characters that are prone to causing XSS with
     * their full-width equivalents.
     *
     * @param s
     * @return
     */
    private static String xssEncode(String s) {
        if (s == null || s.isEmpty()) {
            return s;
        }
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
            case '>':
                sb.append('＞'); // full-width greater-than sign
                break;
            case '<':
                sb.append('＜'); // full-width less-than sign
                break;
            case '\'':
                sb.append('‘'); // full-width single quotation mark
                break;
            case '\"':
                sb.append('“'); // full-width double quotation mark
                break;
            case '&':
                sb.append('＆'); // full-width ampersand
                break;
            case '\\':
                sb.append('＼'); // full-width backslash
                break;
            case '#':
                sb.append('＃'); // full-width number sign
                break;
            default:
                sb.append(c);
                break;
            }
        }
        return sb.toString();
    }

    /**
     * Returns the original, unwrapped request.
     *
     * @return
     */
    public HttpServletRequest getOrgRequest() {
        return orgRequest;
    }

    /**
     * Static helper that returns the original request behind a wrapper,
     * or the request itself if it is not wrapped.
     *
     * @return
     */
    public static HttpServletRequest getOrgRequest(HttpServletRequest req) {
        if (req instanceof XssHttpServletRequestWrapper) {
            return ((XssHttpServletRequestWrapper) req).getOrgRequest();
        }
        return req;
    }
}
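To see what the wrapper above actually covers, here is an added example (not part of the original post) that drives filter.XssHttpServletRequestWrapper from a fake request built with java.lang.reflect.Proxy, so it runs on a plain JVM without a servlet container. It assumes the javax.servlet-api jar is on the classpath and that the wrapper is compiled as shown above; the class name XssWrapperDemo, the helpers fakeRequest and containsDangerousChars, and the sample parameter values are all constructed for this demonstration.

```java
package filter;

import java.lang.reflect.InvocationHandler;
import java.lang.reflect.Method;
import java.lang.reflect.Proxy;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;

import javax.servlet.http.HttpServletRequest;

/**
 * Demo (added here, not from the original article): exercises
 * XssHttpServletRequestWrapper against a fake HttpServletRequest.
 * Assumes javax.servlet-api on the classpath and the wrapper compiled
 * in package filter.
 */
public class XssWrapperDemo {

    /** Builds a minimal HttpServletRequest backed by a parameter map via a dynamic proxy. */
    static HttpServletRequest fakeRequest(final Map<String, String[]> params) {
        InvocationHandler handler = new InvocationHandler() {
            @Override
            public Object invoke(Object proxy, Method m, Object[] args) {
                String name = m.getName();
                if (name.equals("getParameter")) {
                    String[] v = params.get((String) args[0]);
                    return (v == null || v.length == 0) ? null : v[0];
                }
                if (name.equals("getParameterValues")) {
                    return params.get((String) args[0]);
                }
                if (name.equals("getParameterMap")) {
                    return Collections.unmodifiableMap(params);
                }
                if (name.equals("getHeader")) {
                    return null; // the fake request carries no headers
                }
                // Nothing else on the interface is needed for this demo
                throw new UnsupportedOperationException(name);
            }
        };
        return (HttpServletRequest) Proxy.newProxyInstance(
                HttpServletRequest.class.getClassLoader(),
                new Class<?>[] { HttpServletRequest.class }, handler);
    }

    /** True if the value still contains any half-width character the wrapper is meant to replace. */
    static boolean containsDangerousChars(String s) {
        return s != null && s.matches(".*[<>'\"&\\\\#].*");
    }

    public static void main(String[] args) {
        Map<String, String[]> params = new HashMap<String, String[]>();
        // Constructed sample input: a classic reflected-XSS probe
        params.put("q", new String[] { "<script>alert('x')</script>" });
        // Constructed sample input: legitimate text that uses filtered characters
        params.put("name", new String[] { "O'Brien & Sons" });

        HttpServletRequest wrapped = new XssHttpServletRequestWrapper(fakeRequest(params));

        // Overridden accessor: the half-width characters are swapped for full-width ones
        String viaGetParameter = wrapped.getParameter("q");
        System.out.println("getParameter      : " + viaGetParameter
                + "  dangerous=" + containsDangerousChars(viaGetParameter));

        // Not overridden by the article's wrapper: the raw value comes straight through
        String viaGetValues = wrapped.getParameterValues("q")[0];
        System.out.println("getParameterValues: " + viaGetValues
                + "  dangerous=" + containsDangerousChars(viaGetValues));

        String viaMap = ((String[]) wrapped.getParameterMap().get("q"))[0];
        System.out.println("getParameterMap   : " + viaMap
                + "  dangerous=" + containsDangerousChars(viaMap));

        // The trade-off the article accepts: legitimate input is rewritten as well
        System.out.println("name via getParameter: " + wrapped.getParameter("name"));
    }
}
```

Running it shows the script probe neutralised when read through getParameter but returned untouched through getParameterValues and getParameterMap, which is the gap the comments in the wrapper warn about: any code that reads a multi-valued parameter or the whole map bypasses the substitution until those methods are overridden too. The last line shows the cost on legitimate input: the apostrophe and ampersand in the name are rewritten, so the value that reaches the service layer no longer equals what the user typed.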

Add the following to web.xml:

<filter>
    <filter-name>xssFilter</filter-name>
    <filter-class>filter.XssFilter</filter-class>
</filter>
<filter-mapping>
    <filter-name>xssFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

That is the whole of this JSP filter implementation for preventing XSS vulnerabilities, as shared by the Alibaba Cloud editor; we hope it serves as a useful reference.
