前端处理方法:
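// Client-side pre-check for the value(s) of every element whose id equals `param`.
// Shows a hint dialog and returns true when the concatenated value contains an HTML
// tag or an alert(...) call; returns false otherwise. This is only a usability hint:
// the server-side AntiParamFilter is the control that actually rejects the request.
//
// Fixes against the original: the typographic quotes (“” ’) were not valid JS string
// delimiters; `alert(.*)` used an unescaped capture group, so it fired on the bare
// word "alert" anywhere in the text (e.g. "alertness") instead of on an alert(...)
// call; and the no-match path returned undefined instead of false.
function checkXSS(param) {
    var pattern = /<[^>]+>|alert\(.*\)/;
    var str = "";
    // NOTE(review): `param` is spliced into a jQuery selector; a value containing a
    // single quote breaks the selector. Assumed to be a trusted, code-supplied id — confirm.
    $("[id='" + param + "']").each(function () {
        str += $(this).val();
    });
    if (pattern.test(str)) {
        $.umapMessager.alert([[#{common.hint}]], [[#{config.cvalue.validate}]]);
        return true;
    }
    return false;
}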
后端加过滤器的例子:
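/**
 * Holder for the keyword lists that {@code AntiParamFilter} reads at start-up.
 * Values are bound from {@code classpath:security.properties} under the {@code security} prefix
 * (the original used typographic quotes in the annotations, which do not compile).
 * Getters and setters are generated by Lombok's {@code @Data}.
 */
@PropertySource(value = {"classpath:security.properties"})
@ConfigurationProperties(prefix = "security")
@Component
@Data
public class SecurityParam {
    // security.antiparam: comma-separated, case-insensitive keywords; a request is rejected
    // when any parameter value contains one of them.
    private String antiparam;
    // security.whiteparam: comma-separated tokens that make a keyword hit acceptable when the
    // token starts exactly where the keyword was found (e.g. "<=" for the keyword "<").
    private String whiteparam;
}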
security.properties:
#antiparam xss/css
security.antiparam=<,>,%3c,set-cookie,src="javascript:,ProcessBuilder,alert(,expression(,function(,confirm(,prompt(,)(
security.whiteparam=<=
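/**
 * Servlet filter that rejects any request whose query/form parameter values contain one of the
 * configured keywords (see {@code security.antiparam}), unless the hit is covered by a whitelist
 * token (see {@code security.whiteparam}) starting at the same position.
 * <p>
 * Changes against the original: the typographic quotes in {@code @WebFilter} did not compile;
 * only the first occurrence of a keyword was checked, so a value like {@code <=<script>} passed
 * because its first {@code <} was whitelisted; blank entries in the keyword list (e.g. a trailing
 * comma) matched every value and blocked all traffic; the rejection response was sent with HTTP 200;
 * and a write failure was reported with {@code printStackTrace()} instead of the logger.
 */
@WebFilter(filterName = "specialChar", urlPatterns = {"/*"})
@Slf4j
public class AntiParamFilter implements Filter {
    // Lower-cased, trimmed keywords whose presence in a parameter value rejects the request.
    private String[] paramVulnerabilityFilter;
    // Lower-cased, trimmed tokens that make a keyword hit acceptable when they start at the hit.
    private String[] whiteParams;
    @Autowired
    private SecurityParam securityParam;

    @Override
    public void destroy() {
        // Nothing to release: the filter only holds keyword arrays read from configuration.
    }

    /**
     * Inspects every parameter value; the first value containing a non-whitelisted keyword
     * rejects the whole request with a fixed "Param is Invalid" body, otherwise the chain continues.
     * <p>
     * Only {@code getParameterMap()} is inspected: headers, cookies, path segments and a raw
     * (e.g. JSON) request body are not covered. The container has already URL-decoded these
     * values, so percent-encoded keywords such as {@code %3c} only match double-encoded input.
     */
    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        Map<String, String[]> params = req.getParameterMap();
        boolean rejected = false;
        // One hit is enough to reject the request, so stop scanning at the first one.
        scan:
        for (String[] paramValues : params.values()) {
            if (paramValues == null) {
                continue;
            }
            for (String paramValue : paramValues) {
                // Locale.ROOT: keyword matching must not depend on the server's default locale.
                if (paramValue != null
                        && existSecurityVulnerability(paramValue.toLowerCase(java.util.Locale.ROOT))) {
                    rejected = true;
                    break scan;
                }
            }
        }
        if (rejected) {
            log.error("Maybe There is Param is Invalid");
            writeVulnerability("Param is Invalid", response);
        } else {
            chain.doFilter(request, response);
        }
    }

    /**
     * Writes a rejection body with HTTP 400.
     *
     * @param message  fixed text to send; it is written into a text/html response unescaped, so it
     *                 must stay a constant and never echo the offending parameter value
     * @param response the response to complete
     */
    private void writeVulnerability(String message, ServletResponse response) {
        HttpServletResponse resp = (HttpServletResponse) response;
        // The original answered with 200, which hides the rejection from clients, proxies and monitoring.
        resp.setStatus(HttpServletResponse.SC_BAD_REQUEST);
        resp.setContentType("text/html;charset=utf8");
        resp.setCharacterEncoding("UTF-8");
        try {
            PrintWriter out = response.getWriter();
            out.println(message);
            out.flush();
        } catch (IOException e) {
            log.error("Failed to write the rejection response", e);
        }
    }

    /**
     * Reports whether the (already lower-cased) value contains a configured keyword at a position
     * that is not covered by a whitelist token.
     *
     * @param paramValue lower-cased parameter value to inspect
     * @return true when a non-whitelisted keyword occurrence exists, false otherwise
     */
    private boolean existSecurityVulnerability(String paramValue) {
        if (paramVulnerabilityFilter == null) {
            return false;
        }
        for (String vulnerKey : paramVulnerabilityFilter) {
            // Walk every occurrence: whitelisting the first one must not hide a later one.
            int index = paramValue.indexOf(vulnerKey);
            while (index > -1) {
                if (!isWhiteParam(index, paramValue)) {
                    return true;
                }
                index = paramValue.indexOf(vulnerKey, index + 1);
            }
        }
        return false;
    }

    /**
     * Reports whether a whitelist token starts exactly at {@code index}, i.e. the keyword found
     * there is part of an allowed longer token (such as {@code <} inside {@code <=}).
     *
     * @param index      position of the keyword hit
     * @param paramValue lower-cased parameter value
     * @return true when some whitelist token starts at {@code index}
     */
    private boolean isWhiteParam(int index, String paramValue) {
        if (whiteParams == null) {
            return false;
        }
        for (String whiteKey : whiteParams) {
            // startsWith at the hit position also covers a token that occurs more than once in the value,
            // which the original's "indexOf == index" comparison missed.
            if (paramValue.startsWith(whiteKey, index)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Loads the keyword and whitelist arrays from {@link SecurityParam}.
     * NOTE(review): assumes the container lets Spring inject {@code securityParam} before
     * {@code init} runs — confirm for this deployment.
     */
    @Override
    public void init(FilterConfig arg0) throws ServletException {
        paramVulnerabilityFilter = splitKeywords(securityParam.getAntiparam());
        whiteParams = splitKeywords(securityParam.getWhiteparam());
    }

    /**
     * Splits a comma-separated keyword list into lower-cased, trimmed entries. Blank entries are
     * dropped because {@code indexOf("")} is 0 for every value, so an empty keyword would reject
     * every request.
     *
     * @param configured raw property value, may be null
     * @return the entries, or null when the property was not set (as before)
     */
    private static String[] splitKeywords(String configured) {
        if (configured == null) {
            return null;
        }
        return java.util.Arrays.stream(configured.toLowerCase(java.util.Locale.ROOT).split(","))
                .map(String::trim)
                .filter(key -> !key.isEmpty())
                .toArray(String[]::new);
    }
}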
来源:oschina
链接:https://my.oschina.net/u/4343139/blog/4463627