267d5231
Commit
267d5231
authored
Jul 17, 2022
by
zengtianlai3
xss 测试
parent
fef5ddec
Changes
2
Hide whitespace changes
Inline
Side-by-side
Showing
2 changed files
with
79 additions
and
0 deletions
+79
-0
ApplyController.java
.../java/iot/sixiang/license/controller/ApplyController.java
+2
-0
XssUtil.java
license/src/main/java/iot/sixiang/license/xss/XssUtil.java
+77
-0
license/src/main/java/iot/sixiang/license/controller/ApplyController.java
...
...
@@ -16,6 +16,7 @@ import iot.sixiang.license.model.PageInfoModel;
import
iot.sixiang.license.model.PageResult
;
import
iot.sixiang.license.model.vo.AppVo
;
import
iot.sixiang.license.service.ApplyService
;
import
iot.sixiang.license.xss.XssUtil
;
import
org.springframework.beans.factory.annotation.Autowired
;
import
org.springframework.web.bind.WebDataBinder
;
import
org.springframework.web.bind.annotation.*
;
...
...
@@ -87,6 +88,7 @@ public class ApplyController {
public
PageResult
<
AppVo
>
getAppList
(
@RequestParam
(
value
=
"pageNo"
,
defaultValue
=
"0"
)
int
pageNo
,
@RequestParam
(
value
=
"pageSize"
,
defaultValue
=
"0"
)
int
pageSize
,
@RequestParam
(
value
=
"appName"
,
required
=
false
)
String
appName
)
{
appName
=
XssUtil
.
checkXSS
(
appName
);
PageInfoModel
<
AppVo
>
records
=
applyService
.
getAppList
(
pageNo
,
pageSize
,
appName
);
int
total
=
records
.
getTotal
();
int
pages
=
total
/
pageSize
;
//pages为总页数
...
...
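Review bot: The new `appName = XssUtil.checkXSS(appName);` rewrites the filter value before it reaches `applyService.getAppList`, so a search string the patterns partially match is looked up in altered form instead of being rejected, and a caller who sends an empty `appName` (the parameter is `required = false`) receives the exception `checkXSS` throws for a zero-length result. Since `appName` is query input here rather than HTML output, the HTML-oriented stripping belongs at the rendering boundary as contextual output encoding, while this endpoint should only validate the parameter (length, allowed characters) and pass it through unchanged. Unrelated to this change but visible in the hunk, `int pages = total / pageSize;` divides by the request-supplied `pageSize`, whose `defaultValue` is `"0"`, so a request without `pageSize` ends in `ArithmeticException`; a guard rejecting `pageSize <= 0` before the division would close that. The body of `getAppList` continues outside the hunk.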
license/src/main/java/iot/sixiang/license/xss/XssUtil.java
0 → 100644
package
iot
.
sixiang
.
license
.
xss
;
import
iot.sixiang.license.consts.ResultCode
;
import
iot.sixiang.license.handler.IotLicenseException
;
import
org.owasp.esapi.ESAPI
;
import
java.util.regex.Pattern
;
import
static
java
.
util
.
regex
.
Pattern
.*;
/**
* Title: XssUtil
* Description: TODO
*
* @author tianlai3
* @date 2022-07-17 15:27:52
*/
public
class
XssUtil
{
public
static
String
checkXSS
(
String
value
)
{
if
(
value
!=
null
)
{
// 推荐使用ESAPI库来避免脚本攻击
value
=
ESAPI
.
encoder
().
canonicalize
(
value
);
// 避免空字符串
value
=
value
.
replaceAll
(
""
,
""
);
// 避免script 标签
Pattern
scriptPattern
=
Pattern
.
compile
(
"<script>(.*?)</script>"
,
CASE_INSENSITIVE
);
value
=
scriptPattern
.
matcher
(
value
).
replaceAll
(
""
);
//避免src形式的表达式
//scriptPattern = compile("src[\r\n]*=[\r\n]*\\\'(.*?)\\\'", CASE_INSENSITIVE | MULTILINE | DOTALL);
//value = scriptPattern.matcher(value).replaceAll("");
scriptPattern
=
Pattern
.
compile
(
"src[\r\n]*=[\r\n]*\\\"(.*?)\\\""
,
CASE_INSENSITIVE
|
MULTILINE
|
DOTALL
);
value
=
scriptPattern
.
matcher
(
value
).
replaceAll
(
""
);
// 删除单个的 </script> 标签
scriptPattern
=
Pattern
.
compile
(
"</script>"
,
CASE_INSENSITIVE
);
value
=
scriptPattern
.
matcher
(
value
).
replaceAll
(
""
);
// 删除单个的<script ...> 标签
scriptPattern
=
Pattern
.
compile
(
"<script(.*?)>"
,
CASE_INSENSITIVE
|
MULTILINE
|
DOTALL
);
value
=
scriptPattern
.
matcher
(
value
).
replaceAll
(
""
);
// 避免 eval(...) 形式表达式
scriptPattern
=
Pattern
.
compile
(
"eval\\((.*?)\\)"
,
CASE_INSENSITIVE
|
MULTILINE
|
DOTALL
);
value
=
scriptPattern
.
matcher
(
value
).
replaceAll
(
""
);
// 避免 expression(...) 表达式
scriptPattern
=
Pattern
.
compile
(
"expression\\((.*?)\\)"
,
CASE_INSENSITIVE
|
MULTILINE
|
DOTALL
);
value
=
scriptPattern
.
matcher
(
value
).
replaceAll
(
""
);
// 避免 javascript: 表达式
scriptPattern
=
Pattern
.
compile
(
"javascript:"
,
CASE_INSENSITIVE
);
value
=
scriptPattern
.
matcher
(
value
).
replaceAll
(
""
);
// 避免 vbscript: 表达式
scriptPattern
=
Pattern
.
compile
(
"vbscript:"
,
CASE_INSENSITIVE
);
value
=
scriptPattern
.
matcher
(
value
).
replaceAll
(
""
);
// 避免 onload= 表达式
scriptPattern
=
Pattern
.
compile
(
"onload(.*?)="
,
CASE_INSENSITIVE
|
MULTILINE
|
DOTALL
);
value
=
scriptPattern
.
matcher
(
value
).
replaceAll
(
""
);
// 避免 onXX= 表达式
scriptPattern
=
Pattern
.
compile
(
"on.*(.*?)="
,
CASE_INSENSITIVE
|
MULTILINE
|
DOTALL
);
value
=
scriptPattern
.
matcher
(
value
).
replaceAll
(
""
);
if
(
value
.
length
()
==
0
)
{
throw
new
IotLicenseException
(
ResultCode
.
VALIDATE_FAILED
.
getCode
(),
"参数含有非法攻击字符,已禁止继续访问!!"
);
}
return
value
;
}
else
{
return
null
;
}
}
}
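Review bot: The rejection check at the end of `checkXSS` fires only when the value has been reduced to length 0, so a legitimately empty input (the controller's `appName` is `required = false` and arrives as `""`) is reported as an attack, while a value that the patterns partially rewrote is silently returned in mutated form; capture `final String original = value;` before the first `ESAPI` call and replace the `value.length() == 0` test with `!value.equals(original)` so that any modification is the rejection signal. `value.replaceAll("", "")` is a no-op (the empty regex matches between characters and is replaced with nothing); if the comment's intent is to strip NUL characters, the pattern should be `"\\x00"`. `ESAPI.encoder().canonicalize(value)` by default throws `org.owasp.esapi.errors.IntrusionException` when it detects mixed or multiple encoding, and that unchecked exception escapes the method un-wrapped, so the caller sees a different error path than the `IotLicenseException` used everywhere else in this method; catch it and convert it. The last pattern `"on.*(.*?)="` is greedy and compiled with `DOTALL`, so it erases everything from the first `on` to the last `=` in the value (an ordinary app name containing the word "on" is affected), which both produces false positives and makes the preceding `onload` pattern redundant; all of these `Pattern.compile` calls should also be `private static final` constants rather than being recompiled on every request. More broadly, deletion-based blocklists are a weak XSS control; the durable defense is contextual output encoding where `appName` is rendered (ESAPI's `encoder().encodeForHTML` exists for that), and the class Javadoc's `Description: TODO` should state that this method is input normalization, not the output-encoding step.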