Commit 267d5231 authored by zengtianlai3's avatar zengtianlai3

xss 测试

parent fef5ddec
......@@ -16,6 +16,7 @@ import iot.sixiang.license.model.PageInfoModel;
import iot.sixiang.license.model.PageResult;
import iot.sixiang.license.model.vo.AppVo;
import iot.sixiang.license.service.ApplyService;
import iot.sixiang.license.xss.XssUtil;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.web.bind.WebDataBinder;
import org.springframework.web.bind.annotation.*;
......@@ -87,6 +88,7 @@ public class ApplyController {
public PageResult<AppVo> getAppList(@RequestParam(value = "pageNo", defaultValue = "0") int pageNo,
@RequestParam(value = "pageSize", defaultValue = "0") int pageSize,
@RequestParam(value = "appName", required = false) String appName) {
appName = XssUtil.checkXSS(appName);
PageInfoModel<AppVo> records = applyService.getAppList(pageNo, pageSize, appName);
int total = records.getTotal();
int pages = total / pageSize;//pages为总页数
......
package iot.sixiang.license.xss;
import iot.sixiang.license.consts.ResultCode;
import iot.sixiang.license.handler.IotLicenseException;
import org.owasp.esapi.ESAPI;
import java.util.regex.Pattern;
import static java.util.regex.Pattern.*;
/**
* Title: XssUtil
* Description: TODO
*
* @author tianlai3
* @date 2022-07-17 15:27:52
*/
public class XssUtil {
public static String checkXSS(String value) {
if (value != null) {
// 推荐使用ESAPI库来避免脚本攻击
value = ESAPI.encoder().canonicalize(value);
// 避免空字符串
value = value.replaceAll("", "");
// 避免script 标签
Pattern scriptPattern = Pattern.compile("<script>(.*?)</script>", CASE_INSENSITIVE);
value = scriptPattern.matcher(value).replaceAll("");
//避免src形式的表达式
//scriptPattern = compile("src[\r\n]*=[\r\n]*\\\'(.*?)\\\'", CASE_INSENSITIVE | MULTILINE | DOTALL);
//value = scriptPattern.matcher(value).replaceAll("");
scriptPattern = Pattern.compile("src[\r\n]*=[\r\n]*\\\"(.*?)\\\"", CASE_INSENSITIVE | MULTILINE | DOTALL);
value = scriptPattern.matcher(value).replaceAll("");
// 删除单个的 </script> 标签
scriptPattern = Pattern.compile("</script>", CASE_INSENSITIVE);
value = scriptPattern.matcher(value).replaceAll("");
// 删除单个的<script ...> 标签
scriptPattern = Pattern.compile("<script(.*?)>", CASE_INSENSITIVE | MULTILINE | DOTALL);
value = scriptPattern.matcher(value).replaceAll("");
// 避免 eval(...) 形式表达式
scriptPattern = Pattern.compile("eval\\((.*?)\\)", CASE_INSENSITIVE | MULTILINE | DOTALL);
value = scriptPattern.matcher(value).replaceAll("");
// 避免 e­xpression(...) 表达式
scriptPattern = Pattern.compile("expression\\((.*?)\\)", CASE_INSENSITIVE | MULTILINE | DOTALL);
value = scriptPattern.matcher(value).replaceAll("");
// 避免 javascript: 表达式
scriptPattern = Pattern.compile("javascript:", CASE_INSENSITIVE);
value = scriptPattern.matcher(value).replaceAll("");
// 避免 vbscript: 表达式
scriptPattern = Pattern.compile("vbscript:", CASE_INSENSITIVE);
value = scriptPattern.matcher(value).replaceAll("");
// 避免 onload= 表达式
scriptPattern = Pattern.compile("onload(.*?)=", CASE_INSENSITIVE | MULTILINE | DOTALL);
value = scriptPattern.matcher(value).replaceAll("");
// 避免 onXX= 表达式
scriptPattern = Pattern.compile("on.*(.*?)=", CASE_INSENSITIVE | MULTILINE | DOTALL);
value = scriptPattern.matcher(value).replaceAll("");
if (value.length() == 0) {
throw new IotLicenseException(ResultCode.VALIDATE_FAILED.getCode(), "参数含有非法攻击字符,已禁止继续访问!!");
}
return value;
} else {
return null;
}
}
}
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment