Spring MVC里面xss攻击的预防

关于xss的介绍可以看 Asp.net安全架构之1：xss（跨站脚本）和腾讯微博的XSS攻击漏洞网页，

具体我就讲讲Spring MVC里面的预防：

第一种方法,使用Spring MVC

web.xml加上：

<context-param>

<param-name>defaultHtmlEscape</param-name>

<param-value>true</param-value>

</context-param>

Forms加上：

1	<spring:htmlEscape defaultHtmlEscape="true" />

更多信息查看OWASP的页面

第二种方法是手动escape

例如用户可以输入：

1	<script>alert();</script>

或者输入

1	<h2>abc<h2>

,如果有异常,显然有xss漏洞。
首先添加一个jar包:commons-lang-2.5.jar,然后在后台调用这些函数：

StringEscapeUtils.escapeHtml(string);

StringEscapeUtils.escapeJavaScript(string);

StringEscapeUtils.escapeSql(string);

前台js调用escape函数即可。

第三种方法是后台加Filter,对每个post请求的参数过滤一些关键字,替换成安全的

例如：< > ‘ “ \ / # &
方法是实现一个自定义的HttpServletRequestWrapper，然后在Filter里面调用它，替换掉getParameter函数即可。
首先添加一个XssHttpServletRequestWrapper:

package com.ibm.web.beans;

import java.util.Enumeration;

import javax.servlet.http.HttpServletRequest;

import javax.servlet.http.HttpServletRequestWrapper;

public class XssHttpServletRequestWrapper extends HttpServletRequestWrapper {

public XssHttpServletRequestWrapper(HttpServletRequest servletRequest) {

super(servletRequest);

}

public String[] getParameterValues(String parameter) {

String[] values = super.getParameterValues(parameter);

if (values==null) {

return null;

}

int count = values.length;

String[] encodedValues = new String[count];

for (int i = 0; i < count; i++) {

encodedValues[i] = cleanXSS(values[i]);

}

return encodedValues;

}

public String getParameter(String parameter) {

String value = super.getParameter(parameter);

if (value == null) {

return null;

}

return cleanXSS(value);

}

public String getHeader(String name) {

String value = super.getHeader(name);

if (value == null)

return null;

return cleanXSS(value);

}

private String cleanXSS(String value) {

//You'll need to remove the spaces from the html entities below

value = value.replaceAll("<", "& lt;").replaceAll(">", "& gt;");

value = value.replaceAll("\\(", "& #40;").replaceAll("\\)", "& #41;");

value = value.replaceAll("'", "& #39;");

value = value.replaceAll("eval\\((.*)\\)", "");

value = value.replaceAll("[\\\"\\\'][\\s]*javascript:(.*)[\\\"\\\']", "\"\"");

value = value.replaceAll("script", "");

return value;

}

然后添加一个过滤器XssFilter ：

package com.ibm.web.beans;

import java.io.IOException;

import javax.servlet.Filter;

import javax.servlet.FilterChain;

import javax.servlet.FilterConfig;

import javax.servlet.ServletException;

import javax.servlet.ServletRequest;

import javax.servlet.ServletResponse;

import javax.servlet.http.HttpServletRequest;

import javax.servlet.http.HttpServletResponse;

public class XssFilter implements Filter {

FilterConfig filterConfig = null;

public void init(FilterConfig filterConfig) throws ServletException {

this.filterConfig = filterConfig;

}

public void destroy() {

this.filterConfig = null;

}

public void doFilter(ServletRequest request, ServletResponse response,

FilterChain chain) throws IOException, ServletException {

chain.doFilter(new XssHttpServletRequestWrapper(

(HttpServletRequest) request), response);

}

最后在web.xml里面配置一下，所有的请求的getParameter会被替换，如果参数里面含有敏感词会被替换掉：

<filter-name>XssSqlFilter</filter-name>

<filter-class>com.ibm.web.beans.XssFilter</filter-class>

</filter>

<filter-mapping>

<filter-name>XssSqlFilter</filter-name>

<url-pattern>/*</url-pattern>

<dispatcher>REQUEST</dispatcher>

</filter-mapping>

(这个Filter也可以防止SQL注入攻击)