サイト間スクリプトブロック-filter
一般的な攻撃対策として、フォーム送信時にすべてのリクエストパラメータを次のようなフィルタに通し、どのような効果があるかを見てみましょう。なお、これは入力時のエンコードであり、出力時の文脈に応じたエンコード（HTML・属性・JavaScript など）の代わりにはなりません。多層防御の一つとして扱ってください。
package com.romeo.backbone.untils;
import java.io.UnsupportedEncodingException;
/**
*
*
* @author aGuang
*
*/
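public class DangerString {

    /**
     * HTML-entity-encodes the characters most commonly used to break out of an
     * HTML element or attribute context.
     * <p>
     * The listing on this page mapped every character to itself (the entity text
     * was evidently lost), which made the method a no-op; each mapped character
     * now becomes an HTML entity so the result is inert when rendered as HTML.
     * <p>
     * NOTE(review): this is input-side encoding. It is not context-aware (URL,
     * JavaScript and CSS contexts need different encoding) and it alters
     * legitimate data such as passwords or search terms containing {@code &} or
     * {@code +}. Prefer encoding at the point of output; treat this as defence
     * in depth only.
     *
     * @param value raw parameter value, may be {@code null}
     * @return the encoded value, or {@code null} when {@code value} is {@code null}
     */
    public static String filter(String value) {
        if (value == null) {
            return null;
        }
        // Entities are up to six characters long, so reserve a little headroom.
        StringBuilder result = new StringBuilder(value.length() + 16);
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            switch (c) {
                case '<':
                    result.append("&lt;");
                    break;
                case '>':
                    result.append("&gt;");
                    break;
                case '"':
                    result.append("&quot;");
                    break;
                case '\'':
                    result.append("&#39;");
                    break;
                case '%':
                    result.append("&#37;");
                    break;
                case ';':
                    result.append("&#59;");
                    break;
                case '(':
                    result.append("&#40;");
                    break;
                case ')':
                    result.append("&#41;");
                    break;
                case '&':
                    result.append("&amp;");
                    break;
                case '+':
                    result.append("&#43;");
                    break;
                default:
                    result.append(c);
                    break;
            }
        }
        return result.toString();
    }

    /**
     * Keywords mangled by {@link #filterDangerString(String)}, paired with the
     * replacement text the original listing used. The replacements are anagrams
     * of the keywords, so a replacement placed next to the right neighbours can
     * re-form a keyword (e.g. {@code "appletlet"} becomes {@code "letapplet"}).
     */
    private static final String[][] DANGEROUS_KEYWORDS = {
        { "script", "ipscrt" },
        { "applet", "letapp" },
        { "embed", "bedem" },
    };

    /**
     * Upper bound on rewrite passes in {@link #filterDangerString(String)}. A
     * pass that changes nothing ends the loop early; the cap only guards against
     * a pathological input that keeps re-forming keywords.
     */
    private static final int MAX_PASSES = 16;

    /**
     * Scrambles the tag names {@code script}, {@code applet} and {@code embed}
     * so they no longer spell a tag.
     * <p>
     * Two weaknesses of the original single, case-sensitive pass are closed here:
     * {@code <SCRIPT>} was left untouched, and inputs such as {@code "appletlet"}
     * or {@code "embedbed"} came out still containing the keyword because the
     * replacement re-formed it with its neighbours. Matching is now
     * case-insensitive and repeated until the string stops changing (or
     * {@link #MAX_PASSES} is reached).
     * <p>
     * NOTE(review): a keyword blacklist is a weak control on its own —
     * {@code <img onerror=...>}, {@code <svg>}, {@code javascript:} URLs and many
     * other vectors are not covered. Use it only alongside proper output encoding.
     *
     * @param value raw text, may be {@code null}
     * @return the scrambled text, or {@code null} when {@code value} is {@code null}
     */
    public static String filterDangerString(String value) {
        if (null == value) {
            return null;
        }
        String current = value;
        for (int pass = 0; pass < MAX_PASSES; pass++) {
            String before = current;
            for (String[] keyword : DANGEROUS_KEYWORDS) {
                // (?i) = case-insensitive; the keywords contain no regex metacharacters.
                current = current.replaceAll("(?i)" + keyword[0], keyword[1]);
            }
            if (current.equals(before)) {
                break;
            }
        }
        return current;
    }

    /**
     * Re-decodes a string whose raw UTF-8 bytes were decoded by the container as
     * ISO-8859-1 (one char per byte): the bytes are recovered with the same
     * charset and decoded again as UTF-8.
     * <p>
     * Caveats: a string that was already decoded correctly will be corrupted by
     * this, and malformed UTF-8 sequences are replaced with U+FFFD silently.
     *
     * @param inStr possibly mis-decoded text, may be {@code null}
     * @return the re-decoded text, or {@code ""} when {@code inStr} is {@code null}
     * @throws UnsupportedEncodingException never in practice; both charsets are
     *         mandatory in every JVM
     */
    public static String toUTF(String inStr) throws UnsupportedEncodingException {
        if (inStr == null) {
            return "";
        }
        return new String(inStr.getBytes("iso-8859-1"), "UTF-8");
    }
}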
package com.gwtjs.filter;
import java.util.Collections;
import java.util.Enumeration;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Vector;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
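public class ParameterRequestWrapper extends HttpServletRequestWrapper {

    /**
     * The parameters this wrapper exposes. A private deep copy, so neither the
     * caller's map nor the container's arrays are shared with the wrapper.
     */
    private final Map<String, String[]> params;

    /**
     * Wraps {@code request} and serves {@code params} in place of the container's
     * parameters. This is the constructor {@code HttpServletParamsRequestFilter}
     * calls; the original listing lacked it and also never assigned the
     * {@code final} field {@code params}, so it could not compile.
     *
     * @param request the request to wrap
     * @param params  the (already filtered) parameters to expose; copied
     */
    public ParameterRequestWrapper(HttpServletRequest request, Map<String, String[]> params) {
        super(request);
        this.params = copyOf(params);
    }

    /**
     * Wraps {@code request} and exposes its own parameters unchanged (no filtering).
     *
     * @param request the request to wrap
     */
    public ParameterRequestWrapper(HttpServletRequest request) {
        this(request, request.getParameterMap());
    }

    /** Deep-copies a parameter map (map and value arrays), tolerating {@code null}. */
    private static Map<String, String[]> copyOf(Map<String, String[]> source) {
        Map<String, String[]> copy = new LinkedHashMap<String, String[]>();
        if (source != null) {
            for (Map.Entry<String, String[]> entry : source.entrySet()) {
                String[] values = entry.getValue();
                copy.put(entry.getKey(), values == null ? null : values.clone());
            }
        }
        return copy;
    }

    /**
     * Returns a read-only view of the filtered parameters. Without this override
     * the call falls through to the wrapped request and returns the UNFILTERED
     * container map, silently bypassing the filter.
     */
    @Override
    public Map<String, String[]> getParameterMap() {
        return Collections.unmodifiableMap(params);
    }

    @Override
    public Enumeration<String> getParameterNames() {
        return Collections.enumeration(params.keySet());
    }

    /** Returns a copy so callers cannot alter the wrapper's stored values. */
    @Override
    public String[] getParameterValues(String name) {
        String[] values = params.get(name);
        return values == null ? null : values.clone();
    }

    /** Returns the first value for {@code name}, or {@code null} if absent or empty. */
    @Override
    public String getParameter(String name) {
        String[] values = params.get(name);
        if (values == null || values.length == 0) {
            return null;
        }
        return values[0];
    }
}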
package com.gwtjs.filter;
import java.io.IOException;
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;

import org.apache.log4j.Logger;

import com.romeo.backbone.untils.DangerString;
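public class HttpServletParamsRequestFilter implements Filter {

    // Named after this filter (the original used HttpServletRequest.class, which
    // made the log lines unattributable).
    private static Logger logger = Logger.getLogger(HttpServletParamsRequestFilter.class);

    /**
     * Passes every request parameter value through {@link DangerString#filter}
     * and hands the downstream chain a {@link ParameterRequestWrapper} that
     * serves the encoded values.
     * <p>
     * Changes from the original listing:
     * <ul>
     * <li>A new map is built instead of writing into the arrays returned by
     *     {@code getParameterMap()}. The servlet spec makes that map immutable
     *     and says nothing about the arrays, so in-place writes relied on
     *     container internals.</li>
     * <li>The key list was populated twice, so every value went through the
     *     filter twice; with real entity encoding that yields
     *     {@code &amp;amp;} instead of {@code &amp;}.</li>
     * <li>The two-argument wrapper constructor the original called did not
     *     exist; it does now.</li>
     * </ul>
     * <p>
     * Scope caveats: only parameter values are encoded — parameter names,
     * headers, cookies, the path, and JSON or multipart bodies are untouched.
     * Input-side HTML encoding is not context-aware and mangles legitimate
     * data; it is defence in depth, not a replacement for output encoding.
     * {@code getRemoteAddr()} is the peer address, which behind a proxy is the
     * proxy, not the client.
     */
    public void doFilter(ServletRequest request, ServletResponse response,
            FilterChain chain) throws IOException, ServletException {
        if (!(request instanceof HttpServletRequest)) {
            // Not an HTTP request: nothing to filter, pass it through unchanged.
            chain.doFilter(request, response);
            return;
        }
        HttpServletRequest req = (HttpServletRequest) request;
        logger.info(req.getRequestURL().toString());
        logger.info(req.getRemoteAddr());
        logger.info(req.getContextPath());

        Map<String, String[]> parameterMap = req.getParameterMap();
        Map<String, String[]> filtered = new LinkedHashMap<String, String[]>();
        for (Map.Entry<String, String[]> entry : parameterMap.entrySet()) {
            String[] raw = entry.getValue();
            if (raw == null) {
                filtered.put(entry.getKey(), null);
                continue;
            }
            String[] encoded = new String[raw.length];
            for (int j = 0; j < raw.length; j++) {
                encoded[j] = DangerString.filter(raw[j]);
            }
            filtered.put(entry.getKey(), encoded);
        }

        chain.doFilter(new ParameterRequestWrapper(req, filtered), response);
    }

    /** Nothing to release. */
    public void destroy() {
    }

    /** No configuration is read. */
    public void init(FilterConfig arg0) throws ServletException {
    }
}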