

How does a Java backend XSS-escape the content of an AJAX request?

I found several pieces of Java backend code for intercepting XSS; they mostly look like the following:

package com.ibm.web.beans;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;

public class XssHttpServletRequestWrapper extends HttpServletRequestWrapper {

    public XssHttpServletRequestWrapper(HttpServletRequest servletRequest) {
        super(servletRequest);
    }

    @Override
    public String[] getParameterValues(String parameter) {
        String[] values = super.getParameterValues(parameter);
        if (values == null) {
            return null;
        }
        int count = values.length;
        String[] encodedValues = new String[count];
        for (int i = 0; i < count; i++) {
            encodedValues[i] = cleanXSS(values[i]);
        }
        return encodedValues;
    }

    @Override
    public String getParameter(String parameter) {
        String value = super.getParameter(parameter);
        if (value == null) {
            return null;
        }
        return cleanXSS(value);
    }

    @Override
    public String getHeader(String name) {
        String value = super.getHeader(name);
        if (value == null) {
            return null;
        }
        return cleanXSS(value);
    }

    private String cleanXSS(String value) {
        // Replace HTML metacharacters with entity references
        value = value.replaceAll("<", "&lt;").replaceAll(">", "&gt;");
        value = value.replaceAll("\\(", "&#40;").replaceAll("\\)", "&#41;");
        value = value.replaceAll("'", "&#39;");
        // Blacklist-style removal of common script patterns
        value = value.replaceAll("eval\\((.*)\\)", "");
        value = value.replaceAll("[\\\"\\\'][\\s]*javascript:(.*)[\\\"\\\']", "\"\"");
        value = value.replaceAll("script", "");
        return value;
    }
}

This only escapes request parameters. How do I escape the JSON body of an AJAX request?

Front-end code:

$.ajaxSetup({
    contentType: 'application/json'
});

var obj = {"name" : "'", "code" : "<script>"};
$.post("/submit", JSON.stringify(obj), function (result, status) {
    alert('ok');
}, "json");

Back-end code:

@RequestMapping(value = "/submit", method = RequestMethod.POST)
public void submit(@RequestBody Student student) {
    System.out.println(student.getName());
    System.out.println(student.getCode());
}

The JSON submitted by this AJAX call is not escaped at all. I'm using Spring. How should I escape AJAX requests: intercept the setter methods with AOP, modify the HttpMessageConverter so the escaping happens when the JSON is converted into a Java object, or some other way?
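As an added example (not code from the question or the answer), here is one way to take the HttpMessageConverter route the question asks about: a Jackson `StdDeserializer<String>` that entity-encodes every JSON string while the `@RequestBody` is bound, so it covers the `name` and `code` fields above without touching the controller. The `Student` class, the `escapeHtml` helper and the sample body are assumptions; unlike the posted `cleanXSS`, this also encodes `&` and `"`, which is needed for the result to be safe in attribute context as well as text context.

```java
import java.io.IOException;
import com.fasterxml.jackson.core.JsonParser;
import com.fasterxml.jackson.databind.DeserializationContext;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.deser.std.StdDeserializer;
import com.fasterxml.jackson.databind.module.SimpleModule;

/** Entity-encodes HTML metacharacters in every JSON string as Jackson binds the request body. */
public class XssStringDeserializer extends StdDeserializer<String> {

    public XssStringDeserializer() {
        super(String.class);
    }

    @Override
    public String deserialize(JsonParser p, DeserializationContext ctxt) throws IOException {
        String raw = p.getValueAsString();
        return raw == null ? null : escapeHtml(raw);
    }

    /** Assumed helper: encode the five characters that matter in HTML text and attribute context. */
    static String escapeHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Mapper to pass to MappingJackson2HttpMessageConverter.setObjectMapper (or expose as a bean). */
    public static ObjectMapper xssSafeMapper() {
        SimpleModule module = new SimpleModule("xss-escape");
        module.addDeserializer(String.class, new XssStringDeserializer());
        return new ObjectMapper().registerModule(module);
    }

    /** Hypothetical stand-in for the question's Student class (public fields so Jackson binds them). */
    public static class Student { public String name; public String code; }

    public static void main(String[] args) throws IOException {
        // Constructed sample body: the same payload the question's front-end code sends.
        Student s = xssSafeMapper().readValue("{\"name\":\"'\",\"code\":\"<script>\"}", Student.class);
        System.out.println(s.name + " " + s.code);
    }
}
```

Because this rewrites data on the way in, a legitimate `<` or `&` in user content is stored encoded; output encoding in the view layer remains the complementary control for values that reach the page from anywhere other than this request path.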

Answer
青裙

Both need escaping. Your class already implements the XSS filtering;
you just need to add a filter on top of it:

public void doFilter(ServletRequest request, ServletResponse response,
        FilterChain chain) throws IOException, ServletException {
    HttpServletRequest req = (HttpServletRequest) request;
    // Hand the wrapped request down the chain (FilterChain.doFilter takes request and response only)
    chain.doFilter(new XssHttpServletRequestWrapper(req), response);
}
22 August 2018, 06:22