Java正則校驗XSS


package com.cnblogs.tangyouwei.common.util;

import java.util.regex.Matcher;
import java.util.regex.Pattern;

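/**
 * Regex-based, blocklist-style XSS filter.
 *
 * <p>Each entry in {@link #patterns} names a fragment this utility treats as hostile.
 * {@link #stripXSS(String)} deletes every match, in array order, and
 * {@link #checkIsXSS(String)} reports whether any pattern matches at all.
 *
 * <p>Limitations a caller must be aware of:
 * <ul>
 *   <li>The filter is lossy. Besides script-like fragments it removes every whitespace
 *       character, single/double quote and angle bracket, so ordinary text such as
 *       {@code "hello world"} is altered by {@link #stripXSS(String)} and reported as
 *       XSS by {@link #checkIsXSS(String)}.</li>
 *   <li>Input is not canonicalized (the ESAPI call in {@link #stripXSS(String)} is
 *       commented out), so HTML-entity or URL-encoded forms of the listed fragments are
 *       not recognized.</li>
 *   <li>Blocklist sanitization of input is not a substitute for contextual output
 *       encoding at the point where the value is rendered.</li>
 * </ul>
 *
 * @author 唐有煒
 */
public class XssUtil {
    /**
     * Fragments removed by {@link #stripXSS(String)}, applied in array order.
     * The array is a constant and must not be modified at runtime.
     */
    private static final Pattern[] patterns = new Pattern[]{
            // Script fragments
            Pattern.compile("<script>(.*?)</script>", Pattern.CASE_INSENSITIVE),
            // src='...'
            Pattern.compile("src[\r\n]*=[\r\n]*\\\'(.*?)\\\'", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL),
            Pattern.compile("src[\r\n]*=[\r\n]*\\\"(.*?)\\\"", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL),
            // lonely script tags
            Pattern.compile("</script>", Pattern.CASE_INSENSITIVE),
            Pattern.compile("<script(.*?)>", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL),
            // eval(...)
            Pattern.compile("eval\\((.*?)\\)", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL),
            // expression(...)
            Pattern.compile("expression\\((.*?)\\)", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL),
            // javascript:...
            Pattern.compile("javascript:", Pattern.CASE_INSENSITIVE),
            // vbscript:...
            Pattern.compile("vbscript:", Pattern.CASE_INSENSITIVE),
            // Whitespace and ASCII single/double quotes. NOTE: this makes the filter match
            // (and strip) any input containing a space, tab, newline or quote.
            Pattern.compile("[\\s\'\"]+", Pattern.CASE_INSENSITIVE),
            // onload(...)=...
            Pattern.compile("onload(.*?)=", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL),
            // alert (the lazy group matches the empty string, so this is effectively a literal)
            Pattern.compile("alert(.*?)", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL),
            // Every angle bracket, regardless of context
            Pattern.compile("<", Pattern.MULTILINE | Pattern.DOTALL),
            Pattern.compile(">", Pattern.MULTILINE | Pattern.DOTALL),
            // Checks any html tags i.e. <script, <embed, <object etc.
            // In stripXSS this can no longer match, because the '<' pattern above has already run.
            Pattern.compile("(<(script|iframe|embed|frame|frameset|object|img|applet|body|html|style|layer|link|ilayer|meta|bgsound))")
    };

    /**
     * Removes NUL characters and every fragment matched by {@link #patterns}.
     *
     * <p>Patterns are applied sequentially, each one on the output of the previous, so the
     * result also loses all whitespace, quotes and angle brackets (see the class comment).
     *
     * @param value text to sanitize; may be {@code null}
     * @return the sanitized text, or {@code null} when {@code value} is {@code null}
     */
    public static String stripXSS(String value) {
        if (value == null) {
            return null;
        }
        // TODO ESAPI library
        // NOTE: It's highly recommended to use the ESAPI library and uncomment the following line to
        // avoid encoded attacks: without canonicalization, encoded forms of the fragments above
        // pass through untouched.
        // value = ESAPI.encoder().canonicalize(value);

        // Avoid null characters. This is a literal replacement, so no regex is compiled per call.
        String cleaned = value.replace("\0", "");

        // Remove all sections that match a pattern. Order matters: later patterns see the output
        // of earlier ones.
        for (Pattern scriptPattern : patterns) {
            cleaned = scriptPattern.matcher(cleaned).replaceAll("");
        }
        return cleaned;
    }

    /**
     * Reports whether any blocklist pattern matches {@code value}.
     *
     * <p>Because the pattern list includes whitespace, quotes and angle brackets, a
     * {@code true} result means "contains characters this filter would strip", not
     * "is a confirmed attack".
     *
     * @param value text to inspect; may be {@code null}
     * @return {@code true} if at least one pattern matches; {@code false} for {@code null}
     *         or for input that no pattern matches
     */
    public static boolean checkIsXSS(String value) {
        if (value == null) {
            return false;
        }
        for (Pattern scriptPattern : patterns) {
            Matcher matcher = scriptPattern.matcher(value);
            if (matcher.find()) {
                return true;
            }
        }
        return false;
    }

    /** Small demonstration: one benign string and one containing a script tag. */
    public static void main(String[] args) {
        String str = "這是正常字符";
        boolean result = XssUtil.checkIsXSS(str);
        System.out.println(str + " 是否包含XSS字符:" + result);

        String str2 = "這是xss字符\'\"<script>alert(111111)</script>";
        boolean result2 = XssUtil.checkIsXSS(str2);
        System.out.println(str2 + " 是否包含XSS字符:" + result2);
    }
}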

