Java正则校验XSS
作者:互联网
package com.landray.kmss.kms.common.util;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
/**
* @author 唐有炜
*/
public class XssUtil {
private static Pattern[] patterns = new Pattern[]{
// Script fragments
Pattern.compile("<script>(.*?)</script>", Pattern.CASE_INSENSITIVE),
// src='...'
Pattern.compile("src[\r\n]*=[\r\n]*\\\'(.*?)\\\'", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL),
Pattern.compile("src[\r\n]*=[\r\n]*\\\"(.*?)\\\"", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL),
// lonely script tags
Pattern.compile("</script>", Pattern.CASE_INSENSITIVE),
Pattern.compile("<script(.*?)>", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL),
// eval(...)
Pattern.compile("eval\\((.*?)\\)", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL),
// expression(...)
Pattern.compile("expression\\((.*?)\\)", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL),
// javascript:...
Pattern.compile("javascript:", Pattern.CASE_INSENSITIVE),
// vbscript:...
Pattern.compile("vbscript:", Pattern.CASE_INSENSITIVE),
// onl oad(...)=...
Pattern.compile("onload(.*?)=", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL),
//现场安全测试增加校验
Pattern.compile("alert(.*?)", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL),
Pattern.compile("<", Pattern.MULTILINE | Pattern.DOTALL),
Pattern.compile(">", Pattern.MULTILINE | Pattern.DOTALL),
// Pattern.Pattern("(document|onload|eval|script|img|svg|onerror|javascript|alert)\\\\b")
Pattern.compile("((alert|on\\w+|function\\s+\\w+)\\s*\\(\\s*(['+\\d\\w](,?\\s*['+\\d\\w]*)*)*\\s*\\))"),
//Checks any html tags i.e. <script, <embed, <object etc.
Pattern.compile("|(<(script|iframe|embed|frame|frameset|object|img|applet|body|html|style|layer|link|ilayer|meta|bgsound))")
};
/*xss校验函数,返回值:true 表示存在xss漏洞,false:不存在*/
public static String stripXSS(String value) {
if (value != null) {
// TODO ESAPI library
// NOTE: It's highly recommended to use the ESAPI library and uncomment the following line to
// avoid encoded attacks.
// value = ESAPI.encoder().canonicalize(value);
// Avoid null characters
value = value.replaceAll("\0", "");
// Remove all sections that match a pattern
for (Pattern scriptPattern : patterns) {
value = scriptPattern.matcher(value).replaceAll("");
}
}
return value;
}
public static boolean checkIsXSS(String value) {
boolean isXss = false;
if (value != null) {
for (Pattern scriptPattern : patterns) {
Matcher matcher = scriptPattern.matcher(value);
if (matcher.find()) {
isXss = true;
break;
}
}
}
return isXss;
}
}
标签:CASE,XSS,Java,DOTALL,Pattern,校验,compile,MULTILINE,INSENSITIVE 来源: https://www.cnblogs.com/tangyouwei/p/13573221.html