1.Struts.xml文件
<interceptors>
<!-- 拦截action请求 防xxs攻击 -->
<interceptor name="MyInterceptor" class="cn.openice.dms.servlet.filter.XssInterceptor"/>
<interceptor-stack name="crudStack">
<interceptor-ref name="MyInterceptor" />
<interceptor-ref name="defaultStack" /> <!-- 位置必须在下面 -->
</interceptor-stack>
</interceptors>
<!--默认拦截全局action-->
<default-interceptor-ref name="crudStack" />
2.XssInterceptor.java
package cn.openice.dms.servlet.filter;
import java.util.Map;
import java.util.regex.Pattern;
import org.apache.commons.lang3.StringEscapeUtils;
import org.apache.struts2.dispatcher.HttpParameters;
import org.apache.struts2.dispatcher.Parameter;
import org.owasp.esapi.ESAPI;
import com.opensymphony.xwork2.ActionContext;
import com.opensymphony.xwork2.ActionInvocation;
import com.opensymphony.xwork2.interceptor.AbstractInterceptor;
public class XssInterceptor extends AbstractInterceptor {
@Override
public String intercept(ActionInvocation invocation) throws Exception {
ActionContext actionContext = invocation.getInvocationContext();
HttpParameters parameters = actionContext.getParameters();
for (Map.Entry<String,Parameter> entry : parameters.entrySet()) {
/* if (!entry.getValue().isMultiple() && entry.getValue().isDefined()){
System.out.println(StringEscapeUtils.escapeHtml4(entry.getValue().getValue()));
if (!entry.getValue().getValue().equals(StringEscapeUtils.escapeHtml4(entry.getValue().getValue()))){
entry.setValue(new Parameter.Request(entry.getValue().getName(),StringEscapeUtils.escapeHtml4(entry.getValue().getValue())));
}
}*/
String value=entry.getValue().getValue();
String newValue=cleanXSS(value);
entry.setValue(new Parameter.Request(entry.getValue().getName(),newValue));
// String entry1=cleanXSS(entry.getValue().toString());
}
return invocation.invoke();
}
private String cleanXSS(String value) {
if (value != null) {
// 推荐使用ESAPI库来避免脚本攻击,
value = ESAPI.encoder().canonicalize(value);
// 避免空字符串
value = value.replaceAll(" ", "");
// 避免script 标签
Pattern scriptPattern = Pattern.compile("<script>(.*?)</script>", Pattern.CASE_INSENSITIVE);
value = scriptPattern.matcher(value).replaceAll("");
// 避免src形式的表达式
scriptPattern = Pattern.compile("src[\r\n]*=[\r\n]*\\\‘(.*?)\\\‘",
Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
value = scriptPattern.matcher(value).replaceAll("");
scriptPattern = Pattern.compile("src[\r\n]*=[\r\n]*\\\"(.*?)\\\"",
Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
value = scriptPattern.matcher(value).replaceAll("");
// 删除单个的 </script> 标签
scriptPattern = Pattern.compile("</script>", Pattern.CASE_INSENSITIVE);
value = scriptPattern.matcher(value).replaceAll("");
// 删除单个的<script ...> 标签
scriptPattern = Pattern.compile("<script(.*?)>",
Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
value = scriptPattern.matcher(value).replaceAll("");
// 避免 eval(...) 形式表达式
scriptPattern = Pattern.compile("eval\\((.*?)\\)",
Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
value = scriptPattern.matcher(value).replaceAll("");
// 避免 e-xpression(...) 表达式
scriptPattern = Pattern.compile("e-xpression\\((.*?)\\)",
Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
value = scriptPattern.matcher(value).replaceAll("");
// 避免 javascript: 表达式
scriptPattern = Pattern.compile("javascript:", Pattern.CASE_INSENSITIVE);
value = scriptPattern.matcher(value).replaceAll("");
// 避免 vbscript:表达式
scriptPattern = Pattern.compile("vbscript:", Pattern.CASE_INSENSITIVE);
value = scriptPattern.matcher(value).replaceAll("");
// 避免 onload= 表达式
scriptPattern = Pattern.compile("onload(.*?)=",
Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
value = scriptPattern.matcher(value).replaceAll("");
}
return value;
}
}