
XSS defence:
1. Avoid setting the domain to the root of the domain name wherever possible, so that an XSS flaw on a sub-site has less impact on the main site;
2. Filter and check all input data:
public static String htmlSpecialChars(final String s) {
    // Escape the four characters that let user input break out of HTML text.
    // '&' must be replaced first, otherwise the entities added below would be escaped again.
    // Single quotes are not escaped, so attribute values must always be double-quoted.
    String result = s;
    result = result.replace("&", "&amp;");
    result = result.replace("\"", "&quot;");
    result = result.replace("<", "&lt;");
    result = result.replace(">", "&gt;");
    return result;
}
Note: CSS behaviours can also lead to JavaScript execution (legacy IE CSS expressions), so style values must be filtered too:

    #content { height: expression(alert('test xss')); }

If HTML input must be supported, this filter can be used (attached; open source).
Example:
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.regex.Pattern;

// Whitelist configuration for the HTML filter: vAllowed maps a tag name to the
// attributes it may carry, and an attribute may restrict its values by regex.
// Attribute comes from the filter library; the vAllowed declaration is assumed here.
Map<String, List<Attribute>> vAllowed = new HashMap<>();
{
    final List<Attribute> span_atts = new ArrayList<>();
    Map<String, Pattern> allowedAttrValues = new HashMap<>();
    // Each CSS property permitted inside style="..." must match its pattern.
    allowedAttrValues.put("color", Pattern.compile("(#([0-9a-fA-F]{6}|[0-9a-fA-F]{3}))"));
    allowedAttrValues.put("font-weight", Pattern.compile("bold"));
    allowedAttrValues.put("text-align", Pattern.compile("(center|right|justify)"));
    allowedAttrValues.put("font-style", Pattern.compile("italic"));
    allowedAttrValues.put("text-decoration", Pattern.compile("underline"));
    allowedAttrValues.put("margin-left", Pattern.compile("[0-9]+px"));
    span_atts.add(new Attribute("style", allowedAttrValues));
    vAllowed.put("span", span_atts);
}
{
    final List<Attribute> div_atts = new ArrayList<>();
    div_atts.add(new Attribute("class"));
    div_atts.add(new Attribute("align"));
    vAllowed.put("div", div_atts);
}
2. Then run the untrusted HTML through the filter with a call such as:
    String outHtml = HetaoBlogXssHTMLFilter.filter(sourceHtmlString);
3. For image uploads, check that the file really is a valid image format and not a disguised one; the image server should, as far as possible, not enable script execution (Java, PHP, .NET), or should not parse image files as programs;

CSRF defence:
On the web application side, CSRF is usually defended against by checking the Referer to determine the origin URL of the request, by using a token, or by using a verification code that JavaScript cannot see;
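The token and Referer checks mentioned above, as an added example that is not part of the original post: plain Java without a servlet container, where the session store and the names CsrfTokenGuard, issueToken, isValid and refererAllowed are assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

/** Synchronizer-token CSRF protection: one random token per session, compared in constant time. */
public final class CsrfTokenGuard {
    private static final SecureRandom RNG = new SecureRandom();
    // Hypothetical session store: session id -> CSRF token (a real app would use HttpSession).
    private final Map<String, String> tokensBySession = new ConcurrentHashMap<>();

    /** Issues a fresh 256-bit token for the session; render it into a hidden form field. */
    public String issueToken(String sessionId) {
        byte[] raw = new byte[32];
        RNG.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        tokensBySession.put(sessionId, token);
        return token;
    }

    /** True only if the submitted token matches the one stored for this session. */
    public boolean isValid(String sessionId, String submittedToken) {
        String expected = tokensBySession.get(sessionId);
        if (expected == null || submittedToken == null) {
            return false;
        }
        // MessageDigest.isEqual compares in constant time, so timing does not leak the token.
        return MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8),
                                     submittedToken.getBytes(StandardCharsets.UTF_8));
    }

    /** Supplementary Referer check: accept only requests whose Referer is on our own origin. */
    public static boolean refererAllowed(String referer, String expectedOrigin) {
        // Browsers and proxies often strip Referer, so this is a second layer, not the only check.
        return referer != null && referer.startsWith(expectedOrigin + "/");
    }

    public static void main(String[] args) {
        CsrfTokenGuard guard = new CsrfTokenGuard();
        String sid = "session-123";              // constructed sample session id
        String token = guard.issueToken(sid);    // would be embedded in the form
        System.out.println("valid token accepted:  " + guard.isValid(sid, token));
        System.out.println("forged token rejected: " + !guard.isValid(sid, "not-the-token"));
        System.out.println("cross-site referer rejected: "
            + !refererAllowed("https://other.example/page", "https://www.example.com"));
    }
}
```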