0

我写了一个Filter下面是代码。

public void doFilter(ServletRequest request, ServletResponse response,FilterChain chain)
            throws IOException, ServletException {

HttpServletRequest srequest = (HttpServletRequest) request;
HttpServletResponse sresponse = (HttpServletResponse) response;

String url = srequest.getRequestURI();
if(url.contains("//What patterns to be checked here?"))
{
 //Invalidate the Session
 //Redirect to error page
}

正在阅读形成的 URL 并希望避免XSS攻击。因此,我想检查 URL 中是否存在任何可能表明它可能导致XSS攻击的模式。

我可以在这里查看所有模式的综合列表吗?例如,

url.contains("<script>");
4

1 回答 1

7

哇,不要。有很多资料可以向您解释原因:

  • 黑名单几乎总是一件坏事
  • 您不应该在输入上检查 XSS,但是,无论其来源如何,都应转义输出

如果您想了解有关防止 XSS 的更多信息,请转到Owasp xss 备忘单

On the other site if you want to add some limited scripting/editing functionality to your web site, you could and should use substitution (like in stackoverflow you don't write <\b> you use ** which is later transformed to appropriate html tags). Or you can use whitelisting, only and only allow text and some of the tags, but it can be tricky and you would have to be very careful.

于 2012-12-24T08:02:52.523 回答