package pwc.taxtech.atms.common;

import org.apache.commons.lang3.StringUtils;

import java.util.regex.Pattern;

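/**
 * Denylist-based scrubber for a small set of script-injection constructs.
 *
 * <p>This is a defence-in-depth input filter, not a substitute for contextual output
 * encoding at the rendering layer. It only removes the literal constructs matched below
 * ({@code <script>} tags, {@code eval(...)}, {@code expression(...)},
 * {@code javascript:}/{@code vbscript:} URL schemes and {@code onload=} handlers) and does
 * no canonicalisation, so encoded or otherwise obfuscated variants pass through untouched.
 * The original author's recommendation to canonicalise with the ESAPI encoder before
 * filtering still stands and is not implemented here.
 *
 * <p>All patterns are compiled once; {@link Pattern} is thread-safe and a fresh
 * {@link java.util.regex.Matcher} is created per call, so {@link #cleanXSS} may be invoked
 * concurrently.
 */
public class XSSUtil {
    // Paired <script>...</script> element including its body. DOTALL so a body that spans
    // several lines is removed together with its tags instead of surviving as loose text
    // once the lone-tag patterns below strip the tags individually.
    private static final Pattern SCRIPT_BLOCK =
            Pattern.compile("<script>(.*?)</script>", Pattern.CASE_INSENSITIVE | Pattern.DOTALL);
    // Unmatched closing tag.
    private static final Pattern SCRIPT_CLOSE =
            Pattern.compile("</script>", Pattern.CASE_INSENSITIVE);
    // Unmatched opening tag, with any attributes.
    private static final Pattern SCRIPT_OPEN =
            Pattern.compile("<script(.*?)>", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
    private static final Pattern EVAL_CALL =
            Pattern.compile("eval\\((.*?)\\)", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
    // CSS expression(...). Written in plain ASCII: the earlier copy of this pattern carried a
    // U+00AD soft hyphen inside the word "expression", so it never matched the real token.
    private static final Pattern CSS_EXPRESSION =
            Pattern.compile("expression\\((.*?)\\)", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
    private static final Pattern JAVASCRIPT_SCHEME =
            Pattern.compile("javascript:", Pattern.CASE_INSENSITIVE);
    private static final Pattern VBSCRIPT_SCHEME =
            Pattern.compile("vbscript:", Pattern.CASE_INSENSITIVE);
    // The lazy group still spans from "onload" to the next "=" anywhere later in the value,
    // so ordinary text between the two is removed as well. Kept for parity with the original
    // behaviour; callers should not expect this to be attribute-aware.
    private static final Pattern ONLOAD_HANDLER =
            Pattern.compile("onload(.*?)=", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);

    // Applied in this order. SCRIPT_BLOCK must run before the lone-tag patterns so that it
    // sees intact open/close pairs and removes the script body along with them.
    private static final Pattern[] PATTERNS = {
            SCRIPT_BLOCK,
            SCRIPT_CLOSE,
            SCRIPT_OPEN,
            EVAL_CALL,
            CSS_EXPRESSION,
            JAVASCRIPT_SCHEME,
            VBSCRIPT_SCHEME,
            ONLOAD_HANDLER,
    };

    // Stripping of src='...' / src="..." attributes was disabled upstream because it also
    // removed legitimate content produced by the Baidu rich-text editor. Re-enabling it needs
    // a test covering that editor's output.

    /**
     * Removes the script-injection constructs listed on the class from {@code value}.
     *
     * @param value the untrusted text; may be {@code null}
     * @return {@code value} unchanged when it is {@code null}, empty or whitespace-only,
     *         otherwise a copy with NUL characters and every match of the class patterns
     *         removed
     */
    public static String cleanXSS(String value) {
        if (isBlank(value)) {
            return value;
        }
        // Drop NUL characters first. The original wrote this as replaceAll("", ""), which
        // matches the empty string between every character and therefore changed nothing.
        String cleaned = value.replace("\0", "");
        for (Pattern pattern : PATTERNS) {
            cleaned = pattern.matcher(cleaned).replaceAll("");
        }
        return cleaned;
    }

    /**
     * Same contract as commons-lang {@code StringUtils.isBlank}: {@code null}, empty, or
     * consisting only of {@link Character#isWhitespace(char)} characters.
     */
    private static boolean isBlank(String s) {
        if (s == null || s.isEmpty()) {
            return true;
        }
        for (int i = 0; i < s.length(); i++) {
            if (!Character.isWhitespace(s.charAt(i))) {
                return false;
            }
        }
        return true;
    }
}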