我在下面添加了一个适用于Jersey 2.x的过滤器。但是,它没有对cookies进行XSS修复,因为我还没有找到修改它们的方法。
需要注意的重要一点是,这需要与POJO属性上的@SafeHtml结合使用,以清理这些值。
@PreMatchingpublic class XSSFilter implements ContainerRequestFilter{ @Override public void filter( ContainerRequestContext request ) { cleanQueryParams( request ); cleanHeaders( request.getHeaders() ); } private void cleanQueryParams( ContainerRequestContext request ) { UriBuilder builder = request.getUriInfo().getRequestUriBuilder(); MultivaluedMap<String, String> queries = request.getUriInfo().getQueryParameters(); for( Map.Entry<String, List<String>> query : queries.entrySet() ) { String key = query.getKey(); List<String> values = query.getValue(); builder.replaceQueryParam( key ); for( String value : values ) { builder.replaceQueryParam( key, Utils.stripXSS( value ) ); } } request.setRequestUri( builder.build() ); } private void cleanHeaders( MultivaluedMap<String, String> headers ) { for( Map.Entry<String, List<String>> header : headers.entrySet() ) { String key = header.getKey(); List<String> values = header.getValue(); List<String> cleanValues = new ArrayList<String>(); for( String value : values ) { cleanValues.add( Utils.stripXSS( value ) ); } headers.put( key, cleanValues ); } }}stripXSS函数如下:
public static String stripXSS( String value ){ return stripXSS( value, Whitelist.none() );}public static String stripXSS( String value, Whitelist whitelist ){ if( StringUtils.isBlank( value ) ) return value; // Use the ESAPI library to avoid enpred attacks. value = ESAPI.enprer().canonicalize( value ); // Avoid null characters value = value.replaceAll("�", ""); // Clean out HTML document.OutputSettings outputSettings = new document.OutputSettings(); outputSettings.escapeMode( EscapeMode.xhtml ); outputSettings.prettyPrint( false ); value = Jsoup.clean( value, "", whitelist, outputSettings ); return value;}还更新了原始帖子:http : //prehustler.org/blog/jersey-cross-site-
scripting-xss-filter-for-java-web-apps/
