Página inicial Explorar Ajuda
Registrar Entrar
sugb
/
dzhh-backend
1
0
Fork 0
Arquivos Issues 0 Pull Requests 0 Wiki
Tree: fbc4312a8c
Branches Tags
dzhh-backend
/
.svn
/
pristine
/
2c
/
2cbf87feb5a0e5c4bfd7ac19fdbaeed9cd4c2cef.svn-base

2cbf87feb5a0e5c4bfd7ac19fdbaeed9cd4c2cef.svn-base 2.5 KB
Histórico Raw

1234567891011121314151617181920212223242526272829303132333435363738394041424344 
  1. package org.jeecg.modules.system.util;
    2. 

  2. 

  3. import org.springframework.web.util.HtmlUtils;
    4. 

  4. 

  5. import java.util.regex.Pattern;
    6. 

  6. 

  7. /**
    8. 

  8.  * @Description: 工具类XSSUtils,现在的做法是替换成空字符,CSDN的是进行转义,比如文字开头的"<"转成&lt;
    9. 

  9.  * @author: lsq
    10. 

  10.  * @date: 2021年07月26日 19:13
    11. 

  11.  */
    12. 

  12. public class XSSUtils {
    13. 

  13.     public static String striptXSS(String value) {
    14. 

  14.         if (value != null) {
    15. 

  15.             value = value.replaceAll(" ", "");
    16. 

  16.             Pattern scriptPattern = Pattern.compile("<script>(.*?)</script>", Pattern.CASE_INSENSITIVE);
    17. 

  17.             value = scriptPattern.matcher(value).replaceAll("");
    18. 

  18.             scriptPattern = Pattern.compile("src[\r\n]*=[\r\n]*\\\'(.*?)\\\'", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
    19. 

  19.             value = scriptPattern.matcher(value).replaceAll("");
    20. 

  20.             scriptPattern = Pattern.compile("src[\r\n]*=[\r\n]*\\\"(.*?)\\\"", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
    21. 

  21.             value = scriptPattern.matcher(value).replaceAll("");
    22. 

  22.             scriptPattern = Pattern.compile("</script>", Pattern.CASE_INSENSITIVE);
    23. 

  23.             value = scriptPattern.matcher(value).replaceAll("");
    24. 

  24.             scriptPattern = Pattern.compile("<script(.*?)>", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
    25. 

  25.             value = scriptPattern.matcher(value).replaceAll("");
    26. 

  26.             scriptPattern = Pattern.compile("eval\\((.*?)\\)", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
    27. 

  27.             value = scriptPattern.matcher(value).replaceAll("");
    28. 

  28.             scriptPattern = Pattern.compile("e­xpression\\((.*?)\\)", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
    29. 

  29.             value = scriptPattern.matcher(value).replaceAll("");
    30. 

  30.             scriptPattern = Pattern.compile("javascript:", Pattern.CASE_INSENSITIVE);
    31. 

  31.             value = scriptPattern.matcher(value).replaceAll("");
    32. 

  32.             scriptPattern = Pattern.compile("vbscript:", Pattern.CASE_INSENSITIVE);
    33. 

  33.             value = scriptPattern.matcher(value).replaceAll("");
    34. 

  34.             scriptPattern = Pattern.compile("onload(.*?)=", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
    35. 

  35.             value = scriptPattern.matcher(value).replaceAll("");
    36. 

  36.         }
    37. 

  37.         return HtmlUtils.htmlEscape(value);
    38. 

  38.     }
    39. 

  39. 

  40.     public static void main(String[] args) {
    41. 

  41.         String s = striptXSS("<img  src=x onload=alert(111).*?><script></script>javascript:eval()\\\\.");
    42. 

  42.         System.err.println("s======>" + s);
    43. 

  43.     }
    44. 

  44. }
    45.