我的要求是,我使用白名单正则表达式模式来避免xss和sql注入,因为我在字符串中允许的字符为([A-Za-z0-9,\\(\\)\\[\\]\\{\\}\"\\:./_\\s]|(?<!-)-)*
简而言之,下面的测试用例应该成功运行
import java.util.regex.Pattern;
public class XSSAttackTest {
private static Pattern xssAttackPattern;
private static final String XSS_ATTACK_REGULAR_EXPRESSION1 = "([A-Za-z0-9,\\(\\)\\[\\]\\{\\}\"\\:./_\\s]|(?<!-)-)*";
public static Pattern getXSSAttackPattern() {
xssAttackPattern = Pattern.compile(XSS_ATTACK_REGULAR_EXPRESSION1);
return xssAttackPattern;
}
public static boolean hasXSSAttackOrSQLInjection1(String value) {
if (getXSSAttackPattern().matcher(value).matches()) {
return true;
}
return false;
}
public static void main(String arg[]) {
System.out.println(" :::::: Regular Expression ::::::");
XSSAttackTest();
}
private static void XSSAttackTest() {
String jsonWithoutDobuleQuote = "{systemaddress:10:9A:DD:54:BA:3F,name:0541cb61fe0c37002f15df342df18a912689875f75159335d936e281f9098a78c598334cf59dc9bcf55dd4614097effd874194b47d19194b5e7d0aa3a61290a2b5e90323ef3967571499a820af8424f935b35c36ea34fd83b08fdf14c3b454c6962b36e9de4b1bc75e793832b59efb9648cb04f7153e0b3c1c648e64154d9b05,number:c097a8c8a481e0b50911d96b8d15ca326bcb47c1056cfae7552f23fa6ba179bf48c4b32aecd42e23c76b148e057ce0acdacba8fb7cf93619aca18b7dfcf931511b7b7889db2703ec9b48fe68c713205f5333ffc4abbce8489d32fe6a54c518d24a1774f864964379497276f38d7b8611d54c035339922efe9ea0b1b4266a1d64,zip:521bf5503247d51cf2a2997fc7e2fd7055cb62c352bb1bacbf4d8af0e45984ab8becb4ce4ef824b2740591574317a6548231b831f2b2b73421d25a2b979ce10cebe4b52f555793909cbfa09d9617d4fdba4632f896bd43113381dea8cbc66cc8bb5cffdbd3d45b73d9e6dfb56b998f5e44568e9e7a419c75998acd3d5898f048,ssn:98c07a39f46b6fcbcc331510cb698f2fc331590b4033ef51ff86649283e99396aa48769b563511978fce652f41be98d326a62033176f9a5bfccfd9270e69316ebe3f6152d280bc83782c31d17c4b5d34df7c3107601bb5bb19968056d921b435aa62fc0855c5c57f249eedc9bb581379def31354d5afab5180c8ab63ac7a743e,Provider:xyz,deviceModel:iPhone Simulator,id:1731368714731871}";
System.out.println("String::" + jsonWithoutDobuleQuote + "::Result::"
+ hasXSSAttackOrSQLInjection1(jsonWithoutDobuleQuote));
}
}
当我运行上面的代码抛出异常时,我在这里尝试检查代码中的给定字符串是否包含XSS倾向字符
Exception in thread "main" java.lang.StackOverflowError
at java.util.regex.Pattern$6.isSatisfiedBy(Pattern.java:4763)
at java.util.regex.Pattern$6.isSatisfiedBy(Pattern.java:4763)
at java.util.regex.Pattern$6.isSatisfiedBy(Pattern.java:4763)
at java.util.regex.Pattern$6.isSatisfiedBy(Pattern.java:4763)
答案 0 :(得分:1)
这是您不应该使用自己的安全机制的主要示例。您想使用OWASP项目来解决此类问题。
documentation
例如:
String safe = ESAPI.encoder().encodeForHTMLAttribute
( request.getParameter( "input" ) );
和消毒剂:
import org.owasp.html.Sanitizers;
import org.owasp.html.PolicyFactory;
PolicyFactory sanitizer = Sanitizers.FORMATTING.and(Sanitizers.BLOCKS);
String cleanResults = sanitizer.sanitize("<p>Hello, <b>World!</b>");