我在下面添加了一个适用于 Jersey 2.x 的过滤器。不过，它没有对 Cookie 做 XSS 清理，因为我还没有找到修改 Cookie 的方法。
需要注意的是，这需要与 POJO 属性上的 @SafeHtml 注解结合使用，才能把这些值清理干净。
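@PreMatching
public class XSSFilter implements ContainerRequestFilter
{
    /**
     * Sanitizes the query string and the request headers of every incoming
     * request before resource matching. Only those two sources are touched:
     * the request entity (body) is not read here, so values arriving in the
     * body still have to be validated elsewhere.
     *
     * @see ContainerRequestFilter#filter(ContainerRequestContext)
     */
    @Override
    public void filter(ContainerRequestContext request)
    {
        cleanQueryParams(request);
        cleanHeaders(request.getHeaders());
    }

    /**
     * Replaces the request URI with one whose query parameter values have
     * been passed through {@code Utils.stripXSS}. All values of a
     * multi-valued parameter are kept: the cleaned values are written back
     * with a single {@code replaceQueryParam} call, because calling it once
     * per value overwrites the previously written ones and leaves only the
     * last value.
     *
     * @param request the request whose URI is rewritten in place
     */
    private void cleanQueryParams(ContainerRequestContext request)
    {
        UriBuilder builder = request.getUriInfo().getRequestUriBuilder();
        MultivaluedMap<String, String> queries = request.getUriInfo().getQueryParameters();
        for (Map.Entry<String, List<String>> query : queries.entrySet())
        {
            String key = query.getKey();
            List<String> cleanValues = stripAll(query.getValue());
            // An empty array removes the parameter, which is what a parameter
            // without any values ended up as before as well.
            builder.replaceQueryParam(key, cleanValues.toArray());
        }
        request.setRequestUri(builder.build());
    }

    /**
     * Replaces every header value with its {@code Utils.stripXSS} result.
     * The cleaned values are collected first and written back afterwards so
     * that the header map is not modified while its entry set is iterated.
     *
     * @param headers the mutable request header map, updated in place
     */
    private void cleanHeaders(MultivaluedMap<String, String> headers)
    {
        Map<String, List<String>> cleaned = new LinkedHashMap<String, List<String>>();
        for (Map.Entry<String, List<String>> header : headers.entrySet())
        {
            cleaned.put(header.getKey(), stripAll(header.getValue()));
        }
        for (Map.Entry<String, List<String>> header : cleaned.entrySet())
        {
            headers.put(header.getKey(), header.getValue());
        }
    }

    /**
     * Applies {@code Utils.stripXSS} to each value, preserving order.
     *
     * @param values the raw values; may be empty
     * @return a new list holding the cleaned values
     */
    private static List<String> stripAll(List<String> values)
    {
        List<String> cleanValues = new ArrayList<String>(values.size());
        for (String value : values)
        {
            cleanValues.add(Utils.stripXSS(value));
        }
        return cleanValues;
    }
}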
stripXSS 函数如下：
/**
 * Strips all HTML from {@code value}: the empty Jsoup whitelist
 * ({@link Whitelist#none()}) lets no tag survive. Delegates to
 * {@link #stripXSS(String, Whitelist)}, so blank or {@code null} input is
 * returned unchanged.
 *
 * @param value the raw input
 * @return the cleaned value
 */
public static String stripXSS(String value)
{
    Whitelist noHtmlAllowed = Whitelist.none();
    return stripXSS(value, noHtmlAllowed);
}
/**
 * Strips potential XSS payloads from {@code value}, keeping only the HTML the
 * given Jsoup whitelist allows. Blank or {@code null} input is returned
 * unchanged. The cleaning is lossy: the value is canonicalized first and the
 * surviving text is re-serialised by Jsoup in XHTML escape mode, so a
 * legitimate value containing characters such as {@code &} or {@code <} is
 * expected to come back entity-escaped rather than byte-identical.
 *
 * @param value     the raw input
 * @param whitelist the Jsoup whitelist of HTML that may survive
 * @return the cleaned value, or {@code value} itself when it is blank
 */
public static String stripXSS(String value, Whitelist whitelist)
{
    if (StringUtils.isBlank(value)) {
        return value;
    }
    // Canonicalize before cleaning so encoded payloads are decoded before the
    // HTML cleaner sees them. NOTE(review): depending on the ESAPI
    // configuration, canonicalize can throw an unchecked IntrusionException on
    // multiple/mixed encoding - confirm against ESAPI.properties.
    String canonical = ESAPI.encoder().canonicalize(value);
    // Remove NUL characters.
    String withoutNul = canonical.replace("\0", "");
    // No pretty printing, so the whitespace of the input is kept as-is.
    Document.OutputSettings settings = new Document.OutputSettings()
            .escapeMode(EscapeMode.xhtml)
            .prettyPrint(false);
    return Jsoup.clean(withoutNul, "", whitelist, settings);
}
我也更新了原来的帖子：http://codehustler.org/blog/jersey-cross-site-scripting-xss-filter-for-java-web-apps/