

package com.github.kaizen4j.util;

import java.util.regex.Pattern;
import org.apache.commons.lang3.StringUtils;
import org.jsoup.Jsoup;
import org.jsoup.safety.Whitelist;

/**
 * Utilities for stripping script-like content out of untrusted strings.
 *
 * <p>Two strategies are offered: {@link #strip(String)} delegates to Jsoup with
 * {@code Whitelist.basic()}, and {@link #stripRegex(String)} deletes every match of
 * the fixed regular-expression list in {@link #patterns}. Both first remove NUL
 * characters ({@link #AVOID}) from the input.
 *
 * <p>NOTE(review): the regex variant is a fixed blacklist — it can only remove the
 * exact fragments enumerated below and does not encode anything. Treat it as an
 * input-sanitising convenience, not as a replacement for context-aware output
 * encoding at the point where the value is rendered.
 *
 * @author liuguowen
 */
public final class XssUtils {

    // NUL byte; both strip methods delete it from the input before filtering.
    private static final String AVOID = "\0";

    // Applied by stripRegex in array order; each match is replaced with "".
    // NOTE(review): several entries below are shown as the empty pattern "". An empty
    // pattern matches the empty string at every position and replaceAll("") then
    // changes nothing, so as displayed those entries are no-ops. Their comments
    // ("Script fragments", "lonely script tags") suggest tag-matching expressions
    // whose angle-bracket text may have been lost when this page was rendered —
    // confirm against the original source before relying on this list.
    private static final Pattern[] patterns = new Pattern[]{
            // Script fragments
            // NOTE(review): empty pattern as shown — see the note above.
            Pattern.compile("", Pattern.CASE_INSENSITIVE),

            // src='...'
            // NOTE(review): the trailing lazy group (.*?) can match zero characters, so
            // this entry removes only the "src=" token (with any CR/LF around "=") and
            // leaves the attribute value in place. Because it runs first, the quoted
            // forms immediately below never see a remaining "src=" to match.
            Pattern.compile("src[\r\n]*=[\r\n]*(.*?)",
                    Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL),
            Pattern.compile("src[\r\n]*=[\r\n]*\\\'(.*?)\\\'",
                    Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL),
            Pattern.compile("src[\r\n]*=[\r\n]*\\\"(.*?)\\\"",
                    Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL),

            // lonely script tags
            // NOTE(review): both entries are empty patterns as shown — see the note above.
            Pattern.compile("", Pattern.CASE_INSENSITIVE),
            Pattern.compile("",
                    Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL),

            // eval(...)
            // Lazy group with DOTALL: removes from "eval(" up to the first ")".
            Pattern.compile("eval\\((.*?)\\)",
                    Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL),

            // expression(...)
            // Same shape as the eval entry: "expression(" through the first ")".
            Pattern.compile("expression\\((.*?)\\)",
                    Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL),

            // javascript:...
            // Removes only the literal scheme prefix; whatever follows it is kept.
            Pattern.compile("javascript:", Pattern.CASE_INSENSITIVE),

            // vbscript:...
            // Removes only the literal scheme prefix; whatever follows it is kept.
            Pattern.compile("vbscript:", Pattern.CASE_INSENSITIVE),

            // onload=...
            // With DOTALL the lazy group spans newlines, so this deletes everything from
            // "onload" to the next "=" wherever that "=" occurs, not just the attribute.
            Pattern.compile("onload(.*?)=",
                    Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL)};

    // Static utility holder; not instantiable.
    private XssUtils() {
    }

    /**
     * Filters XSS attack content; the default policy uses Jsoup's {@code Whitelist}.
     *
     * <p>Blank input (as judged by {@code StringUtils.isBlank}, which includes
     * {@code null}) is returned unchanged. Otherwise NUL characters are removed and
     * the result of {@code Jsoup.clean(value, Whitelist.basic())} is returned.
     *
     * <p>NOTE(review): newer jsoup releases rename {@code Whitelist} to
     * {@code Safelist}; check which one the project's jsoup version provides.
     *
     * @param content the input string; may be {@code null}
     * @return the filtered content, or {@code content} itself when it is blank
     */
    public static String strip(String content) {
        if (StringUtils.isBlank(content)) {
            return content;
        }
        // Drop NUL bytes before handing the text to the HTML cleaner.
        String value = content.replace(AVOID, StringUtils.EMPTY);
        return Jsoup.clean(value, Whitelist.basic());
    }

    /**
     * Filters XSS attack content using regular-expression filtering.
     *
     * <p>Blank input (as judged by {@code StringUtils.isBlank}, which includes
     * {@code null}) is returned unchanged. Otherwise NUL characters are removed and
     * every pattern in {@link #patterns} is applied in order, each deleting all of
     * its matches. The output is not HTML-encoded; only the listed fragments are cut.
     *
     * @param content the input string; may be {@code null}
     * @return the filtered content, or {@code content} itself when it is blank
     */
    public static String stripRegex(String content) {
        if (StringUtils.isBlank(content)) {
            return content;
        }

        String value = content.replace(AVOID, StringUtils.EMPTY);
        // Order matters: each pattern sees the output of the previous one.
        for (Pattern scriptPattern : patterns) {
            value = scriptPattern.matcher(value).replaceAll(StringUtils.EMPTY);
        }
        return value;
    }

}



