

package io.leopard.web.security.xss;

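/**
 * {@link XssChecker} that reports whether a value contains one of the
 * encoding markers listed in {@link #encodeList}.
 *
 * <p>The match is a plain, case-sensitive substring search on the value as
 * it is passed in; nothing is decoded first. What a {@code true} result
 * leads to (reject, log, escape) is decided by the caller and is not visible
 * in this class.
 */
public class XssCheckerEncodeImpl implements XssChecker {

	// Encoded spellings of <script>alert('ok');</script> that this checker was written with in mind.
	//
	// I. HTML escaping
	// 1. Decimal numeric character references: every character written as &#NN;
	//
	// 2. Hexadecimal numeric character references: every character written as &#xHH;
	//
	// II. JavaScript escaping
	// 1. Unicode escapes
	// \u003c\u0073\u0063\u0072\u0069\u0070\u0074\u003e\u0061\u006c\u0065\u0072\u0074\u0028\u0027\u006f\u006b\u0027\u0029\u003b\u003c\u002f\u0073\u0063\u0072\u0069\u0070\u0074\u003e
	//
	// 2. Hex (base16) escapes
	// \x3c\x73\x63\x72\x69\x70\x74\x3e\x61\x6c\x65\x72\x74\x28\x27\x6f\x6b\x27\x29\x3b\x3c\x2f\x73\x63\x72\x69\x70\x74\x3e
	//
	// III. URI (percent) encoding
	// %3Cscript%3Ealert('ok')%3B%3C%2Fscript%3E
	//
	// NOTE(review): only forms I.1, I.2 and II.1 are matched by encodeList below.
	// The hex-escape form (II.2) and percent-encoding (III) are listed above but have
	// no marker in the list, so a value using them passes this checker. "%" is
	// commented out, presumably because it is common in legitimate input; confirm
	// that another XssChecker or output encoding covers those two forms.

	// Markers searched for: "&#" starts an HTML numeric character reference,
	// backslash + 'u' starts a JavaScript Unicode escape.
	private static final String[] encodeList = { "&#", "\\u" };//, "%"

	/**
	 * Tests whether {@code value} contains any marker from {@link #encodeList}.
	 *
	 * @param value the text to inspect; may be {@code null}
	 * @return {@code true} if at least one marker occurs in {@code value};
	 *         {@code false} otherwise, including when {@code value} is
	 *         {@code null} or empty
	 */
	@Override
	public boolean check(String value) {
		// An absent value holds no marker; answering false here avoids a
		// NullPointerException when the checked input is missing.
		if (value == null || value.isEmpty()) {
			return false;
		}
		for (String marker : encodeList) {
			if (value.contains(marker)) {
				return true;
			}
		}
		return false;
	}

}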



