/**
|
* Copyright (c) 2011-2014, hubin (jobob@qq.com).
|
*
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
* you may not use this file except in compliance with the License.
|
* You may obtain a copy of the License at
|
*
|
* http://www.apache.org/licenses/LICENSE-2.0
|
*
|
* Unless required by applicable law or agreed to in writing, software
|
* distributed under the License is distributed on an "AS IS" BASIS,
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
* See the License for the specific language governing permissions and
|
* limitations under the License.
|
*/
|
package com.stylefeng.guns.core.support;
|
|
import java.util.regex.Pattern;
|
|
/**
|
* Web防火墙工具类
|
* <p>
|
* @author hubin
|
* @Date 2014-5-8
|
*/
|
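public class WafKit {

    /**
     * Blocklist patterns removed by {@link #stripXSS(String)}, applied in this order.
     * <p>
     * These are simple textual heuristics: no canonicalization (HTML-entity or
     * URL decoding) happens before matching, so encoded or otherwise obfuscated
     * variants are not recognised. Contextual output encoding at render time
     * remains the primary mitigation; this filter is defence in depth only.
     */
    private static final Pattern[] XSS_PATTERNS = {
        // Anything between a complete <script>...</script> pair (DOTALL so a
        // multi-line script body is removed too, matching the comment's intent).
        Pattern.compile("<script>(.*?)</script>", Pattern.CASE_INSENSITIVE | Pattern.DOTALL),
        // Any lonesome </script> tag.
        Pattern.compile("</script>", Pattern.CASE_INSENSITIVE),
        // Any lonesome <script ...> tag.
        Pattern.compile("<script(.*?)>", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL),
        // eval(...) expressions.
        Pattern.compile("eval\\((.*?)\\)", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL),
        // expression(...) expressions (CSS).
        Pattern.compile("expression\\((.*?)\\)", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL),
        // javascript: URL scheme.
        Pattern.compile("javascript:", Pattern.CASE_INSENSITIVE),
        // vbscript: URL scheme.
        Pattern.compile("vbscript:", Pattern.CASE_INSENSITIVE),
        // onload=... handlers. NOTE: with DOTALL this removes everything from
        // "onload" up to the next '=' anywhere in the input, which can eat
        // unrelated text; kept as-is because callers may rely on it.
        Pattern.compile("onload(.*?)=", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL),
    };

    /**
     * Heuristic for SQL comment / pipe sequences removed by
     * {@link #stripSqlInjection(String)}. The first alternative is greedy:
     * a quote followed later by {@code --} removes everything in between.
     * Parameterized queries are the real protection; this is only a coarse filter.
     */
    private static final Pattern SQL_PATTERN = Pattern.compile("('.+--)|(--)|(%7C)");

    /**
     * Removes a fixed set of script-related fragments from {@code value}.
     * <p>
     * Applies the patterns in {@link #XSS_PATTERNS} in order, after first
     * deleting NUL characters. The patterns are compiled once and reused
     * instead of being recompiled on every call.
     *
     * @param value content to filter; may be {@code null}
     * @return the filtered content, or {@code null} when {@code value} is {@code null}
     */
    public static String stripXSS(String value) {
        if (value == null) {
            return null;
        }

        // Canonicalization (e.g. ESAPI encoder().canonicalize) is intentionally
        // not performed here; the patterns below only see the raw input.

        // Remove NUL characters. The previous implementation called
        // replaceAll("", "") which is a no-op, so the comment's intent was never met.
        String result = value.replace("\0", "");

        for (Pattern pattern : XSS_PATTERNS) {
            result = pattern.matcher(result).replaceAll("");
        }
        return result;
    }

    /**
     * Removes SQL comment and pipe sequences ({@code '...--}, {@code --}, {@code %7C})
     * from {@code value}.
     *
     * @param value content to filter; may be {@code null}
     * @return the filtered content, or {@code null} when {@code value} is {@code null}
     */
    public static String stripSqlInjection(String value) {
        if (value == null) {
            return null;
        }
        return SQL_PATTERN.matcher(value).replaceAll("");
    }

    /**
     * Applies {@link #stripSqlInjection(String)} followed by {@link #stripXSS(String)}.
     *
     * @param value content to filter; may be {@code null}
     * @return the filtered content, or {@code null} when {@code value} is {@code null}
     */
    public static String stripSqlXSS(String value) {
        return stripXSS(stripSqlInjection(value));
    }

}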
|