1、Header Manipulation: filter the parameters taken from request headers
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public static String getFilePath(String path) {
    // Characters not allowed in a file path taken from a request header; \r and \n also stop header injection
    String regex = "[`~!@#$%^&*()+={}|:\"?><【】\r\n]";
    Pattern pa = Pattern.compile(regex);
    Matcher ma = pa.matcher(path);
    if (ma.find()) {
        path = ma.replaceAll("").trim();
    }
    // Unify separators, then drop parent-directory segments
    path = path.replace("\\", "/");
    path = path.replace("../", "");
    return path;
}
2、Cross-Site Scripting:
(1) Reflected: since this finding appears in both Java and JSP code, the code of the shared Java method and the shared JS method is attached
java:
import java.text.Normalizer;
import java.util.ArrayList;
import java.util.List;

// Characters stripped from reflected output
final static List<String> list = new ArrayList<>();
static {
    list.add("<");
    list.add(">");
    list.add("(");
    list.add(")");
    list.add("&");
    list.add("?");
    list.add(";");
}

public static String Filter(String output) {
    // NFKC normalization first, so full-width look-alikes such as ＜ are folded to < before filtering
    String encode = Normalizer.normalize(output, Normalizer.Form.NFKC);
    for (int i = 0; i < list.size(); i++) {
        // String.replace(CharSequence, CharSequence) replaces every occurrence
        encode = encode.replace(list.get(i), "");
    }
    return encode;
}
js:
charFilter(str: string): string {
    let charArray = ["<", ">", "(", ")", "&", "?", ";"];
    // NFKC normalization first, so full-width look-alikes are folded to ASCII before filtering
    let encode = str.normalize("NFKC");
    for (let i = 0; i < charArray.length; i++) {
        // split/join removes every occurrence; replace() with a string pattern only removes the first one
        encode = encode.split(charArray[i]).join("");
    }
    return encode;
}
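Stripping a list of characters changes legitimate content ("Tom & Jerry" loses its ampersand) and only covers the characters on the list, whereas HTML output encoding preserves the text and makes every occurrence inert in the HTML context. The example below is added here and is not code from the original post; it keeps the post's NFKC step, adds an `escapeHtml` encoder, and includes a corrected strip-based `charFilterAll` for comparison. All sample strings are constructed.

```javascript
// Added example (not from the original post): HTML output encoding for a
// reflected value, beside a corrected version of the post's strip filter.

// Same NFKC step the post uses, so full-width look-alikes such as
// U+FF1C "＜" are folded to "<" before encoding or filtering.
function normalizeInput(str) {
  return String(str).normalize("NFKC");
}

// Entities for the characters that matter in HTML text and attribute contexts.
const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#x27;",
  "/": "&#x2F;",
};

// Encode every occurrence (the g flag), keeping the original text readable.
function escapeHtml(str) {
  return normalizeInput(str).replace(/[&<>"'\/]/g, (ch) => HTML_ESCAPES[ch]);
}

// The post's strip-based filter with the first-occurrence-only behaviour of
// String.prototype.replace(string, ...) corrected via split/join.
function charFilterAll(str) {
  const chars = ["<", ">", "(", ")", "&", "?", ";"];
  let out = normalizeInput(str);
  for (const c of chars) {
    out = out.split(c).join("");
  }
  return out;
}

// Compare both approaches on one constructed reflected value.
function demo() {
  const reflected = '<b>"Tom & Jerry"</b>';
  return {
    encoded: escapeHtml(reflected),   // tags and quotes become entities
    stripped: charFilterAll(reflected), // "&" is lost from the visible text
  };
}
```

Use `escapeHtml` when the value is written into HTML text or a quoted attribute; a value placed inside a script block or a URL needs the encoder for that context instead.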