1.前台处理(容易绕过):
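<script type="text/javascript">
// Client-side "cleaning" of the current URL.
// This runs in the visitor's browser and can be disabled or bypassed (e.g. by
// sending the request directly), so it is not a security control; the
// server-side filter, parameterized queries and output encoding are what count.
$(document).ready(function () {
    var url = window.location.href;
    var stripped = HTMLEnCode(url);
    // Only navigate when something was actually removed: assigning the same
    // href back to window.location reloads the page, so the original
    // unconditional assignment reloaded every page in an endless loop.
    if (stripped !== url) {
        window.location.href = stripped;
    }
});

/**
 * Removes the characters this page treats as dangerous
 * (& < > space " ' / ( ) =) from str and returns the result.
 * Returns "" for an empty string.
 *
 * The original version was not parseable: "///g" starts a line comment,
 * and "/(/g" and "/)/g" are invalid regular expressions (unescaped group
 * delimiters); a stray "});" also followed the function. It mapped "&" to
 * ">" and then removed ">", which nets out to removing "&", and listed the
 * space rule twice. All rules are folded into one character class here.
 *
 * Caveat: stripping "/" and "=" from a URL mangles its path and query
 * string, so the redirect above does not produce a usable address for
 * most pages.
 */
function HTMLEnCode(str) {
    if (str.length == 0) return "";
    return str.replace(/[&<> "'\/()=]/g, "");
}
</script>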
2.后台处理:
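/**
 * Blacklist filter that removes characters commonly used in SQL and script
 * injection payloads: {@code | & ; $ % @ ' " < > ( ) + , \ #}.
 * <p>
 * The original version built each regex with a single backslash
 * ({@code "(\|)"}, {@code "(\$)"}, ...), which are illegal Java escape
 * sequences, and {@code "(\\)"} compiles to an unterminated regex escape,
 * so the method did not compile. The sixteen {@code replaceAll} calls are
 * folded into one character class. CR and LF were commented out in the
 * original and are deliberately still not stripped.
 * <p>
 * Removing characters is not a substitute for {@code PreparedStatement}
 * parameters or context-aware output encoding: it only reduces injection
 * risk and also silently alters legitimate input that contains these
 * characters.
 *
 * @param str the input to filter; may be {@code null}
 * @return {@code str} with the listed characters removed, or {@code null}
 *         when {@code str} is {@code null}
 */
public static String dangerousCharacterFilter(String str) {
    if (str == null) {
        return null;
    }
    // Inside a character class only the backslash needs escaping:
    // "\\\\" in Java source reaches the regex engine as "\\", i.e. one
    // literal backslash.
    return str.replaceAll("[|&;$%@'\"<>()+,\\\\#]", "");
}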
3.添加过滤器(暂时没做)