Solution of JSP Struts Filtering xss Attack

  • 2021-12-12 09:24:22
  • OfStack

In this scheme a Struts 2 interceptor does the filtering: every submitted request parameter is HTML-escaped (transcoded) before the params interceptor of the default stack copies it onto the action, so markup such as <script> reaches the action, and anything it persists, as harmless entities. Two caveats apply. First, this is input encoding, a blunt stopgap: the standard fix for XSS is to encode at the point of output for the context the value lands in (HTML body, attribute, URL, JavaScript), and HTML entity encoding does nothing against a javascript: URL placed in an href. Second, escaping on the way in changes the stored data: a legitimate "Tom & Jerry" is persisted as "Tom &amp; Jerry", which double-encodes when a view escapes it again and leaks entities into CSV exports or JSON APIs. The interceptor also only rewrites the copy of the parameters held in the Struts ActionContext; JSP code that reads request.getParameter() or ${param.x} directly still sees the raw value.

Configuring struts.xml


<package name="default" namespace="/"
    extends="struts-default, json-default">
  <!-- Configure the interceptors -->
  <interceptors>
    <!-- Define the xss interceptor -->
    <interceptor name="xssInterceptor" class="... fill in the fully qualified interceptor class name here"></interceptor>
    <!-- Define an interceptor stack that runs the xss interceptor first, so the
         parameters are escaped before the params interceptor inside defaultStack
         copies them onto the action -->
    <interceptor-stack name="myDefault">
      <interceptor-ref name="xssInterceptor"></interceptor-ref>
      <interceptor-ref name="defaultStack"></interceptor-ref>
    </interceptor-stack>
  </interceptors>
  <!-- This must be configured, otherwise the stack above is never used: it becomes the
       default for every action in this package that does not declare its own
       interceptor-ref (an action that does declare one bypasses the xss interceptor) -->
  <default-interceptor-ref name="myDefault"></default-interceptor-ref>
  <!-- ... n actions omitted here -->
</package>

Java code: the interceptor implementation class (written against the Struts 2.3 API, where ActionContext.getParameters() returns a mutable Map<String, Object> whose values are String[]; Struts 2.5 replaced it with HttpParameters and this class would need adjusting)


import java.util.Map;

import org.apache.commons.lang3.StringEscapeUtils;

import com.opensymphony.xwork2.ActionContext;
import com.opensymphony.xwork2.ActionInvocation;
import com.opensymphony.xwork2.interceptor.AbstractInterceptor;

/**
 * HTML-escapes every request parameter before the params interceptor copies
 * them onto the action. Must be placed ahead of defaultStack in struts.xml.
 */
public class XssInterceptor extends AbstractInterceptor {

  @Override
  public String intercept(ActionInvocation invocation) throws Exception {
    ActionContext actionContext = invocation.getInvocationContext();
    // Struts 2.3: one String[] per parameter name (repeated names give several entries).
    Map<String, Object> params = actionContext.getParameters();
    for (Map.Entry<String, Object> entry : params.entrySet()) {
      Object value = entry.getValue();
      if (value instanceof String[]) {
        // Escape every value, not only the first, and keep the String[] type so the
        // params interceptor's type conversion (e.g. to String[] or List) still works.
        // A fresh array avoids mutating the container's own parameter arrays.
        String[] values = (String[]) value;
        String[] escaped = new String[values.length];
        for (int i = 0; i < values.length; i++) {
          escaped[i] = StringEscapeUtils.escapeHtml4(values[i]); // null stays null
        }
        entry.setValue(escaped);
      } else if (value instanceof String) {
        entry.setValue(StringEscapeUtils.escapeHtml4((String) value));
      }
    }
    return invocation.invoke();
  }
}
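Added example, not part of the original article: a JSP fragment showing which rendering paths the interceptor above actually covers. It assumes a hypothetical action with a String property named comment, bound by the params interceptor from a request parameter of the same name; the taglib declarations are the standard Struts 2 and JSTL ones.

```jsp
<%@ taglib prefix="s" uri="/struts-tags" %>
<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %>
<%-- Assumed (hypothetical) action property: String comment, set from ?comment=... --%>

<%-- 1. Covered twice: the interceptor escaped the value on its way into the action,
        and s:property escapes again by default (escapeHtml="true"). Safe, but a
        legitimate "Tom & Jerry" now renders as "Tom &amp;amp; Jerry", so the user
        sees the literal text "Tom &amp; Jerry". --%>
<p><s:property value="comment"/></p>

<%-- 2. Covered only by the interceptor: escapeHtml="false" writes the property as-is,
        which is safe here solely because the interceptor encoded it on input. --%>
<p><s:property value="comment" escapeHtml="false"/></p>

<%-- 3. NOT covered: EL and scriptlets read the servlet request itself, while the
        interceptor only rewrote the parameter copy held in the Struts ActionContext.
        A "<script>" payload arrives here unescaped. --%>
<p>${param.comment}</p>
<p><%= request.getParameter("comment") %></p>

<%-- 4. NOT covered: HTML entity encoding is the wrong encoding for a URL context.
        "javascript:alert(1)" contains no character escapeHtml4 touches, so it passes
        both the interceptor and the tag unchanged and executes on click. --%>
<a href="<s:property value="comment"/>">link</a>

<%-- 5. The output-side defence to use instead of, or alongside, the interceptor:
        encode at the point of output for the context in use. c:out escapes HTML/XML
        by default; Struts' request wrapper resolves "comment" from the value stack. --%>
<p><c:out value="${comment}"/></p>
```

Cases 3 and 4 are the ones to check for when auditing an application that relies on this interceptor: grep the JSPs for ${param., request.getParameter and any user-controlled value written into href, src, on* attributes or inline script, because none of those are made safe by escaping the ActionContext parameters.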

Thank you for reading. I hope this helps, and thank you for your support of this site!

