Solution of JSP Struts Filtering xss Attack
- 2021-12-12 09:24:22
- OfStack
This scheme uses a Struts2 interceptor to filter every request: the submitted parameters are HTML-escaped (transcoded) before they reach the action, so markup in user input is neutralised centrally instead of in each action.
Configuring struts.xml
<package name="default" namespace="/"
         extends="struts-default, json-default">
    <!-- Configure interceptors -->
    <interceptors>
        <!-- Define the xss interceptor -->
        <interceptor name="xssInterceptor" class="... Fill in the interceptor class name here "></interceptor>
        <!-- Define an interceptor stack that includes the xss interceptor -->
        <interceptor-stack name="myDefault">
            <interceptor-ref name="xssInterceptor"></interceptor-ref>
            <interceptor-ref name="defaultStack"></interceptor-ref>
        </interceptor-stack>
    </interceptors>
    <!-- This must be configured, otherwise the interceptor will not take effect -->
    <default-interceptor-ref name="myDefault"></default-interceptor-ref>
    <action>
        ... n actions omitted here
    </action>
</package>
Java code for the interceptor implementation class:
import java.util.Map;
import org.apache.commons.lang3.StringEscapeUtils;
import com.opensymphony.xwork2.ActionContext;
import com.opensymphony.xwork2.ActionInvocation;
import com.opensymphony.xwork2.interceptor.AbstractInterceptor;

public class XssInterceptor extends AbstractInterceptor {
    @Override
    public String intercept(ActionInvocation invocation) throws Exception {
        ActionContext actionContext = invocation.getInvocationContext();
        Map<String, Object> map = actionContext.getParameters();
        for (Map.Entry<String, Object> entry : map.entrySet()) {
            Object raw = entry.getValue();
            if (!(raw instanceof String[])) {
                continue; // only plain request parameters (String[]) are escaped
            }
            String[] values = (String[]) raw;
            String[] escaped = new String[values.length];
            for (int i = 0; i < values.length; i++) {
                // Transcode every submitted value, not only the first element
                escaped[i] = values[i] == null ? null : StringEscapeUtils.escapeHtml4(values[i]);
            }
            entry.setValue(escaped); // keep the String[] shape that Struts expects for parameters
        }
        return invocation.invoke();
    }
}
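The following is an added example, not code from the original post: it runs the same per-parameter escaping the interceptor applies on a constructed parameter map, without a Struts container, so you can check what escapeHtml4 does and does not cover. The class name XssEscapeDemo and the helper escapeParameters are assumptions made for this example.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import org.apache.commons.lang3.StringEscapeUtils;

// Added example (not from the original post); class and method names are assumptions.
public class XssEscapeDemo {

    /** Escape every value of every parameter, keeping the String[] shape Struts expects. */
    static Map<String, Object> escapeParameters(Map<String, Object> params) {
        Map<String, Object> out = new LinkedHashMap<>();
        for (Map.Entry<String, Object> e : params.entrySet()) {
            Object v = e.getValue();
            if (v instanceof String[]) {
                String[] src = (String[]) v;
                String[] dst = new String[src.length];
                for (int i = 0; i < src.length; i++) {
                    dst[i] = src[i] == null ? null : StringEscapeUtils.escapeHtml4(src[i]);
                }
                out.put(e.getKey(), dst);
            } else {
                out.put(e.getKey(), v); // non-string entries (e.g. uploaded files) are left untouched
            }
        }
        return out;
    }

    public static void main(String[] args) {
        // Constructed sample request parameters, as the servlet container would deliver them
        Map<String, Object> params = new LinkedHashMap<>();
        params.put("name", new String[] { "O'Brien & Sons <b>" });
        params.put("tags", new String[] { "a<b", "c>d" }); // multi-valued parameter

        Map<String, Object> escaped = escapeParameters(params);
        String name = ((String[]) escaped.get("name"))[0];
        String[] tags = (String[]) escaped.get("tags");

        // <, >, & and " become entities; escapeHtml4 leaves the apostrophe alone,
        // so a value placed inside a single-quoted attribute is not covered by this filter.
        System.out.println(name);
        // Both elements are escaped, not only the first one.
        System.out.println(tags[0] + " " + tags[1]);

        // Caveat: the value is now stored pre-escaped. A view that also escapes on output
        // (the default for Struts tags such as <s:property>) encodes it a second time.
        System.out.println(StringEscapeUtils.escapeHtml4(name));
    }
}
```

Compile with commons-lang3 on the classpath; the third printed line shows the double encoding you get when input-side escaping is combined with output-side escaping.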