富文本编辑器过滤XSS攻击_富文本编辑器防止xss攻击

考虑到富文本编辑器可以直接在源代码里面写js代码，所以本文通过java过滤器，和字符串替换来做简单的防止。

一、后台添加过滤器

<!-- 防止CSS跨站脚本攻击: 本参数仅对各标签库生效如spring taglib/jstl/freemarker等 -->
<context-param>
    <param-name>defaultHtmlEscape</param-name>
    <param-value>true</param-value>
</context-param>
<filter>
    <filter-name>XssSqlFilter</filter-name>
    <filter-class>org.cdc.web.xss.XssFilter</filter-class>
</filter>
<filter-mapping>
    <filter-name>XssSqlFilter</filter-name>
    <url-patten>/*</url-patten>
    <dispatcher>REQUEST</dispatcher>
</filter-mapping>
<!-- 防止CSS跨站脚本攻击 -->

二、替换特殊字符

private String cleanXSS(String value){
    // You'll need to remove the spaces from the html entities below
    value = value .replaceAll("<","& lt;").replaceAll(">","& gt;");
    value = value.replaceAll("\\(","& #40;").replaceAll("\\)","& #41;");
    value = value.replaceAll("'","& #39;");
    value = value.replaceAll("eval\\((.*)\\)","");
    value = value.replaceAll("[\\\"\\\'][\\s]*javascript:(.*)[\\\"\\\']","\"\"");
    value = value.replaceAll("script","");
    value = value.trim();
    return value;
}