HttpServletRequestWrapper 實現xss注入
阿新 • • 發佈:2018-12-14
自定義一個wapper 實現 HttpServletRequestWrapper
package cn.baozun.crm.task.filter; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletRequestWrapper; /** * * <p>xss過濾</p> * @author dexter.qin * @version $Id: XssHttpServletRequestWrapper.java, v 0.1 2014-2-27 下午2:28:30 qinde Exp $ */ public class XssHttpServletRequestWrapper extends HttpServletRequestWrapper { HttpServletRequest orgRequest = null; public XssHttpServletRequestWrapper(HttpServletRequest request) { super(request); orgRequest = request; } /** * 覆蓋getParameter方法,將引數名和引數值都做xss過濾。<br/> * 如果需要獲得原始的值,則通過super.getParameterValues(name)來獲取<br/> * getParameterNames,getParameterValues和getParameterMap也可能需要覆蓋 */ @Override public String getParameter(String name) { String value = super.getParameter(xssEncode(name)); if (value != null) { value = xssEncode(value); } return value; } /** * 覆蓋getHeader方法,將引數名和引數值都做xss過濾。<br/> * 如果需要獲得原始的值,則通過super.getHeaders(name)來獲取<br/> * getHeaderNames 也可能需要覆蓋 */ @Override public String getHeader(String name) { String value = super.getHeader(xssEncode(name)); if (value != null) { value = xssEncode(value); } return value; } /** * 將容易引起xss漏洞的半形字元直接替換成全形字元 * * @param s * @return */ private static String xssEncode(String s) { if (s == null || "".equals(s)) { return s; } StringBuilder sb = new StringBuilder(s.length() + 16); for (int i = 0; i < s.length(); i++) { char c = s.charAt(i); switch (c) { case '>': sb.append('>');//全形大於號 break; case '<': sb.append('<');//全形小於號 break; case '\'': sb.append('‘');//全形單引號 break; case '\"': sb.append('“');//全形雙引號 break; case '&': sb.append('&');//全形 break; case '\\': sb.append('\');//全形斜線 break; case '#': sb.append('#');//全形井號 break; default: sb.append(c); break; } } return sb.toString(); } /** * 獲取最原始的request * * @return */ public HttpServletRequest getOrgRequest() { return orgRequest; } /** * 獲取最原始的request的靜態方法 * * @return */ public static HttpServletRequest getOrgRequest(HttpServletRequest req) { if (req instanceof XssHttpServletRequestWrapper) { return ((XssHttpServletRequestWrapper) req).getOrgRequest(); } return req; } public static void main(String[] args) { System.out.println(XssHttpServletRequestWrapper.xssEncode("<script>alert(1)</script>")); } }
自定義過濾器
package cn.baozun.crm.task.filter; import java.io.IOException; import javax.servlet.Filter; import javax.servlet.FilterChain; import javax.servlet.FilterConfig; import javax.servlet.ServletException; import javax.servlet.ServletRequest; import javax.servlet.ServletResponse; import javax.servlet.http.HttpServletRequest; /** * * <p>攔截防止sql注入、xss注入 </p> * @author dexter.qin * @version $Id: XssFilter.java, v 0.1 2014-2-27 下午2:29:14 qinde Exp $ */ public class XssFilter implements Filter { /* (non-Javadoc) * @see javax.servlet.Filter#doFilter(javax.servlet.ServletRequest, javax.servlet.ServletResponse, javax.servlet.FilterChain) */ public void doFilter(ServletRequest request, ServletResponse response, FilterChain filterChain) throws IOException, ServletException { XssHttpServletRequestWrapper xssRequest = new XssHttpServletRequestWrapper( (HttpServletRequest) request); filterChain.doFilter(xssRequest, response); } @Override public void destroy() { } @Override public void init(FilterConfig arg0) throws ServletException { } }