1. 程式人生 > >Filter攔截【Request】處理特殊字元、跨站指令碼

Filter攔截【Request】處理特殊字元、跨站指令碼

處理類:繼承 HttpServletRequestWrapper

package ***;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;

public class XssHttpServletRequest extends HttpServletRequestWrapper{

	public XssHttpServletRequest(HttpServletRequest request) {
		super(request);
	}
	
	 @Override  
     public String getParameter(String name) {  
		if((name.equals("userName")) || (name.equals("passWord")) || (name.contains("saltvalue"))){
	    	return super.getParameter(name);
    	}else{
    		return cleanXSS(super.getParameter(name));  
    	}
     }  
  
     @Override  
     public String[] getParameterValues(String name) {  
    	if((name.equals("userName")) || (name.equals("passWord")) || (name.contains("saltvalue"))){
    		return super.getParameterValues(name);
    	}else{
    		String[] values = super.getParameterValues(name);  
    		if(values != null) {  
    			int length = values.length;  
    			String[] escapseValues = new String[length];  
    			for(int i = 0; i < length; i++){  
    				escapseValues[i] = cleanXSS(values[i]);  
    			}  
    			return escapseValues;  
    		}  
    		return super.getParameterValues(name);  
    	}
     }
     
     /**
 	 * 清除XSS程式碼攻擊
 	 * @param value(清除XSS程式碼前)
 	 * @return value(清除XSS程式碼後)
 	 */
 	private String cleanXSS(String value)  
     {  
 		if(value==null){
 			return value;
 		}
        /* value = value.replaceAll("<", "");
         value = value.replaceAll(">", "");
         value = value.replaceAll("\\(", "");
         value = value.replaceAll("\\)", "");*/
         value = value.replaceAll("&", "");
         value = value.replaceAll("$", "");
        /* value = value.replaceAll("\"", "");
         value = value.replaceAll("\'", "");
         value = value.replaceAll("\\+", "");*/
         value = value.replaceAll("eval\\((.*)\\)", "");
         value = value.replaceAll("[\\\"<a>\\\'][\\s]*javascript:(.*)[\\\"\\\'</a>]", "\"\"");
         value = value.replaceAll("javascript", "");
         value = value.replaceAll("script", "");
         value = value.replaceAll("alert", "");
         return value;  
     }
}

攔截器:實現Filter

package ***;

import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import org.apache.log4j.Logger;
import com.chinaums.dc.common.util.XssHttpServletRequest;

public class XSSFilter implements Filter{
	
	public static final Logger logger = Logger.getLogger(XSSFilter.class);
	
	@SuppressWarnings("xxx")
	private FilterConfig filterConfig;

	@Override
	public void init(FilterConfig filterConfig) throws ServletException {
		this.filterConfig = filterConfig;
	}

	@Override
	public void doFilter(ServletRequest request, ServletResponse response,
			FilterChain chain) throws IOException, ServletException {
		String encoding = request.getCharacterEncoding();  
		if(encoding==null){
			request.setCharacterEncoding("UTF-8");
		}
		HttpServletRequest hreq=(HttpServletRequest) request;
        chain.doFilter(new XssHttpServletRequest(hreq), response);  
	}

	@Override
	public void destroy() {
		
	}
}

配置檔案:

  <filter>
    <filter-name>xssfilter</filter-name>
    <filter-class>com.chinaums.dc.common.filter.XSSFilter</filter-class>
  </filter>
  <filter-mapping>
    <filter-name>xssfilter</filter-name>
    <url-pattern>*.do</url-pattern>
  </filter-mapping>