Filter攔截【Request】處理特殊字元、跨站指令碼
阿新 • • 發佈:2018-12-20
處理類:繼承 HttpServletRequestWrapper
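package ***; import java.util.regex.Pattern; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletRequestWrapper;

/**
 * Request wrapper that strips a small blacklist of XSS-related tokens from request parameters.
 *
 * <p>This is input filtering on a blacklist, so it is only a defense-in-depth measure: it does not
 * replace contextual output encoding in views, and it rewrites any legitimate value that happens to
 * contain one of the tokens (for example a word containing "script"). The wrapper only covers
 * {@link #getParameter} and {@link #getParameterValues}; headers, the query string and
 * {@code getParameterMap()} are returned unfiltered.
 */
public class XssHttpServletRequest extends HttpServletRequestWrapper {

    /** Parameter names that are returned untouched: credentials and salt values must not be altered. */
    private static final String USER_NAME_PARAM = "userName";
    private static final String PASSWORD_PARAM = "passWord";
    private static final String SALT_PARAM_FRAGMENT = "saltvalue";

    // Patterns are compiled once; (?i) makes the match case-insensitive because HTML tags and
    // URL schemes are themselves case-insensitive.
    private static final Pattern EVAL_CALL = Pattern.compile("(?i)eval\\((.*)\\)");
    private static final Pattern JAVASCRIPT_URL =
            Pattern.compile("(?i)[\\\"<a>\\\'][\\s]*javascript:(.*)[\\\"\\\'</a>]");
    private static final Pattern JAVASCRIPT_TOKEN = Pattern.compile("(?i)javascript");
    private static final Pattern SCRIPT_TOKEN = Pattern.compile("(?i)script");
    private static final Pattern ALERT_TOKEN = Pattern.compile("(?i)alert");

    /**
     * Wraps the given request.
     *
     * @param request the request to wrap
     */
    public XssHttpServletRequest(HttpServletRequest request) {
        super(request);
    }

    /**
     * Returns the parameter value, sanitised unless the parameter is on the exemption list.
     *
     * @param name parameter name
     * @return the (possibly sanitised) value, or null if the parameter is absent
     */
    @Override
    public String getParameter(String name) {
        String raw = super.getParameter(name);
        return isExempt(name) ? raw : cleanXSS(raw);
    }

    /**
     * Returns all values of the parameter, each sanitised unless the parameter is exempt.
     *
     * @param name parameter name
     * @return the (possibly sanitised) values, or null if the parameter is absent
     */
    @Override
    public String[] getParameterValues(String name) {
        String[] values = super.getParameterValues(name);
        if (isExempt(name) || values == null) {
            return values;
        }
        String[] cleaned = new String[values.length];
        for (int i = 0; i < values.length; i++) {
            cleaned[i] = cleanXSS(values[i]);
        }
        return cleaned;
    }

    /**
     * Tells whether a parameter bypasses sanitisation.
     *
     * <p>Exempt values reach the application unmodified, so they must never be echoed into a
     * page without output encoding.
     *
     * @param name parameter name (null is treated as not exempt)
     * @return true for the user name, password and any salt-value parameter
     */
    private static boolean isExempt(String name) {
        return name != null
                && (name.equals(USER_NAME_PARAM)
                        || name.equals(PASSWORD_PARAM)
                        || name.contains(SALT_PARAM_FRAGMENT));
    }

    /**
     * Strips the blacklisted tokens from one parameter value.
     *
     * <p>Angle brackets, parentheses, quotes and "+" are deliberately left in place; removing
     * them had been tried and disabled by the original author. Removal is a single pass and is
     * not idempotent, so the result should still be encoded on output.
     *
     * @param value raw parameter value (may be null)
     * @return the value with blacklisted tokens removed, or null if {@code value} was null
     */
    private static String cleanXSS(String value) {
        if (value == null) {
            return null;
        }
        String cleaned = value.replace("&", "");
        // replace(), not replaceAll(): "$" is an end-of-input anchor in a regex, so the previous
        // replaceAll("$", "") removed nothing.
        cleaned = cleaned.replace("$", "");
        cleaned = EVAL_CALL.matcher(cleaned).replaceAll("");
        cleaned = JAVASCRIPT_URL.matcher(cleaned).replaceAll("\"\"");
        cleaned = JAVASCRIPT_TOKEN.matcher(cleaned).replaceAll("");
        cleaned = SCRIPT_TOKEN.matcher(cleaned).replaceAll("");
        cleaned = ALERT_TOKEN.matcher(cleaned).replaceAll("");
        return cleaned;
    }
}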
攔截器:實現Filter
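package ***; import java.io.IOException; import javax.servlet.Filter; import javax.servlet.FilterChain; import javax.servlet.FilterConfig; import javax.servlet.ServletException; import javax.servlet.ServletRequest; import javax.servlet.ServletResponse; import javax.servlet.http.HttpServletRequest; import org.apache.log4j.Logger; import com.chinaums.dc.common.util.XssHttpServletRequest;

/**
 * Servlet filter that wraps every HTTP request in an {@link XssHttpServletRequest} so that
 * downstream code reads sanitised parameters.
 *
 * <p>Which requests are filtered is decided by the {@code filter-mapping} in the deployment
 * descriptor; requests that do not match the mapping are not wrapped at all.
 */
public class XSSFilter implements Filter {

    public static final Logger logger = Logger.getLogger(XSSFilter.class);

    /** Stored from {@link #init(FilterConfig)} for completeness; not read by this filter. */
    @SuppressWarnings("unused")
    private FilterConfig filterConfig;

    /**
     * Remembers the filter configuration.
     *
     * @param filterConfig container-supplied configuration
     * @throws ServletException never thrown here; declared by the interface
     */
    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
        this.filterConfig = filterConfig;
    }

    /**
     * Applies a UTF-8 default encoding and passes an XSS-wrapped request down the chain.
     *
     * @param request  incoming request
     * @param response outgoing response
     * @param chain    remaining filter chain
     * @throws IOException      propagated from the chain
     * @throws ServletException propagated from the chain
     */
    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        // Set the encoding before any parameter is read; once parameters are parsed the
        // container ignores later changes.
        if (request.getCharacterEncoding() == null) {
            request.setCharacterEncoding("UTF-8");
        }
        // Only HTTP requests can be wrapped; anything else passes through unchanged instead of
        // failing with a ClassCastException.
        if (request instanceof HttpServletRequest) {
            chain.doFilter(new XssHttpServletRequest((HttpServletRequest) request), response);
        } else {
            chain.doFilter(request, response);
        }
    }

    /** Nothing to release. */
    @Override
    public void destroy() {
    }
}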
配置檔案:
<filter> <filter-name>xssfilter</filter-name> <filter-class>com.chinaums.dc.common.filter.XSSFilter</filter-class> </filter> <filter-mapping> <filter-name>xssfilter</filter-name> <url-pattern>*.do</url-pattern> </filter-mapping>