java防止xss指令碼注入攻擊,採用spring工具類方式
阿新 • • 發佈:2019-01-25
XSSRequestWrapper.java
import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletRequestWrapper; import org.apache.commons.lang.StringEscapeUtils; public class XSSRequestWrapper extends HttpServletRequestWrapper { public XSSRequestWrapper(HttpServletRequest request) { super(request); } /** * 處理引數值 */ @Override public String[] getParameterValues(String parameter) { String[] values = super.getParameterValues(parameter); if (values == null) { return null; } int count = values.length; String[] encodedValues = new String[count]; for (int i = 0; i < count; i++) { encodedValues[i] = dealString(values[i]); } return encodedValues; } @Override public String getParameter(String parameter) { String value = super.getParameter(parameter); return dealString(value); } @Override public String getHeader(String name) { String value = super.getHeader(name); return dealString(value); } private String dealString(String value) { if (value != null) { // 採用spring的StringEscapeUtils工具類 實現 StringEscapeUtils.escapeHtml(value); StringEscapeUtils.escapeJavaScript(value); StringEscapeUtils.escapeSql(value); } return value; } }
XSSFilter.java
import java.io.IOException; import javax.servlet.Filter; import javax.servlet.FilterChain; import javax.servlet.FilterConfig; import javax.servlet.ServletException; import javax.servlet.ServletRequest; import javax.servlet.ServletResponse; import javax.servlet.http.HttpServletRequest; /** * 防止xss攻擊 過濾器(順便過濾了 sql攻擊) */ public class XSSFilter implements Filter { @Override public void init(FilterConfig arg0) throws ServletException { } @Override public void destroy() { } @Override public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException { chain.doFilter(new XSSRequestWrapper((HttpServletRequest) request), response); } }