開發時間 2016-03-02日
項目地點:深圳
開發人員 yekang
在web.xml中配置過濾器
<!-- <filter>
<filter-name>XSSFilter</filter-name>
<filter-class> com.palic.elis.ceis.common.filter.XssFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>XSSFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping> -->
創建類
package com.palic.elis.ceis.common.filter;
import java.io.IOException;
import java.util.LinkedHashMap;
import java.util.Map;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
public class XssFilter implements Filter {
// XSS處理Map
private static Map<String, String> xssMap = new LinkedHashMap<String, String>();
@Override
public void destroy() {
}
@Override
public void doFilter(ServletRequest request, ServletResponse response,
FilterChain chain) throws IOException, ServletException {
// TODO Auto-generated method stub
// 強制類型轉換 HttpServletRequest
HttpServletRequest httpReq = (HttpServletRequest) request;
// 構造HttpRequestWrapper對象處理XSS
HttpRequestWrapper httpReqWarp = new HttpRequestWrapper(httpReq, xssMap);
//
chain.doFilter(httpReqWarp, response);
}
@Override
public void init(FilterConfig filterConfig) throws ServletException {
// 含有腳本: script
xssMap.put("[s|S][c|C][r|R][i|I][p|P][t|T]", "");
// 含有腳本 javascript
xssMap.put(
"[\\\"\\\'][\\s]*[j|J][a|A][v|V][a|A][s|S][c|C][r|R][i|I][p|P][t|T]:(.*)[\\\"\\\']",
"\"\"");
// 含有函數: eval
xssMap.put("[e|E][v|V][a|A][l|L]\\((.*)\\)", "");
// 含有符號 <
xssMap.put("<", "<");
// 含有符號 >
xssMap.put(">", ">");
// 含有符號 (
xssMap.put("\\(", "(");
System.out.println("1111111111111");
// 含有符號 )
xssMap.put("\\)", ")");
// 含有符號 '
xssMap.put("'", "'");
// 含有符號 "
xssMap.put("\"", "\"");
System.out.println("22222222222222");
}
}
創建類
package com.palic.elis.ceis.common.filter;
import java.util.Map;
import java.util.Set;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
public class HttpRequestWrapper extends HttpServletRequestWrapper {
private Map<String, String> xssMap;
public HttpRequestWrapper(HttpServletRequest Request) {
super(Request);
}
public HttpRequestWrapper(HttpServletRequest request,
Map<String, String> xssMap) {
super(request);
this.xssMap = xssMap;
}
@Override
public String[] getParameterValues(String parameter) {
String[] values = super.getParameterValues(parameter);
if (values == null||values.length == 0) {
return null;
}
// 遍歷每一個參數,檢查是否含有
for (int i = 0; i < values.length; i++) {
values[i] = cleanXSS(values[i]);
}
return values;
}
public String getParameter(String parameter) {
String value = super.getParameter(parameter);
if (value == null) {
return null;
}
return cleanXSS(value);
}
public String getHeader(String name) {
String value = super.getHeader(name);
if (value == null)
return null;
return cleanXSS(value);
}
private String cleanXSS(String value) {
Set<String> keySet = xssMap.keySet();
for (String key : keySet) {
String v = xssMap.get(key);
value = value.replaceAll(key, v);
}
return value;
}
}