創建過濾器（XssFilter）
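import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import java.io.IOException;
import java.util.ArrayList;
import java.util.List;

/**
 * Servlet filter that wraps every HTTP request in {@link XssWarper} so that parameter values are
 * HTML-escaped before the application reads them.
 *
 * <p>Requests whose context-relative path starts with one of the prefixes configured in the
 * {@code ignores} init-param (comma-separated, entries trimmed, blanks dropped) are passed down the
 * chain untouched. The match is a plain prefix test on the raw request URI minus the context path;
 * the URI is neither decoded nor normalised here.
 */
public class XssFilter implements Filter {

    /** Context-relative path prefixes that bypass escaping; filled from the "ignores" init-param. */
    List<String> prefixIignores = new ArrayList<>();

    /**
     * Reads the optional {@code ignores} init-param into {@link #prefixIignores}.
     *
     * @param filterConfig filter configuration supplied by the container
     * @throws ServletException never thrown here; declared by the {@link Filter} contract
     */
    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
        System.out.println("xss過濾器的初始化操作");
        // Corresponds to the <init-param> in web.xml. The parameter is optional: without this guard a
        // missing entry would NPE in split() and prevent the filter (and the web app) from starting.
        String ignoresParam = filterConfig.getInitParameter("ignores");
        if (ignoresParam == null) {
            return;
        }
        for (String entry : ignoresParam.split(",")) {
            String prefix = entry.trim();
            // A blank entry (trailing comma, empty value) is a prefix of every path and would
            // silently switch the filter off for the whole application.
            if (!prefix.isEmpty()) {
                prefixIignores.add(prefix);
            }
        }
    }

    /**
     * Passes ignored requests straight through; wraps every other HTTP request in {@link XssWarper}.
     * Non-HTTP requests are forwarded unchanged instead of failing on the cast.
     */
    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        if (!(request instanceof HttpServletRequest)) {
            chain.doFilter(request, response);
            return;
        }
        HttpServletRequest req = (HttpServletRequest) request;
        if (canIgnore(req)) {
            chain.doFilter(request, response);
        } else {
            // Hand the escaping wrapper, not the raw request, to the rest of the chain.
            chain.doFilter(new XssWarper(req), response);
        }
    }

    @Override
    public void destroy() {
        System.out.println("xss過濾器的銷燬");
    }

    /**
     * Returns {@code true} when the request's context-relative path starts with one of the configured
     * prefixes. A prefix test (rather than a suffix test) is used because an arbitrary URI that merely
     * ends with an ignored value must not escape the filter.
     *
     * @param request the HTTP request being filtered
     * @return whether the request should bypass escaping
     */
    private boolean canIgnore(HttpServletRequest request) {
        String uri = request.getRequestURI();
        String contextPath = request.getContextPath();
        String path = uri;
        // getRequestURI() includes the context path; the configured prefixes are context-relative.
        if (contextPath != null && !contextPath.isEmpty() && uri.startsWith(contextPath)) {
            path = uri.substring(contextPath.length());
        }
        for (String ignore : prefixIignores) {
            if (path.startsWith(ignore)) {
                return true;
            }
        }
        return false;
    }
}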
創建XssWarper
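import cn.jiguang.common.utils.StringUtils;
import org.springframework.web.util.HtmlUtils;
import javax.servlet.ServletInputStream;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import java.io.IOException;
import java.util.ArrayList;
import java.util.Collections;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Set;

/**
 * Request wrapper that HTML-escapes parameter values on the way out so reflected input cannot carry
 * markup into views.
 *
 * <p>All parameter accessors ({@link #getParameter}, {@link #getParameterValues},
 * {@link #getParameterMap}, {@link #getParameterNames}) read from one internal map, so parameters
 * added through {@link #addParameter} are visible through every accessor and every accessor applies
 * the same escaping rule. Raw values are stored; escaping happens on read.
 */
public class XssWarper extends HttpServletRequestWrapper {

    /** Snapshot of the wrapped request's parameters plus any added later; values are held unescaped. */
    private final Map<String, String[]> params = new HashMap<String, String[]>();

    /**
     * Parameter names returned without escaping. "content" carries rich-text (HTML) input that must be
     * preserved verbatim. Names are matched exactly: the former substring test let any parameter whose
     * name is contained in "content" (e.g. "con", "t") bypass escaping.
     * (Author MC, 2019/11/25.)
     */
    private static final Set<String> NO_CHECK_PARAMS = Collections.singleton("content");

    /**
     * Wraps {@code request} and snapshots its parameter map.
     *
     * @param request the request to wrap
     */
    public XssWarper(HttpServletRequest request) {
        super(request);
        this.params.putAll(request.getParameterMap());
    }

    /**
     * Wraps {@code request} and merges {@code extendParams} into the parameter map.
     * A value already present on the request takes precedence over the supplied extension value
     * for the same name; {@code extendParams} is updated in place to reflect that, as before.
     *
     * @param request      the request to wrap
     * @param extendParams extra parameters to expose; mutated for keys the request already carries
     * @throws IOException declared for compatibility with existing callers; not thrown here
     */
    public XssWarper(HttpServletRequest request, Map<String, String[]> extendParams) throws IOException {
        this(request);
        // Iterate over a copy of the keys so the put() below can never disturb the iteration.
        for (String key : new ArrayList<String>(extendParams.keySet())) {
            String val = this.getParameter(key);
            if (StringUtils.isNotEmpty(val)) {
                extendParams.put(key, new String[] {val});
            }
        }
        addAllParameters(extendParams);
    }

    /**
     * Returns the first value of {@code name}, HTML-escaped unless the name is in
     * {@link #NO_CHECK_PARAMS}; {@code null} when absent.
     */
    @Override
    public String getParameter(String name) {
        String[] values = params.get(name);
        String val = (values == null || values.length == 0) ? null : values[0];
        if (NO_CHECK_PARAMS.contains(name)) {
            return val;
        }
        return escape(val);
    }

    /**
     * Returns every value of {@code name}, each HTML-escaped unless the name is in
     * {@link #NO_CHECK_PARAMS}; {@code null} when absent. Escaping here matters because data binders
     * commonly read multi-valued parameters through this accessor rather than {@link #getParameter}.
     */
    @Override
    public String[] getParameterValues(String name) {
        String[] values = params.get(name);
        if (values == null || NO_CHECK_PARAMS.contains(name)) {
            return values;
        }
        String[] escaped = new String[values.length];
        for (int i = 0; i < values.length; i++) {
            escaped[i] = escape(values[i]);
        }
        return escaped;
    }

    /** Returns an unmodifiable view of all parameters with the same escaping as {@link #getParameterValues}. */
    @Override
    public Map<String, String[]> getParameterMap() {
        Map<String, String[]> escaped = new LinkedHashMap<String, String[]>();
        for (String name : params.keySet()) {
            escaped.put(name, getParameterValues(name));
        }
        return Collections.unmodifiableMap(escaped);
    }

    /** Returns the names of all parameters known to this wrapper, including added ones. */
    @Override
    public Enumeration<String> getParameterNames() {
        return Collections.enumeration(params.keySet());
    }

    /**
     * Adds every entry of {@code otherParams}, replacing existing values with the same name.
     *
     * @param otherParams parameters to add
     */
    public void addAllParameters(Map<String, String[]> otherParams) {
        for (Map.Entry<String, String[]> entry : otherParams.entrySet()) {
            addParameter(entry.getKey(), entry.getValue());
        }
    }

    /**
     * Adds a single parameter. A {@code String[]} is stored as is, a {@code String} as a one-element
     * array, any other non-null value via {@link String#valueOf(Object)}; {@code null} is ignored.
     *
     * @param name  parameter name
     * @param value parameter value(s), or {@code null} to do nothing
     */
    public void addParameter(String name, Object value) {
        if (value == null) {
            return;
        }
        if (value instanceof String[]) {
            params.put(name, (String[]) value);
        } else if (value instanceof String) {
            params.put(name, new String[] {(String) value});
        } else {
            params.put(name, new String[] {String.valueOf(value)});
        }
    }

    /** HTML-escapes {@code val}; {@code null} and empty strings are returned unchanged. */
    private static String escape(String val) {
        if (StringUtils.isNotEmpty(val)) {
            // Encode every outgoing string so it renders as text, not markup.
            return HtmlUtils.htmlEscape(val);
        }
        return val;
    }
}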
web.xml中註冊過濾器,請注意與其他過濾器的先後順序
<!--
  Registers XssFilter for every request path. Filters run in the order their <filter-mapping>
  elements appear in web.xml, so position this mapping relative to other filters deliberately.
  "ignores" is a comma-separated list of request paths that bypass escaping (file-upload endpoints
  here); XssFilter trims each entry, so the surrounding whitespace and line breaks are harmless.
  See XssFilter.canIgnore for how an entry is matched against the request URI. The filter-class
  must name the package the class is actually compiled into; the XssFilter listing above shows no
  package declaration.
-->
<filter>
    <filter-name>xssFilter</filter-name>
    <filter-class>com.jeeplus.common.filter.XssFilter</filter-class>
    <init-param>
        <param-name>ignores</param-name>
        <param-value>
            /core/sysAppVersion/uploader,
            /app/fileUpload/upload
        </param-value>
    </init-param>
</filter>
<filter-mapping>
    <filter-name>xssFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>