創建攔截器
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import java.io.IOException;
import java.util.ArrayList;
import java.util.List;
public class XssFilter implements Filter {
List<String> prefixIignores = new ArrayList<>();
@Override
public void init(FilterConfig filterConfig) throws ServletException {
System.out.println("xss過濾器的初始化操作");
//對應web.xml中init-param標籤體內容,放行的請求
String ignoresParam = filterConfig.getInitParameter("ignores");
String[] ignoreArray = ignoresParam.split(",");
for (String s : ignoreArray) {
prefixIignores.add(s.trim());
}
}
@Override
public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
throws IOException, ServletException {
HttpServletRequest req = (HttpServletRequest) request;
if (canIgnore(req)){
chain.doFilter(request,response);
}else {
XssWarper xssWarper = new XssWarper(req);
//放行
chain.doFilter(xssWarper, response);
}
}
@Override
public void destroy() {
System.out.println("xss過濾器的銷燬");
}
private boolean canIgnore(HttpServletRequest request) {
String url = request.getRequestURI();
for (String ignore : prefixIignores) {
if (url.endsWith(ignore)) {
return true;
}
}
return false;
}
}
創建XssWarper
import cn.jiguang.common.utils.StringUtils; import org.springframework.web.util.HtmlUtils; import javax.servlet.ServletInputStream; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletRequestWrapper; import java.io.IOException; import java.util.HashMap; import java.util.Map; public class XssWarper extends HttpServletRequestWrapper { private Map<String , String[]> params = new HashMap<String, String[]>(); // 用於存儲請求參數 private ServletInputStream servletInputStream = null; /** * @Method content 富文本內容 * @Author MC 不進行處理的params * @Return * @Date 2019/11/25 0025 9:55 */ private String noCheckParamsStr = "content"; private HttpServletRequest request; public XssWarper(HttpServletRequest request) { super(request); this.request = request; this.params.putAll(request.getParameterMap()); } /** * 重載一個構造方法 * @param request * @param extendParams */ public XssWarper(HttpServletRequest request , Map<String , String[]> extendParams) throws IOException { this(request); for (String key: extendParams.keySet()) { String val = this.getParameter(key); if (StringUtils.isNotEmpty(val)){ extendParams.put(key,new String[]{val}); } } addAllParameters(extendParams); } @Override public String getParameter(String name) { if(noCheckParamsStr.indexOf(name) != -1){ return super.getParameter(name); } String val = request.getParameter(name); if(StringUtils.isNotEmpty(val)){ val = HtmlUtils.htmlEscape(val); // 將所有傳遞進來的String進行HTML編碼,防止XSS攻擊 } return val; } @Override public String[] getParameterValues(String name) { return params.get(name); } public void addAllParameters(Map<String , String[]> otherParams) { for(Map.Entry<String , String[]>entry : otherParams.entrySet()) { addParameter(entry.getKey() , entry.getValue()); } } public void addParameter(String name , Object value) { if(value != null) { if(value instanceof String[]) { params.put(name , (String[])value); }else if(value instanceof String) { params.put(name , new String[] {(String)value}); }else { params.put(name , new String[] {String.valueOf(value)}); } } } }
web.xml中註冊過濾器,請注意與其他過濾器的先後順序
<filter> <filter-name>xssFilter</filter-name> <filter-class>com.jeeplus.common.filter.XssFilter</filter-class> <init-param> <param-name>ignores</param-name> <param-value> /core/sysAppVersion/uploader, /app/fileUpload/upload </param-value> </init-param> </filter> <filter-mapping> <filter-name>xssFilter</filter-name> <url-pattern>/*</url-pattern> </filter-mapping>