一般來說,系統進行表單數據處理時都需要解決類似XSS攻擊以及轉義這樣的問題,這樣的問題具有普遍性,不可能在每個提交表單數據的處理中都加入重複的處理代碼。通常通過 Filter 或 Interceptor 來攔截處理。
這裏介紹通過 Filter 進行 XSS 過濾的方法。
流程:使用 Filter 攔截請求,將原始請求包裝爲可處理 XSS 的自定義請求;之後所有的參數獲取都會經過 XSS 處理。
主要實現類:
XssFilter
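public class XssFilter implements Filter {

    /**
     * Request URIs that bypass XSS filtering. A request whose URI contains one of
     * these substrings is forwarded unwrapped (see {@link #isExcluded(String)}).
     */
    private static final String[] EXCLUDE_URIS = new String[] {
        "/archivefiles/ajaxsimpleupload", // full-text upload
        "/archivefiles/ajaxuploadannex",  // attachment upload
        "/importfilelist",                // file import
        "/export"                         // file export
    };

    /**
     * Wraps every HTTP request in an {@code XssHttpServletRequestWrapper} so that
     * parameter and header reads are XSS-sanitised, unless the request URI matches
     * one of {@link #EXCLUDE_URIS}.
     *
     * @param request  the incoming request; a non-HTTP request is forwarded untouched
     * @param response the response, forwarded unchanged
     * @param chain    the remaining filter chain
     * @throws IOException      propagated from the chain
     * @throws ServletException propagated from the chain
     */
    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        // Only an HTTP request can be wrapped; anything else is forwarded as-is
        // instead of failing with a ClassCastException.
        if (!(request instanceof HttpServletRequest)) {
            chain.doFilter(request, response);
            return;
        }
        HttpServletRequest httpRequest = (HttpServletRequest) request;
        String reqURI = UrlUtils.getReqURI(httpRequest);
        // Filtering is the default; excluded URIs (upload/import/export) keep the raw request.
        // The wrapper class is XssHttpServletRequestWrapper (the original referenced a
        // misspelled "Xssl..." name that does not exist).
        ServletRequest forwarded =
                isExcluded(reqURI) ? request : new XssHttpServletRequestWrapper(httpRequest);
        chain.doFilter(forwarded, response);
    }

    /**
     * Returns whether {@code reqURI} is exempt from filtering.
     *
     * <p>The match is a substring test, as in the original implementation, so an entry such as
     * {@code "/export"} also exempts any URI that merely contains that text; tighten to a prefix
     * or exact match if that is broader than intended. A {@code null} URI is never treated as
     * excluded, so such a request is still filtered.
     *
     * @param reqURI the request URI as reported by {@code UrlUtils.getReqURI}, may be {@code null}
     * @return {@code true} when the request must bypass the XSS wrapper
     */
    private static boolean isExcluded(String reqURI) {
        if (reqURI == null) {
            return false;
        }
        for (String excludeUri : EXCLUDE_URIS) {
            if (reqURI.contains(excludeUri)) {
                return true;
            }
        }
        return false;
    }

    @Override
    public void init(FilterConfig filterConfig) {
        // No configuration is read.
    }

    @Override
    public void destroy() {
        // Nothing to release.
    }
}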
XssHttpServletRequestWrapper
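/**
 * Request wrapper that applies XSS sanitisation by overriding the parameter and header
 * accessors. Values that {@code JacksonUtils} recognises as a JSON object or array are
 * passed through {@code XssUtils.transferJson}; everything else goes through
 * {@code XssUtils.xssReplace}.
 *
 * <p>Covered: {@code getParameter}, {@code getParameterValues}, {@code getParameterMap}
 * and {@code getHeader}. Not covered: {@code getHeaders(String)}, {@code getQueryString}
 * and the request body/input stream.
 */
public class XssHttpServletRequestWrapper extends HttpServletRequestWrapper {

    // Retained from the original; the accessors below read through super, not this field.
    final HttpServletRequest xssRequest;

    /**
     * Wraps {@code request}. The constructor name now matches the class name (the original
     * declared a misspelled "Xssl..." constructor, which does not compile).
     *
     * @param request the request to wrap; the superclass rejects {@code null}
     */
    public XssHttpServletRequestWrapper(HttpServletRequest request) {
        super(request);
        xssRequest = request;
    }

    /**
     * @return the sanitised parameter value, or {@code null} when the parameter is absent
     */
    @Override
    public String getParameter(String name) {
        return xssReplace(super.getParameter(name));
    }

    /**
     * @return a fresh array of sanitised values, or {@code null} when the parameter is absent
     */
    @Override
    public String[] getParameterValues(String name) {
        return sanitiseAll(super.getParameterValues(name));
    }

    /**
     * Sanitised view of all parameters. Frameworks that bind request data via
     * {@code getParameterMap()} rather than {@code getParameter(...)} would otherwise receive
     * the raw values and bypass the filter entirely.
     *
     * @return an unmodifiable map with every value array sanitised, or {@code null} if the
     *         wrapped request returns {@code null}
     */
    @Override
    public java.util.Map<String, String[]> getParameterMap() {
        java.util.Map<String, String[]> raw = super.getParameterMap();
        if (raw == null) {
            return null;
        }
        java.util.Map<String, String[]> cleaned = new java.util.LinkedHashMap<>();
        for (java.util.Map.Entry<String, String[]> entry : raw.entrySet()) {
            cleaned.put(entry.getKey(), sanitiseAll(entry.getValue()));
        }
        return java.util.Collections.unmodifiableMap(cleaned);
    }

    /**
     * @return the sanitised header value, or {@code null} when the header is absent
     */
    @Override
    public String getHeader(String name) {
        return xssReplace(super.getHeader(name));
    }

    /**
     * Sanitises every element of {@code values} into a new array. The array handed out by
     * the container is never mutated in place, since it may be the container's own copy.
     *
     * @param values raw values, may be {@code null}
     * @return a new array of sanitised values, or {@code null} when {@code values} is {@code null}
     */
    private static String[] sanitiseAll(String[] values) {
        if (values == null) {
            return null;
        }
        String[] cleaned = new String[values.length];
        for (int i = 0; i < values.length; i++) {
            cleaned[i] = xssReplace(values[i]);
        }
        return cleaned;
    }

    /**
     * Applies the XSS transformation to a single value.
     *
     * @param value raw value, may be {@code null}
     * @return the sanitised value, or {@code null} when {@code value} is {@code null}
     */
    private static String xssReplace(String value) {
        if (value == null) {
            return null;
        }
        // JSON-looking values take a separate path; presumably XssUtils.transferJson keeps
        // the JSON structure intact while escaping the contents — confirm in XssUtils.
        if (JacksonUtils.isJsonObjectOrJsonArray(value)) {
            return XssUtils.transferJson(value);
        }
        return XssUtils.xssReplace(value);
    }
}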