开发时间：2016-03-02
项目地点:深圳
开发人员 yekang
在 web.xml 中配置过滤器（注意：下面的示例整体位于 XML 注释 `<!-- -->` 之内，照抄的话过滤器并不会被注册）
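<!--
  XssFilter registration. Kept disabled (inside an XML comment) exactly as in
  the listing: nothing below takes effect until the outer comment markers are
  removed. Before enabling it, make sure XssFilter.doFilter forwards to
  chain.doFilter(...) - in the listing that call appears commented out, and a
  filter that never forwards answers every URL matched by /* with an empty
  response. Also note that a filter-mapping without <dispatcher> elements
  covers REQUEST dispatches only; FORWARD/INCLUDE/ERROR dispatches bypass it
  unless listed explicitly.
  The stray leading space in <filter-class> from the listing has been removed.
-->
<!-- <filter>
<filter-name>XSSFilter</filter-name>
<filter-class>com.palic.elis.ceis.common.filter.XssFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>XSSFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping> -->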
创建过滤器类 XssFilter：
package com.palic.elis.ceis.common.filter;
import java.io.IOException;
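import java.util.Collections;
import java.util.LinkedHashMap;
import java.util.Map;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;

/**
 * Servlet filter that wraps every HTTP request in a {@code HttpRequestWrapper}
 * so that the values the wrapper exposes are run through a fixed, ordered list
 * of regex-based replacements before the application reads them.
 *
 * <p>Review notes (security):
 * <ul>
 *   <li>Rewriting input like this is at best defence in depth. It does not
 *       replace contextual output encoding in the view layer: the rules only
 *       touch a handful of tokens, and the rewritten values are stored and may
 *       later be emitted in a JavaScript, attribute or URL context where HTML
 *       entity encoding is not the right escaping.</li>
 *   <li>The rules are destructive for ordinary data: any value containing
 *       "script" (e.g. "description") or "eval(...)" is altered even when it
 *       is not HTML at all.</li>
 *   <li>Coverage is limited to the accessors the wrapper overrides; request
 *       bodies (JSON/XML), multipart parts, cookies and the raw query string
 *       are not inspected.</li>
 * </ul>
 */
public class XssFilter implements Filter {

    /**
     * Ordered regex -> replacement rules, applied in insertion order by the
     * wrapper. Order matters: the {@code javascript:} and {@code eval(...)}
     * rules must run before the quote/parenthesis rules that would otherwise
     * rewrite the very characters they match on.
     *
     * <p>Built once at class-load time instead of in {@link #init}, which
     * re-ran the same puts for every filter instance.
     */
    private static final Map<String, String> xssMap;

    static {
        Map<String, String> rules = new LinkedHashMap<String, String>();
        // Remove the token "script", case-insensitively. The original used
        // character classes such as [s|S], which also matched a literal '|'.
        rules.put("(?i)script", "");
        // A quoted "javascript:..." value collapses to an empty quoted string.
        rules.put("(?i)[\"'][\\s]*javascript:(.*)[\"']", "\"\"");
        // Remove eval(...) calls. (.*) is greedy, so everything up to the last
        // ')' in the value is dropped, exactly as in the original.
        rules.put("(?i)eval\\((.*)\\)", "");
        // Entity-encode the characters that open tags, attributes and calls.
        // The listing showed these as identity replacements ("<" -> "<"),
        // which would have been no-ops; the values are almost certainly HTML
        // entities flattened by the page renderer and are restored here.
        rules.put("<", "&lt;");
        rules.put(">", "&gt;");
        rules.put("\\(", "&#40;");
        rules.put("\\)", "&#41;");
        rules.put("'", "&#39;");
        rules.put("\"", "&quot;");
        xssMap = Collections.unmodifiableMap(rules);
    }

    /** Nothing to set up: the rule table is a class-level constant. */
    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
        // Intentionally empty. The original also wrote debug markers to
        // stdout from here; removed.
    }

    /**
     * Wraps HTTP requests so that downstream code reads cleaned values, then
     * forwards along the chain. Non-HTTP requests are passed through untouched
     * instead of failing with a ClassCastException.
     *
     * @throws IOException      propagated from the rest of the chain
     * @throws ServletException propagated from the rest of the chain
     */
    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        ServletRequest toForward = request;
        if (request instanceof HttpServletRequest) {
            toForward = new HttpRequestWrapper((HttpServletRequest) request, xssMap);
        }
        // In the listing this call appeared commented out. Without it the
        // filter never forwards the request and every mapped URL receives an
        // empty response.
        chain.doFilter(toForward, response);
    }

    /** No resources to release. */
    @Override
    public void destroy() {
    }
}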
创建请求包装类 HttpRequestWrapper：
package com.palic.elis.ceis.common.filter;
import java.util.Map;
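import java.util.Set;
import java.util.Collections;
import java.util.LinkedHashMap;
import java.util.Objects;
import java.util.regex.Pattern;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;

/**
 * Request wrapper that runs parameter and header values through an ordered
 * table of regex -> replacement rules (supplied by XssFilter).
 *
 * <p>Covered accessors: {@link #getParameter}, {@link #getParameterValues},
 * {@link #getParameterMap} and {@link #getHeader}. Everything else is
 * inherited unchanged - {@code getHeaders(String)}, {@code getHeaderNames},
 * {@code getQueryString}, cookies, the body via {@code getReader} /
 * {@code getInputStream}, multipart parts - so code reading through those
 * paths sees the raw values. Do not rely on this wrapper as the only XSS
 * control; encode on output.
 */
public class HttpRequestWrapper extends HttpServletRequestWrapper {

    /** Rules compiled once, in the order they were supplied. */
    private final Map<Pattern, String> rules;

    /**
     * Wraps a request with no rules at all: values pass through unchanged.
     * The original left the rule map null on this path, so the first call to
     * any overridden accessor threw NullPointerException.
     *
     * @param request the request to wrap
     */
    public HttpRequestWrapper(HttpServletRequest request) {
        this(request, new LinkedHashMap<String, String>());
    }

    /**
     * @param request the request to wrap
     * @param xssMap  ordered regex -> replacement rules; each key is compiled
     *                here once rather than on every String.replaceAll call
     * @throws NullPointerException if {@code xssMap} is null
     */
    public HttpRequestWrapper(HttpServletRequest request, Map<String, String> xssMap) {
        super(request);
        Objects.requireNonNull(xssMap, "xssMap");
        Map<Pattern, String> compiled = new LinkedHashMap<Pattern, String>();
        for (Map.Entry<String, String> rule : xssMap.entrySet()) {
            compiled.put(Pattern.compile(rule.getKey()), rule.getValue());
        }
        this.rules = compiled;
    }

    /**
     * Returns cleaned copies of the values, or null when the parameter is
     * absent or has an empty value array (preserved from the original). A new
     * array is returned so the container's own array is never written to; the
     * original mutated it in place.
     */
    @Override
    public String[] getParameterValues(String parameter) {
        String[] raw = super.getParameterValues(parameter);
        if (raw == null || raw.length == 0) {
            return null;
        }
        return cleanAll(raw);
    }

    /** Single cleaned value, or null when the parameter is absent. */
    @Override
    public String getParameter(String parameter) {
        String value = super.getParameter(parameter);
        return value == null ? null : cleanXSS(value);
    }

    /**
     * Cleaned view of the whole parameter map. The original did not override
     * this, so any framework that binds request data through the map instead
     * of getParameter/getParameterValues bypassed the rules entirely.
     *
     * @return an unmodifiable map of cleaned value arrays
     */
    @Override
    public Map<String, String[]> getParameterMap() {
        Map<String, String[]> raw = super.getParameterMap();
        Map<String, String[]> cleaned = new LinkedHashMap<String, String[]>();
        for (Map.Entry<String, String[]> entry : raw.entrySet()) {
            String[] values = entry.getValue();
            cleaned.put(entry.getKey(), values == null ? null : cleanAll(values));
        }
        return Collections.unmodifiableMap(cleaned);
    }

    /**
     * Cleaned single header value. Note that {@code getHeaders(String)} is
     * not overridden and still returns raw values.
     */
    @Override
    public String getHeader(String name) {
        String value = super.getHeader(name);
        return value == null ? null : cleanXSS(value);
    }

    /** Cleans each element into a fresh array; null elements stay null. */
    private String[] cleanAll(String[] values) {
        String[] out = new String[values.length];
        for (int i = 0; i < values.length; i++) {
            out[i] = values[i] == null ? null : cleanXSS(values[i]);
        }
        return out;
    }

    /**
     * Applies every rule in insertion order. The replacement string is handed
     * to Matcher.replaceAll as-is, so '$' and '\' in a replacement keep the
     * same meaning they had with String.replaceAll in the original.
     */
    private String cleanXSS(String value) {
        String result = value;
        for (Map.Entry<Pattern, String> rule : rules.entrySet()) {
            result = rule.getKey().matcher(result).replaceAll(rule.getValue());
        }
        return result;
    }
}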