如果用户在提交数据栏中键入html标签<></>,需要进行过滤处理,其实就是把请求参数中的角括号替换为替代字符。
package cn.yh.servlet;
import java.util.Iterator;
import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
/**
* 通过继承HttpServletRequestWrapper实现了一个请求封装器,可以将请求参数中的角括号替换为替代字符。
* @author YH
*
*/
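public class CharacterRequestWrapper extends HttpServletRequestWrapper {
    /**
     * Replacement table: key is the original text, value is the text that
     * replaces it. Keys are matched as literal text, never as regular
     * expressions.
     */
    private final Map<String, String> escapeMap;

    /**
     * Wraps {@code request} so that every parameter value is passed through
     * the replacement table before it reaches the servlet.
     *
     * @param request   the request to wrap
     * @param escapeMap original text to replacement text; the wrapper keeps a
     *                  reference to this map (no copy), so it must not be
     *                  modified after construction
     * @throws IllegalArgumentException if {@code escapeMap} is null
     */
    public CharacterRequestWrapper(HttpServletRequest request, Map<String, String> escapeMap) {
        super(request);
        if (escapeMap == null) {
            throw new IllegalArgumentException("escapeMap must not be null");
        }
        this.escapeMap = escapeMap;
    }

    /** Returns the single parameter value with the replacement table applied. */
    @Override
    public String getParameter(String name) {
        return doEscape(super.getParameter(name));
    }

    /**
     * Returns all values of a multi-valued parameter with the replacement
     * table applied. Without this override a servlet reading
     * {@code getParameterValues} would still receive the raw text.
     */
    @Override
    public String[] getParameterValues(String name) {
        return doEscape(super.getParameterValues(name));
    }

    /**
     * Returns a copy of the parameter map with the replacement table applied to
     * every value, so that the third way of reading parameters is covered too.
     */
    @Override
    public Map<String, String[]> getParameterMap() {
        Map<String, String[]> raw = super.getParameterMap();
        Map<String, String[]> escaped = new java.util.HashMap<String, String[]>();
        for (Map.Entry<String, String[]> entry : raw.entrySet()) {
            escaped.put(entry.getKey(), doEscape(entry.getValue()));
        }
        // the servlet API documents getParameterMap() as immutable
        return java.util.Collections.unmodifiableMap(escaped);
    }

    /** Applies {@link #doEscape(String)} to each element; null stays null. */
    private String[] doEscape(String[] values) {
        if (values == null) {
            return null;
        }
        String[] escaped = new String[values.length];
        for (int i = 0; i < values.length; i++) {
            escaped[i] = doEscape(values[i]);
        }
        return escaped;
    }

    /**
     * Replaces every occurrence of each key in {@code escapeMap} with its value.
     * Replacements are applied one after another in the map's iteration order;
     * if one replacement's output contains another key, the final text depends
     * on that order, so keep the table to entries whose outputs contain no
     * other key, or supply a map with a defined order.
     *
     * @param parameter raw value, may be null
     * @return the escaped value, or null if {@code parameter} is null
     */
    private String doEscape(String parameter) {
        if (parameter == null) {
            return null;
        }
        String result = parameter;
        for (Map.Entry<String, String> entry : escapeMap.entrySet()) {
            // replace(), not replaceAll(): with replaceAll a key such as "(" or "$"
            // is parsed as a regex and a value containing "$" as a group reference,
            // both of which throw at request time instead of escaping
            result = result.replace(entry.getKey(), entry.getValue());
        }
        return result;
    }
}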
实现过滤器,替代字符保存在文件中,文件路径通过Filter初始化参数进行配置,在FilterConfig中获取。
package cn.yh.filter;
import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.nio.charset.Charset;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import cn.yh.servlet.CharacterRequestWrapper;
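public class CharacterFilter implements Filter {
    /** Filter init-param that names the escape list resource. */
    private static final String ESCAPE_LIST_PARAM = "ESCAPE_LIST";
    private static final Logger LOG = Logger.getLogger(CharacterFilter.class.getName());

    /**
     * Original text to replacement text, loaded once in {@link #init} and
     * shared read-only by every request.
     */
    private Map<String, String> escapeMap;

    public void destroy() {
        // nothing to release: the escape list is held in memory only
    }

    /**
     * Wraps the request so that parameter values are escaped before the rest of
     * the chain sees them.
     *
     * @throws ServletException if the request is not an HTTP request, which
     *         this filter cannot wrap; failing here is preferable to letting
     *         the parameters through unescaped
     */
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        if (!(request instanceof HttpServletRequest)) {
            throw new ServletException("CharacterFilter requires an HTTP request");
        }
        HttpServletRequest wrapped = new CharacterRequestWrapper((HttpServletRequest) request, escapeMap);
        chain.doFilter(wrapped, response);
    }

    /**
     * Loads the escape list named by the {@code ESCAPE_LIST} init-param from
     * the web application (one {@code original<TAB>replacement} pair per line).
     *
     * @throws ServletException if the init-param is missing, the resource does
     *         not exist, a line is malformed, or reading fails; the filter
     *         refuses to start rather than run with an empty or partial table
     */
    public void init(FilterConfig filterConfig) throws ServletException {
        String escapeListFile = filterConfig.getInitParameter(ESCAPE_LIST_PARAM);
        if (escapeListFile == null) {
            throw new ServletException("Missing filter init-param " + ESCAPE_LIST_PARAM);
        }
        InputStream in = filterConfig.getServletContext().getResourceAsStream(escapeListFile);
        if (in == null) {
            // getResourceAsStream returns null for an unknown path; without this check
            // the InputStreamReader constructor throws a bare NullPointerException
            throw new ServletException("Escape list resource not found: " + escapeListFile);
        }
        // explicit charset: the platform default varies between deployments
        BufferedReader reader = new BufferedReader(new InputStreamReader(in, Charset.forName("UTF-8")));
        try {
            escapeMap = Collections.unmodifiableMap(readEscapeList(reader));
        } catch (IOException e) {
            throw new ServletException("Could not read escape list " + escapeListFile, e);
        } finally {
            try {
                reader.close();
            } catch (IOException e) {
                LOG.log(Level.WARNING, "Could not close escape list " + escapeListFile, e);
            }
        }
    }

    /**
     * Parses {@code original<TAB>replacement} lines into a map. Empty lines are
     * skipped; any other line without a tab separator is a configuration error.
     *
     * @throws IOException      if reading fails
     * @throws ServletException if a line has no tab separator
     */
    private static Map<String, String> readEscapeList(BufferedReader reader)
            throws IOException, ServletException {
        Map<String, String> map = new HashMap<String, String>();
        String line;
        while ((line = reader.readLine()) != null) {
            if (line.length() == 0) {
                continue;
            }
            String[] tokens = line.split("\t");
            if (tokens.length < 2) {
                throw new ServletException(
                        "Malformed escape list line (expected original<TAB>replacement): " + line);
            }
            map.put(tokens[0], tokens[1]);
        }
        return map;
    }
}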
web.xml中配置过滤器
<filter>
<filter-name>CharacterFilter</filter-name>
<filter-class>cn.yh.filter.CharacterFilter</filter-class>
<init-param>
<!-- path of the escape list inside the web application; read via getResourceAsStream in init() -->
<param-name>ESCAPE_LIST</param-name>
<param-value>/WEB-INF/escapelist.txt</param-value>
</init-param>
</filter>
<!-- only requests matching *.do are escaped; parameters of any other URL pattern
     reach their servlets unchanged, so widen the pattern if other paths take user input -->
<filter-mapping>
<filter-name>CharacterFilter</filter-name>
<url-pattern>*.do</url-pattern>
<dispatcher>REQUEST</dispatcher>
<dispatcher>INCLUDE</dispatcher>
<dispatcher>FORWARD</dispatcher>
<dispatcher>ERROR</dispatcher>
</filter-mapping>
escapelist.txt 每行分隔使用的是\t (tab)
< <
> >