20190118 xjh 使用第一种方法亲测有效
方法一:
1.添加XssFilter
@Configuration public class XssFilter implements Filter { @Override public void init(FilterConfig filterConfig) throws ServletException { } @Override public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException { HttpServletRequest request = (HttpServletRequest)servletRequest; filterChain.doFilter(new XssHttpServletRequestWrapper(request),servletResponse); } @Override public void destroy() { } }
2.添加XssHttpServletRequestWrapper.java类
public class XssHttpServletRequestWrapper extends HttpServletRequestWrapper { public XssHttpServletRequestWrapper(HttpServletRequest request) { super(request); } @Override public String getHeader(String name) { return StringEscapeUtils.escapeHtml4(super.getHeader(name)); } @Override public String getQueryString() { return StringEscapeUtils.escapeHtml4(super.getQueryString()); } @Override public String getParameter(String name) { return StringEscapeUtils.escapeHtml4(super.getParameter(name)); } @Override public String[] getParameterValues(String name) { String[] values = super.getParameterValues(name); if(values != null) { int length = values.length; String[] escapseValues = new String[length]; for(int i = 0; i < length; i++){ escapseValues[i] = StringEscapeUtils.escapeHtml4(values[i]); } return escapseValues; } return super.getParameterValues(name); } }
自此,即能实现,
假如在网站的文本框输入<script>alert("OK");</script>,
提交到数据库后保存的数据为:&lt;script&gt;alert(&quot;OK&quot;);&lt;/script&gt;
方法二:
1.添加XssFilter ,(同上)
2..添加XssHttpServletRequestWrapper.java类
XssHttpServletRequestWrapper
两种方法,原理一致只是写法不一样,
第二种写法保存到数据库为:scriptalert("OK");/script