com.frameworkset.common.filter.CharsetEncodingFilter
CharsetEncodingFilter是不具备防止跨站攻击功能的,但是为其增加两个init-param参数后就可以了:
wallfilterrules 指定黑名单单词表,以逗号分隔多个单词,只要在参数值中出现其中的一个单词,参数值就会被置为null(即参数被过滤掉)
wallwhilelist 指定不会被黑名单检测的参数的名称清单,多个参数以逗号分隔,白名单中的参数安全性需要应用程序自己控制,对值中出现的非法字符需要进行相应的处理后再输出到客服端(比如,针对浏览器的转义处理等措施)
<filter>
<filter-name>CharsetEncoding</filter-name>
<filter-class>com.frameworkset.common.filter.CharsetEncodingFilter</filter-class>
<init-param>
<param-name>RequestEncoding</param-name>
<param-value>UTF-8</param-value>
</init-param>
<init-param>
<param-name>ResponseEncoding</param-name>
<param-value>UTF-8</param-value>
</init-param>
<init-param>
<param-name>mode</param-name>
<param-value>0</param-value>
</init-param>
<init-param>
<param-name>checkiemodeldialog</param-name>
<param-value>true</param-value>
</init-param>
<init-param>
<param-name>wallfilterrules</param-name>
<param-value><![CDATA[><,%3E%3C,<iframe,%3Ciframe,<script,%3Cscript,<img,%3Cimg,alert(,alert%28,eval(,eval%28,style=,style%3D]]>
</param-value>
</init-param>
<init-param>
<param-name>wallwhilelist</param-name>
<param-value><![CDATA[content,fileContent]]>
</param-value>
</init-param>
</filter>