XssFilter 创建与配置

版权声明:本文为博主原创文章,未经博主允许不得转载。 https://blog.csdn.net/csdn565973850/article/details/88553653

增加XssFilter过滤器

创建XssFilter

package com.dongao.filter;

import com.alibaba.druid.util.DruidWebUtils;
import com.alibaba.druid.util.PatternMatcher;
import com.alibaba.druid.util.ServletPathMatcher;

import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import java.io.IOException;
import java.text.SimpleDateFormat;
import java.util.Arrays;
import java.util.Date;
import java.util.HashSet;
import java.util.Set;

public class XssFilter implements Filter {

	private String initParameter;
	private Set<String> initParameters;
	protected PatternMatcher pathMatcher = new ServletPathMatcher();
	private String contextPath;

	@Override
	public void init(FilterConfig filterConfig) throws ServletException {
		//初始化加载需要排除,无需过滤的后缀
		initParameter = filterConfig.getInitParameter("exclude");
		if (initParameter != null && initParameter.trim().length() != 0) {
			initParameters = new HashSet<String>(Arrays.asList(initParameter.split("\\s*,\\s*")));
		}

		contextPath = DruidWebUtils.getContextPath(context);
	}

	@Override
	public void doFilter(ServletRequest request, ServletResponse response,
                         FilterChain chain) throws IOException, ServletException {

		HttpServletRequest httpRequest = (HttpServletRequest) request;
		String requestURI = httpRequest.getRequestURI();
		if (isExclusion(requestURI)) { // 无需过滤
			chain.doFilter(request, response);
			return;
		}else { // 需过滤
			chain.doFilter(new XssHttpServletRequestWrapper(httpRequest), response);
		}

	}
	@Override
	public void destroy() {

	}

	public boolean isExclusion(String requestURI) {
		if (initParameters == null) {
			return false;
		}

		if (contextPath != null && requestURI.startsWith(contextPath)) {
			requestURI = requestURI.substring(contextPath.length());
			if (!requestURI.startsWith("/")) {
				requestURI = "/" + requestURI;
			}
		}

		for (String pattern : initParameters) {
			if (pathMatcher.matches(pattern, requestURI)) {
				return true;
			}
		}

		return false;
	}

}


创建XssHttpServletRequestWrapper

package com.dongao.filter;

import org.apache.commons.lang3.StringEscapeUtils;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import java.util.regex.Pattern;

public class XssHttpServletRequestWrapper extends HttpServletRequestWrapper {
    /**
     * Xss请求适配器
     * @param request
     */
	public XssHttpServletRequestWrapper(HttpServletRequest request) {
		super(request);
	}

    /**
     *对请求头部过滤
     * @param name
     * @return
     */
    @Override
    public String getHeader(String name) {
        String value = super.getHeader(name);
        if (value == null) {
            return null;
        }
        return StringEscapeUtils.escapeHtml4(value);
    }

    /**
     *对参数过滤
     * @param name
     * @return
     */
    @Override
    public String getParameter(String name) {
        String value = super.getParameter(name);
        if (value == null) {
            return null;
        }
        return StringEscapeUtils.escapeHtml4(value);
   }

    /**
     *对数组参数过滤
     * @param name
     * @return
     */
    @Override
    public String[] getParameterValues(String name) {
        String[] values = super.getParameterValues(name);
        if(values != null) {
            int length = values.length;   
            String[] escapseValues = new String[length];
            for(int i = 0; i < length; i++){
                escapseValues[i] = StringEscapeUtils.escapeHtml4(values[i]);
            }
            return escapseValues;
        }
        return super.getParameterValues(name);
    }

}

在web.xml增加过滤器

	<filter>
		<filter-name>XssEscape</filter-name>
		<filter-class>com.dongao.filter.XssFilter</filter-class>
		<!--无需过滤的后缀-->
		<init-param>
			<param-name>exclude</param-name>
			<param-value>*.js,*.gif,*.jpg,*.png,*.css,*.ico</param-value>
		</init-param>
	</filter>
	<filter-mapping>
		<filter-name>XssEscape</filter-name>
		<url-pattern>/*</url-pattern>
		<dispatcher>REQUEST</dispatcher>
	</filter-mapping>
展开阅读全文

没有更多推荐了,返回首页