最近需要写个xss过滤器,将访问网站的所有请求参数都进行xss过滤,过滤的api使用的是antisamy-1.4.4
java代码
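/**
 * Servlet filter that runs every request parameter of selected URIs through AntiSamy before the
 * request reaches the application.
 *
 * <p>Scope: only values from {@code getParameterMap()} (query string and form fields) are
 * sanitised. Headers, cookies, the raw request body and the path itself are passed through
 * unchanged. The cleaned values are handed to {@code ParameterRequestWrapper}, which
 * presumably serves them from its {@code getParameter*} methods (the wrapper is defined
 * elsewhere - verify it overrides all four accessors).
 *
 * <p>URI selection: {@link #setFilterChainDefinitions} takes full-match regular expressions
 * that are matched against the request URI with the context path removed. The URI is matched
 * as received from the container (not URL-decoded), so patterns must be written accordingly.
 *
 * <p>Thread-safety: a single instance serves concurrent requests. The AntiSamy policy is loaded
 * once and never modified afterwards; everything else is request-local.
 */
public class XssFilter implements Filter {

    private static final Logger log = LoggerFactory.getLogger(XssFilter.class);

    /** Policy location handed to {@code Policy.getInstance(String)}. */
    public static final String POLICY_FILE_LOCATION = "antisamy-slashdot-1.4.4.xml";

    /** Regular expressions (full match) selecting the URIs whose parameters are sanitised. */
    private List<String> filterChainDefinitions;

    /** Compiled form of {@link #filterChainDefinitions}, built once in the setter. */
    private volatile List<Pattern> uriPatterns = java.util.Collections.emptyList();

    /** Shared AntiSamy policy, loaded in {@link #init} or lazily on first use. */
    private volatile Policy policy;

    /**
     * Loads the AntiSamy policy eagerly so a misconfigured deployment fails at startup instead
     * of blanking parameters at request time.
     *
     * @throws ServletException if the policy file cannot be loaded
     */
    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
        try {
            currentPolicy();
        } catch (Exception e) {
            throw new ServletException("Cannot load AntiSamy policy " + POLICY_FILE_LOCATION, e);
        }
        if (filterChainDefinitions == null || filterChainDefinitions.isEmpty()) {
            // Not fatal, but a filter without patterns sanitises nothing; make that visible.
            log.warn("XssFilter has no filterChainDefinitions; no request will be sanitised");
        }
    }

    /**
     * Wraps matching HTTP requests with a sanitised parameter map and continues the chain.
     * Non-HTTP requests are passed through untouched.
     */
    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        if (!(request instanceof HttpServletRequest)) {
            chain.doFilter(request, response);
            return;
        }
        HttpServletRequest httpRequest = (HttpServletRequest) request;

        @SuppressWarnings("unchecked") // Servlet 2.5 declares a raw Map; values are always String[]
        Map<String, String[]> params = httpRequest.getParameterMap();

        if (matchUri(pathWithinApplication(httpRequest))) {
            try {
                params = clearRequestPra(httpRequest, new HashMap<String, String[]>());
            } catch (Exception e) {
                // NOTE(review): fails open - the request continues with its original parameters.
                // scan() already maps per-value failures to "", so this branch should be rare.
                log.warn("XSS sanitising failed for " + httpRequest.getRequestURI()
                        + "; passing original parameters through", e);
            }
        }
        chain.doFilter(new ParameterRequestWrapper(httpRequest, params), response);
    }

    /**
     * Returns the request URI with the context path prefix removed, so patterns are written
     * relative to the application root. The original used {@code replace(path, "")}, which
     * also removed later occurrences of the context path inside the URI.
     */
    private static String pathWithinApplication(HttpServletRequest request) {
        String uri = request.getRequestURI();
        if (uri == null) {
            return "";
        }
        String contextPath = request.getContextPath();
        if (contextPath != null && contextPath.length() > 0 && uri.startsWith(contextPath)) {
            return uri.substring(contextPath.length());
        }
        return uri;
    }

    /**
     * Fills {@code m} with a sanitised copy of the request's parameter map and returns it.
     * The container's map and its String[] values are never modified (the original wrote the
     * cleaned values back into the container's arrays).
     *
     * @param request source of the parameters
     * @param m       target map, filled and returned
     * @return {@code m}
     */
    private Map<String, String[]> clearRequestPra(ServletRequest request, Map<String, String[]> m) {
        @SuppressWarnings("unchecked") // see doFilter
        Map<String, String[]> params = request.getParameterMap();
        for (Map.Entry<String, String[]> entry : params.entrySet()) {
            String[] original = entry.getValue();
            if (original == null) {
                m.put(entry.getKey(), null);
                continue;
            }
            String[] cleaned = new String[original.length];
            for (int i = 0; i < original.length; i++) {
                cleaned[i] = scan(original[i]);
            }
            m.put(entry.getKey(), cleaned);
        }
        return m;
    }

    /**
     * Sanitises one parameter value with AntiSamy.
     *
     * <p>Returns {@code ""} when AntiSamy rejects the value or cannot run (fail closed per
     * value, as in the original); {@code null} input also yields {@code ""}.
     * NOTE(review): AntiSamy returns serialised HTML, so values that are not HTML may come back
     * entity-encoded (e.g. {@code &} as {@code &amp;}) - confirm this is acceptable for every
     * parameter the matched URIs accept.
     *
     * @param content raw parameter value, may be null
     * @return the cleaned value, never null
     */
    private String scan(String content) {
        if (content == null) {
            return "";
        }
        if (content.length() == 0) {
            return content;
        }
        try {
            CleanResults cr = new AntiSamy().scan(content, currentPolicy());
            return cr.getCleanHTML();
        } catch (Exception e) {
            // AntiSamy declares ScanException/PolicyException; runtime failures are handled the
            // same way. The value itself is deliberately not logged (untrusted input).
            log.warn("AntiSamy rejected a parameter value; replacing it with an empty string", e);
            return "";
        }
    }

    /**
     * Returns the shared policy, loading it on first use. Loading is serialised so the file is
     * parsed at most once; subsequent reads see the volatile field without locking.
     */
    private Policy currentPolicy() throws org.owasp.validator.html.PolicyException {
        Policy loaded = policy;
        if (loaded != null) {
            return loaded;
        }
        synchronized (this) {
            if (policy == null) {
                policy = Policy.getInstance(POLICY_FILE_LOCATION);
            }
            return policy;
        }
    }

    /**
     * True when the URI fully matches one of the configured patterns; false for a null URI or
     * when no patterns are configured.
     */
    private boolean matchUri(String uri) {
        if (uri == null) {
            return false;
        }
        for (Pattern pattern : uriPatterns) {
            if (pattern.matcher(uri).matches()) {
                return true;
            }
        }
        return false;
    }

    /** Drops the cached policy; it is reloaded if the filter is ever reused. */
    @Override
    public void destroy() {
        policy = null;
    }

    public List<String> getFilterChainDefinitions() {
        return filterChainDefinitions;
    }

    /**
     * Sets the URI patterns and compiles them once, so an invalid regular expression surfaces
     * at configuration time rather than on the first request.
     *
     * @param filterChainDefinitions full-match regular expressions, may be null (matches nothing)
     * @throws java.util.regex.PatternSyntaxException if a definition is not a valid regex
     */
    public void setFilterChainDefinitions(List<String> filterChainDefinitions) {
        this.filterChainDefinitions = filterChainDefinitions;
        List<Pattern> compiled = new java.util.ArrayList<Pattern>();
        if (filterChainDefinitions != null) {
            for (String definition : filterChainDefinitions) {
                compiled.add(Pattern.compile(definition));
            }
        }
        this.uriPatterns = compiled;
    }
}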
application-context-security.xml
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:aop="http://www.springframework.org/schema/aop"
       xmlns:tx="http://www.springframework.org/schema/tx"
       xmlns:context="http://www.springframework.org/schema/context"
       xmlns:util="http://www.springframework.org/schema/util"
       xsi:schemaLocation=" http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-3.0.xsd http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util-3.0.xsd"
       default-lazy-init="true">
    <description>Security Config</description>
    <!-- XSS filter -->
    <bean id="xssFilter" class="com.shurrik.security.XssFilter">
        <property name="filterChainDefinitions">
            <list>
                <!-- <value>^/module.*</value> -->
                <value>^/.*</value>
            </list>
        </property>
    </bean>
</beans>
web.xml
<!-- Xss filter -->
<filter>
    <filter-name>xssFilter</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
    <init-param>
        <param-name>targetFilterLifecycle</param-name>
        <param-value>true</param-value>
    </init-param>
    <init-param>
        <param-name>targetBeanName</param-name>
        <param-value>xssFilter</param-value>
    </init-param>
</filter>
<filter-mapping>
    <filter-name>xssFilter</filter-name>
    <url-pattern>/*</url-pattern>
    <dispatcher>REQUEST</dispatcher>
    <dispatcher>FORWARD</dispatcher>
    <dispatcher>INCLUDE</dispatcher>
</filter-mapping>