最近被安保测评搞得头疼,本来网站上有XSS处理,代码也是参考网络,结果发现不好使。此处呵呵了。。。。 一般情况下百度出来的结果都是不好用的例子,虽然代码还挺全面,就是拦不住你说气人不气人。
下面发一个经过我实际应用好使的XSS过滤器,帮大家节省时间
/**
 * 安全的Filter(过滤SQL和XSS)
 *
 * <p>web.xml 配置示例:
 * <pre>{@code
 * <!-- 解决xss & sql漏洞 -->
 * <filter>
 *   <filter-name>SafeFilter</filter-name>
 *   <filter-class>cn.he.xss.HttpServletRequestSafeFilter</filter-class>
 *   <init-param>
 *     <param-name>filterXSS</param-name>
 *     <param-value>true</param-value>
 *   </init-param>
 *   <init-param>
 *     <param-name>filterSQL</param-name>
 *     <param-value>true</param-value>
 *   </init-param>
 * </filter>
 * <filter-mapping>
 *   <filter-name>SafeFilter</filter-name>
 *   <url-pattern>/*</url-pattern>
 *   <dispatcher>REQUEST</dispatcher>
 * </filter-mapping>
 * }</pre>
 */
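public class HttpServletRequestSafeFilter implements Filter {

    /** Init-param name; "true" asks the wrapper to filter request data for XSS payloads. */
    public static final String FILTER_XSS = "filterXSS";
    /** Init-param name; "true" asks the wrapper to filter request data for SQL-injection patterns. */
    public static final String FILTER_SQL = "filterSQL";

    FilterConfig filterConfig = null;

    // Both flags are resolved once in init() instead of re-reading and
    // re-parsing the init-params on every request in doFilter().
    private boolean filterXSS;
    private boolean filterSQL;

    /**
     * Stores the config and resolves the two feature flags.
     *
     * <p>A missing or empty init-param, or any value other than "true"
     * (case-insensitive), leaves that check disabled — the same result the
     * original StringUtils.isNotEmpty + Boolean.valueOf combination produced.
     *
     * @param filterConfig container-supplied configuration, never null per the servlet lifecycle
     * @throws ServletException never thrown here; declared by the Filter contract
     */
    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
        this.filterConfig = filterConfig;
        this.filterXSS = parseFlag(filterConfig.getInitParameter(FILTER_XSS));
        this.filterSQL = parseFlag(filterConfig.getInitParameter(FILTER_SQL));
    }

    /** Drops the config reference; the flags are plain booleans and need no cleanup. */
    @Override
    public void destroy() {
        this.filterConfig = null;
    }

    /**
     * Wraps each HTTP request in {@code HttpServletRequestSafeWrapper}, which
     * performs the actual sanitisation (that class is not part of this listing),
     * and hands the wrapped request down the chain.
     *
     * <p>Non-HTTP requests are passed through unwrapped rather than failing with
     * a ClassCastException. Note that only requests dispatched through this
     * filter are wrapped: with the REQUEST-only {@code <dispatcher>} mapping,
     * FORWARD/INCLUDE/ERROR dispatches are not re-filtered. Request-side
     * filtering is a defence-in-depth layer; it does not replace output
     * encoding in views or parameterised queries in the data layer.
     *
     * @param request  incoming request, wrapped when it is an HttpServletRequest
     * @param response passed through unchanged
     * @param chain    remaining filter chain
     * @throws IOException      propagated from the chain
     * @throws ServletException propagated from the chain
     */
    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        if (request instanceof HttpServletRequest) {
            chain.doFilter(
                    new HttpServletRequestSafeWrapper((HttpServletRequest) request, filterXSS, filterSQL),
                    response);
        } else {
            chain.doFilter(request, response);
        }
    }

    /**
     * Parses an init-param into a flag without a third-party helper.
     * Boolean.parseBoolean already treats null and "" as false and only
     * "true" (ignoring case) as true, which matches the previous behaviour.
     */
    private static boolean parseFlag(String value) {
        return Boolean.parseBoolean(value);
    }
}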
<