防御之前
![在这里插入图片描述](https://i-blog.csdnimg.cn/blog_migrate/7016e141070b15382c3ee59a3ea715a8.png)
防御之后
![在这里插入图片描述](https://i-blog.csdnimg.cn/blog_migrate/515f335066d28c9610200e05608723c7.png)
如何防御?
代码实现（以下示例在输入侧对请求参数做 HTML 转义，属于纵深防御；根本的 XSS 防御仍是在输出时按上下文进行编码）
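// Wraps the request so that parameter values are HTML-escaped before the
// application reads them.
//
// NOTE(review): escaping on the way *in* is defence in depth, not the primary
// XSS control. The reliable control is context-aware output encoding (HTML
// body, attribute, JavaScript, URL) where the data is rendered. This wrapper
// escapes for the HTML-body context only, so whatever the application persists
// will contain the escaped form (e.g. "&lt;"), and non-HTML consumers (JSON
// APIs, CSV export) may see double-encoded or corrupted data. It also does not
// touch headers, cookies, the raw query string, path segments, or a JSON/XML
// body read via getInputStream()/getReader().
public class XssHttpServletRequestWrapper extends HttpServletRequestWrapper {

    // @param request the request to wrap; the superclass keeps the reference
    //                (reachable via getRequest()), so no extra field is needed
    public XssHttpServletRequestWrapper(HttpServletRequest request) {
        super(request);
    }

    // Single-value lookup. null stays null so "parameter absent" is preserved.
    @Override
    public String getParameter(String name) {
        return escape(super.getParameter(name));
    }

    // Multi-value lookup. Frameworks commonly read parameters through this
    // method (e.g. Spring MVC's @RequestParam binding) rather than through
    // getParameter(), so a wrapper that overrides only getParameter() is
    // bypassed by them.
    @Override
    public String[] getParameterValues(String name) {
        return escapeAll(super.getParameterValues(name));
    }

    // Map view. A fresh map is built so escaped values never leak into the
    // container's own parameter storage; returned read-only as the servlet
    // API requires. Fully-qualified java.util names avoid touching the file's
    // import block, which is outside this listing.
    @Override
    public java.util.Map<String, String[]> getParameterMap() {
        java.util.Map<String, String[]> raw = super.getParameterMap();
        if (raw == null) {
            return null;
        }
        java.util.Map<String, String[]> escaped = new java.util.LinkedHashMap<>(raw.size());
        for (java.util.Map.Entry<String, String[]> entry : raw.entrySet()) {
            escaped.put(entry.getKey(), escapeAll(entry.getValue()));
        }
        return java.util.Collections.unmodifiableMap(escaped);
    }

    // HTML-escapes one value; null and "" pass through unchanged (same outcome
    // as the original isEmpty() guard).
    private static String escape(String value) {
        if (value == null || value.isEmpty()) {
            return value;
        }
        return StringEscapeUtils.escapeHtml(value);
    }

    // Escapes each element into a copy; the array handed out by the underlying
    // request must not be mutated in place.
    private static String[] escapeAll(String[] values) {
        if (values == null) {
            return null;
        }
        String[] out = new String[values.length];
        for (int i = 0; i < values.length; i++) {
            out[i] = escape(values[i]);
        }
        return out;
    }
}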
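// Registers the escaping wrapper on every path so that parameter access
// throughout the application goes through XssHttpServletRequestWrapper.
//
// NOTE(review): only the request is wrapped; the response is passed through
// untouched, so output encoding in the view layer is still required. The
// wrapper's coverage gaps (headers, request body, etc.) apply here as well.
@WebFilter(urlPatterns = "/*")
public class XssFilter implements Filter {

    // @param servletRequest  the incoming request; must be an HTTP request
    // @param servletResponse passed down the chain unchanged
    // @param filterChain     the remainder of the filter chain
    // @throws ServletException if the request is not an HttpServletRequest
    //                          (the original blind cast surfaced this as a
    //                          ClassCastException); also propagated from the chain
    // @throws IOException      propagated from the chain
    @Override
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain)
            throws IOException, ServletException {
        // Fail closed: a security filter must not let a request it cannot
        // wrap continue unescaped.
        if (!(servletRequest instanceof HttpServletRequest)) {
            throw new ServletException("XssFilter only supports HTTP requests");
        }
        HttpServletRequest wrapped =
                new XssHttpServletRequestWrapper((HttpServletRequest) servletRequest);
        filterChain.doFilter(wrapped, servletResponse);
    }
}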