import java.io.IOException;
import java.util.regex.Pattern;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
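/**
 * Servlet filter that wraps every HTTP request in a {@link ParkingXssHttpServletRequestWrapper}
 * so that parameter and header values are sanitized before the application reads them.
 *
 * <p>Requests whose URI fully matches one of the bypass patterns below (mobile, Alipay, WeChat,
 * remote-service endpoints) are passed through unwrapped. The allow-list uses
 * {@code Matcher.matches()} (whole-URI match) and a {@code \w}-only action name, so anything
 * that does not look exactly like {@code /pms/<prefix>/<name>.action} is still sanitized.
 * Note that the literal dot before {@code action} is escaped; the previous form matched any
 * single character there, which made the bypass wider than intended.
 */
public class ParkingXssFilter implements Filter {
    FilterConfig filterConfig = null;

    /** URI pattern of the mobile endpoints that bypass the XSS wrapper. */
    public static final String MOBILE_REG = "/pms/mobile/\\w+\\.action";
    /** URI pattern of the Alipay (fuwuchuang) endpoints that bypass the XSS wrapper. */
    public static final String ALIPAY_REG = "/pms/fuwuchuang/\\w+\\.action";
    /** URI pattern of the WeChat endpoints that bypass the XSS wrapper. */
    public static final String WEIXIN_REG = "/pms/weixin/\\w+\\.action";
    /** URI pattern of the remote-service endpoints that bypass the XSS wrapper. */
    public static final String REMOTE_REG = "/pms/parkRemoteService/\\w+\\.action";

    // Compiled once per class rather than per filter instance; Pattern is immutable and thread-safe.
    private static final Pattern[] BYPASS_PATTERNS = {
        Pattern.compile(MOBILE_REG),
        Pattern.compile(ALIPAY_REG),
        Pattern.compile(WEIXIN_REG),
        Pattern.compile(REMOTE_REG)
    };

    /**
     * Default constructor.
     */
    public ParkingXssFilter() {
    }

    /**
     * Releases the stored filter configuration.
     *
     * @see Filter#destroy()
     */
    @Override
    public void destroy() {
        this.filterConfig = null;
    }

    /**
     * Forwards the request down the chain, wrapped in {@link ParkingXssHttpServletRequestWrapper}
     * unless its URI is on the bypass list.
     *
     * @param request  the incoming request; cast to {@link HttpServletRequest} as in the original
     * @param response the response, passed through unchanged
     * @param chain    the remaining filter chain
     * @throws IOException      propagated from the chain
     * @throws ServletException propagated from the chain
     * @see Filter#doFilter(ServletRequest, ServletResponse, FilterChain)
     */
    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest httpRequest = (HttpServletRequest) request;
        String requestUrl = httpRequest.getRequestURI();
        // Some special interface endpoints must not be processed by the cross-site-scripting tool
        if (isBypassed(requestUrl)) {
            chain.doFilter(request, response);
        } else {
            chain.doFilter(new ParkingXssHttpServletRequestWrapper(httpRequest), response);
        }
    }

    /**
     * Returns {@code true} when the URI fully matches one of the bypass patterns.
     * A {@code null} URI is never bypassed, i.e. the filter fails closed and sanitizes.
     *
     * @param requestUrl the request URI as returned by {@code getRequestURI()}
     * @return whether the request may skip the XSS wrapper
     */
    static boolean isBypassed(String requestUrl) {
        if (requestUrl == null) {
            return false;
        }
        for (Pattern bypass : BYPASS_PATTERNS) {
            if (bypass.matcher(requestUrl).matches()) {
                return true;
            }
        }
        return false;
    }

    /**
     * Stores the filter configuration.
     *
     * @param fConfig the container-supplied configuration
     * @throws ServletException never thrown here; declared by the interface
     * @see Filter#init(FilterConfig)
     */
    @Override
    public void init(FilterConfig fConfig) throws ServletException {
        this.filterConfig = fConfig;
    }
}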
///
import java.util.Collections;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.regex.Pattern;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
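/**
 * Request wrapper that sanitizes parameter values, the parameter map and single-valued headers
 * before handing them to the application.
 *
 * <p>Sanitization is a two-stage pass in {@link #cleanXSS(String)}: a regex block-list removes
 * script tags, {@code src=...} attributes, {@code eval(...)}, {@code expression(...)},
 * {@code javascript:} and {@code onload=} fragments, then the markup-significant characters
 * {@code < > ( ) '} are replaced by HTML entities. The original code encoded first and then ran
 * the block-list, which could never match once {@code <} had become {@code &lt;}; it also
 * contained self-replacements ({@code replaceAll("<", "<")}) and an empty-pattern NUL strip
 * ({@code replaceAll("", "")}) that were no-ops.
 *
 * <p>Limitations a maintainer should know about: a block-list is not a substitute for contextual
 * output encoding (the {@code StringEscapeUtils.escapeHtml4} hint in the original points the
 * same way); the entity pass does not encode {@code &} or {@code "}, so it is not a complete HTML
 * encoder; {@link #getHeaders(String)}, {@link #getQueryString()} and the request body are not
 * overridden and return raw values; and headers that legitimately contain the encoded characters
 * are returned in encoded form.
 */
public class ParkingXssHttpServletRequestWrapper extends HttpServletRequestWrapper {

    // Compiled once; Pattern is immutable and thread-safe, so per-call compilation was pure overhead.
    // Order matters only in that each pattern sees the output of the previous one.
    private static final Pattern[] BLOCK_LIST = {
        // Anything between script tags
        Pattern.compile("<script>(.*?)</script>", Pattern.CASE_INSENSITIVE),
        // Anything in a src='...' type of expression
        Pattern.compile("src[\r\n]*=[\r\n]*\\\'(.*?)\\\'",
                Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL),
        Pattern.compile("src[\r\n]*=[\r\n]*\\\"(.*?)\\\"",
                Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL),
        // Any lonesome </script> tag
        Pattern.compile("</script>", Pattern.CASE_INSENSITIVE),
        // Any lonesome <script ...> tag
        Pattern.compile("<script(.*?)>", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL),
        // eval(...) expressions (the original also ran a greedy, single-line duplicate of this; dropped)
        Pattern.compile("eval\\((.*?)\\)", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL),
        // expression(...) expressions
        Pattern.compile("expression\\((.*?)\\)", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL),
        // javascript:... expressions
        Pattern.compile("javascript:", Pattern.CASE_INSENSITIVE),
        // onload= expressions
        Pattern.compile("onload(.*?)=", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL)
    };

    /**
     * Wraps the given request.
     *
     * @param request the request to sanitize on read
     */
    public ParkingXssHttpServletRequestWrapper(HttpServletRequest request) {
        super(request);
    }

    /**
     * Returns the sanitized values of a multi-valued parameter.
     *
     * @param parameter the parameter name (not sanitized, as in the original)
     * @return the cleaned values, or {@code null} when the parameter is absent
     */
    @Override
    public String[] getParameterValues(String parameter) {
        String[] values = super.getParameterValues(parameter);
        if (values == null) {
            return null;
        }
        return cleanAll(values);
    }

    /**
     * Returns the sanitized value of a single parameter.
     *
     * @param parameter the parameter name
     * @return the cleaned value, or {@code null} when the parameter is absent
     */
    @Override
    public String getParameter(String parameter) {
        String value = super.getParameter(parameter);
        if (value == null) {
            return null;
        }
        return cleanXSS(value);
    }

    /**
     * Returns a sanitized copy of the whole parameter map. Without this override a caller using
     * {@code getParameterMap()} would read the raw, unsanitized values that
     * {@link #getParameter(String)} and {@link #getParameterValues(String)} clean.
     *
     * @return an unmodifiable map of cleaned values, or {@code null} if the wrapped request returns null
     */
    @Override
    public Map<String, String[]> getParameterMap() {
        Map<String, String[]> raw = super.getParameterMap();
        if (raw == null) {
            return null;
        }
        Map<String, String[]> cleaned = new LinkedHashMap<>();
        for (Map.Entry<String, String[]> entry : raw.entrySet()) {
            String[] values = entry.getValue();
            cleaned.put(entry.getKey(), values == null ? null : cleanAll(values));
        }
        // The servlet API specifies the parameter map as immutable
        return Collections.unmodifiableMap(cleaned);
    }

    /**
     * Returns the sanitized value of a single header.
     *
     * @param name the header name
     * @return the cleaned value, or {@code null} when the header is absent
     */
    @Override
    public String getHeader(String name) {
        String value = super.getHeader(name);
        if (value == null) {
            return null;
        }
        return cleanXSS(value);
    }

    /**
     * Applies {@link #cleanXSS(String)} to every element, leaving the input array untouched.
     *
     * @param values non-null array of values; individual elements may be null and are kept as null
     * @return a new array of the same length with cleaned elements
     */
    private static String[] cleanAll(String[] values) {
        String[] encodedValues = new String[values.length];
        for (int i = 0; i < values.length; i++) {
            encodedValues[i] = values[i] == null ? null : cleanXSS(values[i]);
        }
        return encodedValues;
    }

    /**
     * Removes NUL characters, strips the block-listed fragments and entity-encodes
     * {@code < > ( ) '}.
     *
     * @param value non-null raw value
     * @return the sanitized value
     */
    private static String cleanXSS(String value) {
        // Drop NUL characters first so they cannot split a token the block-list looks for
        String cleaned = value.replace("\0", "");
        for (Pattern blocked : BLOCK_LIST) {
            cleaned = blocked.matcher(cleaned).replaceAll("");
        }
        // Entity-encode last: encoding first would turn '<script>' into '&lt;script&gt;' and make
        // every block-list pattern above a no-op. Literal replace() needs no regex escaping.
        cleaned = cleaned.replace("<", "&lt;").replace(">", "&gt;");
        cleaned = cleaned.replace("(", "&#40;").replace(")", "&#41;");
        cleaned = cleaned.replace("'", "&#39;");
        return cleaned;
    }
}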
Servlet Filter 技术防止XSS攻击的过滤器例子