applicationContext.xml
Configure the aspect. The pointcut below matches every method of every class under the Service package and its subpackages, so the advice runs on calls with any argument shape (including no-argument methods) and must tolerate that.
<!-- Aspect bean: the advice class whose doAround() wraps every matched call -->
<bean id="dataIllegal" class="com.golden.msale.framework.aop.DataIllegalAop" />
<!-- AOP configuration -->
<aop:config>
<!-- Global pointcut that every proxy filter below refers to: all methods (any name,
     any parameters, any return type) of all classes in com.golden.msale.service and
     its subpackages. NOTE(review): the id says "dao" but the expression targets the
     service layer; the advice therefore also sees no-arg methods and arbitrary
     parameter types, not only String/Map. -->
<aop:pointcut expression="execution(* com.golden.msale.service..*.*(..))" id="daoPointcut"/>
<!-- Bind the plain bean to the pointcut so it acts as an aspect: doAround runs as
     around advice, i.e. it decides whether, and with which arguments, the target
     proceeds. NOTE(review): no aspect order is declared, so ordering relative to any
     transaction advice on the same beans is unspecified here; confirm before relying
     on rollback when doAround swallows an exception. -->
<aop:aspect id="dataSourceAspect" ref="dataIllegal">
<aop:around method="doAround" pointcut-ref="daoPointcut"/>
</aop:aspect>
</aop:config>
The around advice that runs for each matched service method (the `doAround` method referenced by the aspect configuration above).
public class DataIllegalAop {
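/**
 * Around advice for every method matched by the service pointcut.
 *
 * <p>Only the FIRST argument of the intercepted call is inspected:
 * <ul>
 *   <li>a {@code String} is rewritten through {@link #clearXss(String)} and the
 *       rewritten value is handed to the target via {@code proceed(Object[])};</li>
 *   <li>a {@code Map} has each non-null value checked against a SQL keyword
 *       blacklist (any hit aborts the call and returns {@code -3}), then rewritten in
 *       place through {@link #clearXss(String)};</li>
 *   <li>anything else (no arguments, {@code null}, other types) is left untouched.</li>
 * </ul>
 *
 * <p>Security note: the keyword blacklist is a heuristic, not a control. Substring
 * matching rejects legitimate data ("selected", "executive", "dropdown") and no
 * blacklist makes string-built SQL safe; the real control is parameterised queries
 * ({@code PreparedStatement} / mapper parameters) in the DAO layer. Likewise, input
 * mangling is not a substitute for contextual output encoding in the view.
 *
 * @param joinPoint the intercepted service call
 * @return the target method's return value, or {@code -3} when a blacklisted keyword is
 *         found in a map value or the target throws (NOTE(review): assumes the
 *         intercepted methods declare a return type that accepts an {@code Integer};
 *         otherwise the proxy's caller gets a {@code ClassCastException}; confirm)
 */
public Object doAround(ProceedingJoinPoint joinPoint) {
    Object[] args = joinPoint.getArgs();
    // The pointcut matches every service method, including no-arg ones: guard the index.
    if (args.length > 0 && args[0] != null) {
        Object first = args[0];
        if (first instanceof String) {
            // getArgs() returns a copy of the argument array, so writing into it only
            // takes effect because the modified array is passed to proceed(args) below.
            args[0] = clearXss((String) first);
        } else if (first instanceof Map) {
            // The map is the caller's own object, so entries are rewritten in place.
            @SuppressWarnings("unchecked")
            Map<String, Object> param = (Map<String, Object>) first;
            for (Map.Entry<String, Object> entry : param.entrySet()) {
                Object raw = entry.getValue();
                if (raw == null) {
                    continue; // nothing to inspect; the original would have thrown NPE here
                }
                String paramValue = raw.toString();
                if (containsSqlKeyword(paramValue)) {
                    return -3;
                }
                entry.setValue(clearXss(paramValue));
            }
        }
        // Other first-argument types are not inspected (the original cast would have thrown).
    }
    try {
        // Pass the (possibly rewritten) argument array explicitly.
        return joinPoint.proceed(args);
    } catch (Throwable throwable) {
        // NOTE(review): swallowing here hides failures from the caller and from any
        // outer transaction advice; kept only because callers appear to rely on -3.
        throwable.printStackTrace();
    }
    return -3;
}

/**
 * Case-insensitive substring check for the SQL keyword blacklist. The original check
 * was case-sensitive and therefore bypassed by {@code SELECT}; this is still only a
 * heuristic (see the caveat on {@link #doAround}).
 */
private static boolean containsSqlKeyword(String value) {
    String lower = value.toLowerCase(java.util.Locale.ROOT);
    return lower.contains("select")
            || lower.contains("delete")
            || lower.contains("update")
            || lower.contains("insert")
            || lower.contains("drop")
            || lower.contains("exec");
}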
// Neutralise characters commonly used in XSS payloads (heuristic input sanitiser; not a substitute for output encoding at the view)
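/**
 * Rewrites a string so that the characters commonly used in XSS payloads lose their
 * HTML/JS meaning. {@code null} and {@code ""} are returned unchanged.
 *
 * <p>Two fixes over the listed original: the delimiter replacements were identity
 * replacements ({@code replaceAll("<", "<")}) and so encoded nothing, and
 * {@code replace("\\)", ")")} looked for the literal two characters {@code \)}. The
 * delimiters are now HTML-entity encoded. The pattern strips run first: once
 * {@code (}, {@code )} and {@code '} are encoded, the {@code eval(...)} and
 * {@code javascript:} patterns could never match.
 *
 * <p>Caveats: this is lossy input mangling, not contextual output encoding. It is
 * case-sensitive ({@code JavaScript:} passes), deletes {@code script} even inside
 * words such as "description", and only covers the HTML-body context. Prefer encoding
 * at the output site (e.g. JSTL {@code fn:escapeXml} or the OWASP Java Encoder).
 *
 * @param value raw parameter value; may be {@code null}
 * @return the neutralised value
 */
private String clearXss(String value) {
    if (value == null || value.isEmpty()) {
        return value;
    }
    // 1. Strip obvious script constructs while the raw delimiters are still present.
    value = value.replaceAll("eval\\((.*)\\)", "");
    value = value.replaceAll("[\\\"\\\'][\\s]*javascript:(.*)[\\\"\\\']", "\"\"");
    value = value.replace("script", "");
    // 2. Entity-encode the delimiters. Plain replace(): these are literals, not regexes.
    value = value.replace("<", "&lt;").replace(">", "&gt;");
    value = value.replace("(", "&#40;").replace(")", "&#41;");
    value = value.replace("'", "&#39;");
    return value;
}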