一、新建一个过滤器
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import java.io.IOException;
public class XssFilter implements Filter {

    /** Stateless filter: there is no configuration to read. */
    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
    }

    /**
     * Hands the rest of the chain a {@link MyXssHttpServletRequestWrapper} in place of the
     * raw request, so that parameter reads further down the chain go through the wrapper's
     * overrides (per the accompanying description, getParameterMap replaces illegal
     * characters). The cast is deliberate: the filter is only meant for HTTP traffic, and a
     * non-HTTP request fails here with a ClassCastException rather than continuing unfiltered.
     *
     * @param servletRequest  the incoming request; expected to be an {@link HttpServletRequest}
     * @param servletResponse the response, passed through untouched
     * @param filterChain     the remainder of the filter chain
     * @throws IOException      propagated from the chain
     * @throws ServletException propagated from the chain
     */
    @Override
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
        HttpServletRequest httpRequest = (HttpServletRequest) servletRequest;
        ServletRequest sanitized = new MyXssHttpServletRequestWrapper(httpRequest);
        filterChain.doFilter(sanitized, servletResponse);
    }

    /** Nothing to release. */
    @Override
    public void destroy() {
    }
}
二、继承HttpServletRequestWrapper,重写方法getParameterMap,替换非法字符
package com.dawnpro.module.system.security.authentication.access;
import com.alibaba.fastjson.JSONObject;
import org.apache.commons.lang.StringUtils;
import org.springframework.util.CollectionUtils;
import org.springframework.web.servlet.HandlerMapping;
import javax.servlet.ReadListener;
import javax.servlet.ServletInputStream;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import java.io.BufferedReader;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStreamReader;
import java.nio.charset.Charset;
import java.util.*;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
public class MyXssHttpServletRequestWrapper extends HttpServletRequestWrapper {
// The unwrapped request as handed to the constructor (assigned there).
HttpServletRequest orgRequest= null;
// Request path -> parameter name whose value this wrapper does NOT sanitize.
// The admin back end uses a rich-text editor for these fields, so markup must be let through.
// Security note: values read from these parameters reach the application unfiltered, so they
// must be sanitized or encoded wherever they are stored or rendered. How the key is matched
// against the request path (exact vs. prefix) is decided in code outside this excerpt.
// Double-brace initialization creates an anonymous HashMap subclass that captures a reference
// to the enclosing wrapper instance; worth knowing if this map is ever shared or serialized.
HashMap<String, String> doNotFilterURLAndParamMap = new HashMap<String, String>() {
{
put("/api/v2/group/manage", "description");
put("/api/v1/sendNews", "content");
}
};
boolean isUpData = false;// true when the request is a file upload; uploads are skipped by the filter (assignment is outside this excerpt — TODO confirm)
public MyXssHttpServletRequestWrapper(HttpServletRequest servletRequest) {
super(servletRequest);
String contentType = servletRequest.getContentType ();
orgRequest=servletRequest;