配置 web.xml
<!-- Filters run in the order of their filter-mapping elements, so keep this mapping ahead of
     any filter that itself reads request parameters or the body, otherwise that filter sees the
     unfiltered values. The /* pattern applies the wrapper to every request, including static
     resources. -->
<filter>
    <filter-name>xssFilter</filter-name>
    <filter-class>com.wj.apps.base.filter.XssFilter</filter-class>
</filter>
<filter-mapping>
    <filter-name>xssFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
XssFilter类创建
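import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import java.io.IOException;

/**
 * Servlet filter that wraps every HTTP request in an {@link XssHttpServletRequestWrapper} so that
 * downstream code reads sanitized parameters, headers and JSON bodies.
 *
 * <p>Non-HTTP requests are passed down the chain unchanged; the original code cast every request
 * to {@link HttpServletRequest} and would have failed with a {@code ClassCastException} for any
 * other {@link ServletRequest} implementation.
 */
public class XssFilter implements Filter {

    private static final Log log = LogFactory.getLog(XssFilter.class);

    /**
     * Called once by the container; nothing is configured here yet.
     *
     * @param filterConfig container-supplied configuration (currently unused)
     * @throws ServletException never thrown by this implementation
     */
    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
        log.info("XssFilter Begin");
    }

    /**
     * Wraps HTTP requests in the sanitizing wrapper and continues the chain.
     *
     * @param request  incoming request; only {@link HttpServletRequest} instances are wrapped
     * @param response outgoing response, passed through untouched
     * @param chain    remaining filter chain
     * @throws IOException      propagated from the chain
     * @throws ServletException propagated from the chain
     */
    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        log.info("XssFilter doFilter Start");
        if (request instanceof HttpServletRequest) {
            // The wrapper is where the actual sanitizing happens; this filter only installs it.
            HttpServletRequest wrappedRequest =
                    new XssHttpServletRequestWrapper((HttpServletRequest) request);
            chain.doFilter(wrappedRequest, response);
        } else {
            // Nothing to sanitize for non-HTTP requests; do not break the chain for them.
            chain.doFilter(request, response);
        }
        // As before, this line is skipped when the chain throws.
        log.info("XssFilter doFilter End");
    }

    /** Called once by the container on shutdown; no resources to release. */
    @Override
    public void destroy() {
        log.info("XssFilter Destroyed");
    }
}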
实现方法
XssHttpServletRequestWrapper类创建
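import cn.hutool.http.HTMLFilter;
import org.apache.commons.io.IOUtils;
import org.apache.commons.lang.StringUtils;
import org.apache.http.HttpHeaders;
import org.springframework.http.MediaType;

import javax.servlet.ReadListener;
import javax.servlet.ServletInputStream;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import java.io.BufferedReader;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStreamReader;
import java.nio.charset.StandardCharsets;
import java.util.LinkedHashMap;
import java.util.Map;

/**
 * Request wrapper that runs parameters, single header lookups and JSON request bodies through
 * hutool's {@link HTMLFilter} before the application sees them.
 *
 * <p>Scope of the sanitizing, as implemented here:
 * <ul>
 *   <li>{@link #getParameter}, {@link #getParameterValues}, {@link #getParameterMap} — values
 *       are filtered; filtered copies are returned so the container's own arrays are never
 *       modified in place.</li>
 *   <li>{@link #getHeader} — the single-value lookup is filtered. {@code getHeaders} and
 *       {@code getHeaderNames} are not overridden and return the raw values.</li>
 *   <li>{@link #getInputStream} / {@link #getReader} — only when the Content-Type media type is
 *       {@code application/json} (parameters such as {@code ;charset=UTF-8} are ignored in the
 *       comparison). The body is read once, filtered, cached and can be re-read.</li>
 * </ul>
 * What {@code HTMLFilter} strips or encodes is defined by hutool; confirm it covers the markup,
 * attributes and URL schemes relevant to the application before relying on it as the only
 * output-encoding defence.
 */
public class XssHttpServletRequestWrapper extends HttpServletRequestWrapper {

    // One shared instance, as in the original; assumes HTMLFilter.filter is safe to call
    // concurrently — confirm against the hutool version in use.
    private static final HTMLFilter htmlFilter = new HTMLFilter();

    // Request as handed over by the container, before wrapping.
    private final HttpServletRequest orgRequest;

    // Filtered JSON body bytes (UTF-8); null until getInputStream()/getReader() first reads the body.
    private byte[] filteredBody;

    /**
     * @param request the container request to wrap
     */
    public XssHttpServletRequestWrapper(HttpServletRequest request) {
        super(request);
        orgRequest = request;
    }

    /** @return the unwrapped request this wrapper was created with */
    public HttpServletRequest getOrgRequest() {
        return orgRequest;
    }

    /**
     * Returns the filtered JSON body, or the untouched container stream for any other Content-Type.
     *
     * @return a re-readable in-memory stream for JSON bodies, otherwise {@code super.getInputStream()}
     * @throws IOException if the underlying body cannot be read
     */
    @Override
    public ServletInputStream getInputStream() throws IOException {
        if (!isJsonRequest()) {
            // Form posts, multipart and binary uploads are passed through untouched.
            return super.getInputStream();
        }
        return new ByteArrayServletInputStream(filteredJsonBody());
    }

    /**
     * Reader view of {@link #getInputStream()}, so consumers that prefer {@code getReader()} do not
     * bypass the body filtering.
     *
     * @return a reader over the filtered JSON body, otherwise {@code super.getReader()}
     * @throws IOException if the underlying body cannot be read
     */
    @Override
    public BufferedReader getReader() throws IOException {
        if (!isJsonRequest()) {
            return super.getReader();
        }
        // JSON is UTF-8 per RFC 8259, matching the charset used when the body was cached.
        return new BufferedReader(new InputStreamReader(getInputStream(), StandardCharsets.UTF_8));
    }

    /**
     * Filters a single parameter value. The name is filtered before lookup too (as in the
     * original), so a parameter whose name contains markup characters cannot be retrieved.
     *
     * @param name parameter name
     * @return the filtered value, or {@code null}/blank as returned by the container
     */
    @Override
    public String getParameter(String name) {
        String value = super.getParameter(xssFilter(name));
        if (StringUtils.isNotBlank(value)) {
            value = xssFilter(value);
        }
        return value;
    }

    /**
     * Filters every value of a multi-valued parameter.
     *
     * @param name parameter name
     * @return a new array of filtered values, or {@code null} when the parameter is absent or empty
     */
    @Override
    public String[] getParameterValues(String name) {
        String[] parameters = super.getParameterValues(name);
        if (parameters == null || parameters.length == 0) {
            return null;
        }
        return filterAll(parameters);
    }

    /**
     * Filters all parameter values into a fresh map.
     *
     * @return a new insertion-ordered map; the container's map and arrays are left unmodified
     */
    @Override
    public Map<String, String[]> getParameterMap() {
        Map<String, String[]> filtered = new LinkedHashMap<>();
        for (Map.Entry<String, String[]> entry : super.getParameterMap().entrySet()) {
            String[] values = entry.getValue();
            filtered.put(entry.getKey(), values == null ? null : filterAll(values));
        }
        return filtered;
    }

    /**
     * Filters a single header value. NOTE(review): this applies to every header, including
     * structured ones such as Cookie or Authorization — confirm HTMLFilter leaves those intact.
     *
     * @param name header name (filtered before lookup, as in the original)
     * @return the filtered value, or {@code null}/blank as returned by the container
     */
    @Override
    public String getHeader(String name) {
        String value = super.getHeader(xssFilter(name));
        if (StringUtils.isNotBlank(value)) {
            value = xssFilter(value);
        }
        return value;
    }

    /**
     * Unwraps a request if it is one of these wrappers.
     *
     * @param request any request
     * @return the original container request, or {@code request} itself when it is not wrapped
     */
    public static HttpServletRequest getOrgRequest(HttpServletRequest request) {
        if (request instanceof XssHttpServletRequestWrapper) {
            return ((XssHttpServletRequestWrapper) request).getOrgRequest();
        }
        return request;
    }

    // Whether the raw Content-Type header names application/json, ignoring any ;parameters.
    // super.getHeader is used deliberately so the filtered getHeader override does not affect this.
    private boolean isJsonRequest() {
        String contentType = super.getHeader(HttpHeaders.CONTENT_TYPE);
        if (contentType == null) {
            return false;
        }
        String mediaType = contentType.split(";", 2)[0].trim();
        return MediaType.APPLICATION_JSON_VALUE.equalsIgnoreCase(mediaType);
    }

    // Reads the container body once and caches its filtered form; a blank body is cached as empty.
    private byte[] filteredJsonBody() throws IOException {
        if (filteredBody == null) {
            String json = IOUtils.toString(super.getInputStream(), StandardCharsets.UTF_8.name());
            filteredBody = StringUtils.isBlank(json)
                    ? new byte[0]
                    : xssFilter(json).getBytes(StandardCharsets.UTF_8);
        }
        return filteredBody;
    }

    // Filters each element into a new array so the caller's array is not mutated.
    private String[] filterAll(String[] values) {
        String[] result = new String[values.length];
        for (int i = 0; i < values.length; i++) {
            result[i] = xssFilter(values[i]);
        }
        return result;
    }

    // Null-safe wrapper around HTMLFilter.filter.
    private String xssFilter(String input) {
        return input == null ? null : htmlFilter.filter(input);
    }

    /**
     * In-memory {@link ServletInputStream} over the cached body. Asynchronous read listeners are
     * not supported: {@link #setReadListener} is a no-op and {@link #isReady} is always true.
     */
    private static final class ByteArrayServletInputStream extends ServletInputStream {

        private final ByteArrayInputStream delegate;

        ByteArrayServletInputStream(byte[] body) {
            this.delegate = new ByteArrayInputStream(body);
        }

        @Override
        public boolean isFinished() {
            // Reports end of data honestly instead of the original's constant true.
            return delegate.available() == 0;
        }

        @Override
        public boolean isReady() {
            return true;
        }

        @Override
        public void setReadListener(ReadListener readListener) {
            // Data is fully in memory; no non-blocking callbacks are issued.
        }

        @Override
        public int read() {
            return delegate.read();
        }

        @Override
        public int read(byte[] b, int off, int len) {
            // Bulk read avoids the per-byte default loop in InputStream.
            return delegate.read(b, off, len);
        }

        @Override
        public int available() {
            return delegate.available();
        }
    }
}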
用到的包
javax.servlet-api-3.1.0.jar
hutool-http-4.6.17.jar