1. 编写过滤器filter
import java.io.IOException;
import java.util.List;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
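/**
 * Servlet filter that wraps every HTTP request in an
 * {@link XssHttpServletRequestWrapper} so that parameter and header values are
 * entity-encoded before the application reads them.
 * <p>
 * Requests whose servlet path is listed in {@link #setUrlExclusion(List)} are
 * passed down the chain unwrapped. The match is exact string equality against
 * {@link HttpServletRequest#getServletPath()}, so a trailing slash, a different
 * case or a path prefix does not match.
 */
public class XssFilter implements Filter
{
    /**
     * Configuration handed over by the container in {@link #init(FilterConfig)};
     * released again in {@link #destroy()}.
     */
    FilterConfig filterConfig = null;

    /**
     * Servlet paths that bypass the wrapper; {@code null} means nothing is excluded.
     */
    private List<String> urlExclusion = null;

    /**
     * Stores the filter configuration.
     *
     * @param filterConfig configuration supplied by the container
     * @throws ServletException never thrown here; declared by {@link Filter#init(FilterConfig)}
     */
    @Override
    public void init(FilterConfig filterConfig) throws ServletException
    {
        this.filterConfig = filterConfig;
    }

    /**
     * Drops the stored configuration.
     *
     * @see javax.servlet.Filter#destroy()
     */
    @Override
    public void destroy()
    {
        this.filterConfig = null;
    }

    /**
     * Passes excluded paths through untouched and wraps every other request.
     *
     * @param request  incoming request; must be an {@link HttpServletRequest}
     * @param response outgoing response, forwarded unchanged
     * @param chain    remaining filter chain
     * @throws IOException      propagated from the chain
     * @throws ServletException propagated from the chain
     * @throws ClassCastException if {@code request} is not an HTTP request
     */
    @Override
    public void doFilter(ServletRequest request, ServletResponse response,
            FilterChain chain) throws IOException, ServletException
    {
        // Cast once and reuse; the servlet path is what the exclusion list is matched against.
        HttpServletRequest httpRequest = (HttpServletRequest) request;
        String servletPath = httpRequest.getServletPath();
        boolean excluded = urlExclusion != null && urlExclusion.contains(servletPath);
        if (excluded)
        {
            chain.doFilter(request, response);
        }
        else
        {
            chain.doFilter(new XssHttpServletRequestWrapper(httpRequest), response);
        }
    }

    /**
     * Returns the configured exclusion list (the live reference, not a copy).
     *
     * @return excluded servlet paths, or {@code null} when none were set
     */
    public List<String> getUrlExclusion()
    {
        return urlExclusion;
    }

    /**
     * Sets the servlet paths that bypass the wrapper.
     *
     * @param urlExclusion servlet paths to pass through unwrapped; {@code null} clears the list
     */
    public void setUrlExclusion(List<String> urlExclusion)
    {
        this.urlExclusion = urlExclusion;
    }
}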
2. 自定义ServletRequest
import java.util.HashMap;
import java.util.Iterator;
import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
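/**
 * Request wrapper that entity-encodes the characters which could open an HTML tag,
 * attribute or script context ({@code < > " ' ( )}) in parameter values and in
 * single header values.
 * <p>
 * Only {@link #getParameter(String)}, {@link #getParameterValues(String)},
 * {@link #getParameterMap()} and {@link #getHeader(String)} are intercepted;
 * {@code getHeaders(String)}, {@code getQueryString()}, {@code getInputStream()}
 * and {@code getReader()} are not overridden and return the raw data. The encoding
 * is applied at input time and is context-blind, so it does not replace
 * context-aware output encoding in the view layer.
 */
public class XssHttpServletRequestWrapper extends HttpServletRequestWrapper
{
    /**
     * Wraps the given request.
     *
     * @param servletRequest request to wrap
     */
    public XssHttpServletRequestWrapper(HttpServletRequest servletRequest)
    {
        super(servletRequest);
    }

    /**
     * Returns the encoded values of a multi-valued parameter.
     *
     * @param parameter parameter name
     * @return a new array of encoded values, or {@code null} when the parameter is absent
     */
    @Override
    public String[] getParameterValues(String parameter)
    {
        return cleanAll(super.getParameterValues(parameter));
    }

    /**
     * Returns the encoded value of a single parameter.
     *
     * @param parameter parameter name
     * @return encoded value, or {@code null} when the parameter is absent
     */
    @Override
    public String getParameter(String parameter)
    {
        String value = super.getParameter(parameter);
        return value == null ? null : cleanXSS(value);
    }

    /**
     * Returns the encoded value of a request header.
     *
     * @param name header name
     * @return encoded header value, or {@code null} when the header is absent
     */
    @Override
    public String getHeader(String name)
    {
        String value = super.getHeader(name);
        return value == null ? null : cleanXSS(value);
    }

    /**
     * Returns a copy of the parameter map with every value encoded.
     * <p>
     * The container's map is typically unmodifiable and its {@code String[]}
     * values are the container's own arrays, so a fresh map with freshly
     * allocated arrays is built instead of writing encoded values back into the
     * arrays we were handed (which would alter what the wrapped request itself
     * reports to other filters).
     *
     * @return a new, mutable map of encoded parameter values
     */
    @Override
    public Map<String, String[]> getParameterMap()
    {
        Map<String, String[]> source = super.getParameterMap();
        Map<String, String[]> cleaned = new HashMap<String, String[]>();
        if (source == null)
        {
            return cleaned;
        }
        for (Map.Entry<String, String[]> entry : source.entrySet())
        {
            cleaned.put(entry.getKey(), cleanAll(entry.getValue()));
        }
        return cleaned;
    }

    /**
     * Encodes every element of a value array into a new array.
     *
     * @param values raw values; may be {@code null}, elements may be {@code null}
     * @return a new array of encoded values, or {@code null} when {@code values} is {@code null}
     */
    private String[] cleanAll(String[] values)
    {
        if (values == null)
        {
            return null;
        }
        String[] encoded = new String[values.length];
        for (int i = 0; i < values.length; i++)
        {
            encoded[i] = values[i] == null ? null : cleanXSS(values[i]);
        }
        return encoded;
    }

    /**
     * Replaces the characters that can open a tag, attribute or script context
     * with HTML entities.
     * <p>
     * {@link String#replace(CharSequence, CharSequence)} is a literal (non-regex)
     * substitution, so no escaping of the parentheses is needed. {@code &} is left
     * untouched, and no replacement output contains a character replaced by a
     * later step, so the order of the steps does not matter and the result is
     * the same whether the method is applied once or twice.
     * <p>
     * Earlier revisions emitted entities with a stray space ({@code "& lt;"}),
     * which browsers do not decode, and additionally deleted the substrings
     * {@code eval(...)}, {@code "javascript:..."} and {@code script}. The
     * {@code eval} pattern could never match because parentheses had already
     * been replaced, and the keyword deletion corrupted ordinary input such as
     * "description"; with the characters above encoded, no tag or quoted
     * attribute can be formed, so those removals were dropped in favour of
     * encoding only.
     *
     * @param value raw value, never {@code null}
     * @return the encoded value
     */
    private String cleanXSS(String value)
    {
        return value
                .replace("<", "&lt;")
                .replace(">", "&gt;")
                .replace("\"", "&#34;")
                .replace("'", "&#39;")
                .replace("(", "&#40;")
                .replace(")", "&#41;");
    }
}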
3. 配置拦截规则
/**
 * Registers {@link XssFilter} for every request path.
 * <p>
 * The two {@code /notice} paths are passed down the chain unwrapped; presumably
 * they accept rich-text content — confirm that those handlers encode or
 * sanitize it themselves.
 *
 * @return the registration bean mapping the filter to {@code /*}
 */
@Bean
public FilterRegistrationBean xssFilterRegistration()
{
    String[] bypassedPaths = {"/notice/update", "/notice/add"};
    XssFilter filter = new XssFilter();
    filter.setUrlExclusion(Arrays.asList(bypassedPaths));
    FilterRegistrationBean bean = new FilterRegistrationBean(filter);
    bean.addUrlPatterns("/*");
    return bean;
}