流程:
2、导入依赖hutool(提供一些Util工具类)
2、定义请求包装类继承HttpServletRequestWrapper对数据进行转义
3、创建过滤器,将请求拦截并使用自定义包装类覆盖原request
4、主类添加@ServletComponentScan扫描过滤器(@WebFilter)
1、
hutool提供一些工具类HtmlUtil、StrUtil
<dependency>
<groupId>cn.hutool</groupId>
<artifactId>hutool-all</artifactId>
<version>5.4.0</version>
</dependency>
2、MyXssHttpServletRequestWrapper
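/**
 * Request wrapper that strips HTML tags from request parameters, headers and
 * JSON request bodies before the application sees them, as a mitigation for
 * reflected/stored cross-site scripting (XSS).
 *
 * <p>All stripping is delegated to hutool's {@code HtmlUtil.filter}; this class
 * only decides which values are passed through it. Note that tag stripping is a
 * sanitiser, not an output encoder: views must still encode on render.
 *
 * <p>Only the parameter/header API and JSON object or array bodies are covered.
 * Bodies with a non-JSON content type (form posts, multipart uploads, raw text)
 * are handed through to the container untouched so they are not corrupted.
 * A JSON body is read once, filtered recursively (nested objects and arrays
 * included) and cached, so {@link #getInputStream()} and {@link #getReader()}
 * can be called more than once.
 */
public class MyXssHttpServletRequestWrapper extends HttpServletRequestWrapper {

    /** Charset used when the request does not declare a usable one. */
    private static final Charset DEFAULT_CHARSET = Charset.forName("UTF-8");

    /** Filtered JSON body bytes; {@code null} until the body is first read. */
    private byte[] cachedBody;

    /**
     * @param request the original request to wrap; must not be null
     */
    public MyXssHttpServletRequestWrapper(HttpServletRequest request) {
        super(request);
    }

    /**
     * Strips HTML tags from one value.
     *
     * @param value raw value, may be null or empty
     * @return the filtered value, or the input unchanged when null/empty
     */
    private static String clean(String value) {
        return StrUtil.hasEmpty(value) ? value : HtmlUtil.filter(value);
    }

    /**
     * Strips HTML tags from every element of an array, returning a new array so
     * the container's internal parameter storage is never mutated in place.
     *
     * @param values raw values, may be null
     * @return a filtered copy, or null when the input is null
     */
    private static String[] cleanAll(String[] values) {
        if (values == null) {
            return null;
        }
        String[] copy = new String[values.length];
        for (int i = 0; i < values.length; i++) {
            copy[i] = clean(values[i]);
        }
        return copy;
    }

    /** {@inheritDoc} Returned value has HTML tags removed. */
    @Override
    public String getParameter(String name) {
        return clean(super.getParameter(name));
    }

    /** {@inheritDoc} Returned values have HTML tags removed; the array is a copy. */
    @Override
    public String[] getParameterValues(String name) {
        return cleanAll(super.getParameterValues(name));
    }

    /**
     * {@inheritDoc}
     *
     * <p>Every value of every key is filtered (the original only filtered empty
     * values here, which left all real input unfiltered) and the result is a new
     * map holding copied arrays, so the container's map is not modified.
     */
    @Override
    public Map<String, String[]> getParameterMap() {
        Map<String, String[]> parameters = super.getParameterMap();
        Map<String, String[]> filtered = new LinkedHashMap<>(); // keep the container's ordering
        if (parameters != null) {
            for (Map.Entry<String, String[]> entry : parameters.entrySet()) {
                filtered.put(entry.getKey(), cleanAll(entry.getValue()));
            }
        }
        return filtered;
    }

    /** {@inheritDoc} Returned header value has HTML tags removed. */
    @Override
    public String getHeader(String name) {
        return clean(super.getHeader(name));
    }

    /**
     * {@inheritDoc}
     *
     * <p>For JSON requests the stream replays the filtered, cached body; for any
     * other content type the container's stream is returned unchanged.
     *
     * @throws IOException if the underlying body cannot be read
     */
    @Override
    public ServletInputStream getInputStream() throws IOException {
        if (!isJsonRequest()) {
            return super.getInputStream();
        }
        if (cachedBody == null) {
            cachedBody = filterJsonBody();
        }
        final ByteArrayInputStream res = new ByteArrayInputStream(cachedBody);
        return new ServletInputStream() {
            @Override
            public boolean isFinished() {
                // The previous implementation always returned false, which can make
                // containers/frameworks loop forever when checking for end of stream.
                return res.available() == 0;
            }

            @Override
            public boolean isReady() {
                return true; // data is fully in memory, never blocks
            }

            @Override
            public void setReadListener(ReadListener readListener) {
                // Blocking reads only; async read listeners are not supported by this wrapper.
            }

            @Override
            public int read() {
                return res.read();
            }

            @Override
            public int read(byte[] b, int off, int len) {
                return res.read(b, off, len);
            }
        };
    }

    /**
     * {@inheritDoc}
     *
     * <p>Overridden so code that reads the body through a reader (most JSON
     * message converters do) gets the same filtered body as {@link #getInputStream()}.
     *
     * @throws IOException if the underlying body cannot be read
     */
    @Override
    public BufferedReader getReader() throws IOException {
        if (!isJsonRequest()) {
            return super.getReader();
        }
        return new BufferedReader(new InputStreamReader(getInputStream(), charset()));
    }

    /** @return true when the declared content type mentions JSON. */
    private boolean isJsonRequest() {
        String contentType = super.getContentType();
        return contentType != null && StrUtil.containsIgnoreCase(contentType, "json");
    }

    /**
     * Resolves the request's declared charset, falling back to UTF-8 when it is
     * missing or not supported by this JVM.
     */
    private Charset charset() {
        String encoding = super.getCharacterEncoding();
        if (StrUtil.hasEmpty(encoding)) {
            return DEFAULT_CHARSET;
        }
        try {
            return Charset.forName(encoding);
        } catch (IllegalArgumentException unsupported) {
            // Illegal or unknown charset name in the request header; do not let
            // a malformed header break the filter, just decode as UTF-8.
            return DEFAULT_CHARSET;
        }
    }

    /**
     * Reads the whole body as text and, when it is a JSON object or array,
     * returns it re-serialised with every string value HTML-filtered. Bodies
     * that are blank or not a JSON object/array are returned byte-for-byte.
     *
     * @return the body bytes to serve to the application
     * @throws IOException if the underlying body cannot be read
     */
    private byte[] filterJsonBody() throws IOException {
        Charset cs = charset();
        StringBuilder body = new StringBuilder();
        // Read by char buffer rather than by line so line terminators are preserved.
        try (InputStream in = super.getInputStream();
             BufferedReader reader = new BufferedReader(new InputStreamReader(in, cs))) {
            char[] chunk = new char[4096];
            int n;
            while ((n = reader.read(chunk)) != -1) {
                body.append(chunk, 0, n);
            }
        }
        String raw = body.toString();
        String trimmed = raw.trim();
        Object parsed;
        if (trimmed.startsWith("{")) {
            parsed = JSONUtil.parseObj(trimmed);
        } else if (trimmed.startsWith("[")) {
            parsed = JSONUtil.parseArray(trimmed);
        } else {
            return raw.getBytes(cs); // not a JSON document: pass through unchanged
        }
        return JSONUtil.toJsonPrettyStr(cleanValue(parsed)).getBytes(cs);
    }

    /**
     * Recursively strips HTML from every string inside a parsed JSON value.
     * hutool's JSONObject implements Map and JSONArray implements List, so maps
     * and iterables are rebuilt with filtered contents; other scalars (numbers,
     * booleans, nulls) are returned as-is.
     *
     * @param value a parsed JSON value
     * @return the filtered equivalent
     */
    private static Object cleanValue(Object value) {
        if (value instanceof String) {
            return clean((String) value);
        }
        if (value instanceof Map) {
            Map<String, Object> out = new LinkedHashMap<>();
            for (Map.Entry<?, ?> entry : ((Map<?, ?>) value).entrySet()) {
                out.put(String.valueOf(entry.getKey()), cleanValue(entry.getValue()));
            }
            return out;
        }
        if (value instanceof Iterable) {
            java.util.List<Object> out = new java.util.ArrayList<>();
            for (Object item : (Iterable<?>) value) {
                out.add(cleanValue(item));
            }
            return out;
        }
        return value;
    }
}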
3、XssFilter
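/**
 * Servlet filter that wraps every HTTP request in {@link MyXssHttpServletRequestWrapper}
 * so downstream servlets and controllers only see HTML-stripped input.
 *
 * <p>Registered through {@code @WebFilter}; the application's main class must
 * carry {@code @ServletComponentScan} for the annotation to be discovered.
 */
@WebFilter(urlPatterns = "/*") // intercept every request path
public class XssFilter implements Filter {

    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
        // nothing to configure
    }

    /**
     * Replaces the request with the XSS-filtering wrapper and continues the chain.
     * Non-HTTP requests cannot be wrapped and are passed through unchanged instead
     * of failing with a {@code ClassCastException}.
     *
     * @param servletRequest  the incoming request
     * @param servletResponse the outgoing response, passed through untouched
     * @param filterChain     the remaining filter chain
     * @throws IOException      propagated from the chain
     * @throws ServletException propagated from the chain
     */
    @Override
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain)
            throws IOException, ServletException {
        ServletRequest toForward = servletRequest;
        if (servletRequest instanceof HttpServletRequest) {
            toForward = new MyXssHttpServletRequestWrapper((HttpServletRequest) servletRequest);
        }
        filterChain.doFilter(toForward, servletResponse);
    }

    @Override
    public void destroy() {
        // nothing to release
    }
}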