依赖Jar包,
<dependency><groupId>javax.servlet</groupId>
<artifactId>jstl</artifactId>
<version>1.2</version>
</dependency>
package com.utils;
import org.apache.taglibs.standard.tag.common.core.Util;
/**
* Created by wangxk on 2016/9/8.
*/
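/**
 * Output encoder for untrusted text that is inserted into HTML/XML.
 *
 * <p>{@link #escapeXml(String)} replaces the five characters {@code & < > " '}
 * with the entities {@code &amp; &lt; &gt; &#034; &#039;} — the same table that
 * JSTL's {@code org.apache.taglibs.standard.tag.common.core.Util} holds. The
 * table is duplicated here as a private constant instead of being read from
 * {@code Util.specialCharactersRepresentation}: that field is a public array, so
 * any code loaded into the JVM could overwrite an entry and silently disable the
 * escaper. With the table inlined this class no longer references the taglibs
 * {@code Util} class, so the import above and the jstl jar are not needed for it.
 *
 * <p>Context matters: this encoding is correct for HTML element content and for
 * attribute values quoted with {@code "} or {@code '}. It is NOT sufficient for
 * unquoted attributes, for text placed inside a {@code <script>} block or an
 * event-handler attribute, for URLs, or for CSS — each of those sinks needs its
 * own encoder.
 */
public class EscapeXssUtil {

    /** Largest character that has an entry in {@link #ESCAPES}. */
    private static final char HIGHEST_SPECIAL = '>';

    /**
     * Replacement text indexed by character; {@code null} means "emit as-is".
     * Private and final so the mapping cannot be altered at runtime.
     */
    private static final char[][] ESCAPES = new char[HIGHEST_SPECIAL + 1][];

    static {
        ESCAPES['&'] = "&amp;".toCharArray();
        ESCAPES['<'] = "&lt;".toCharArray();
        ESCAPES['>'] = "&gt;".toCharArray();
        ESCAPES['"'] = "&#034;".toCharArray();
        ESCAPES['\''] = "&#039;".toCharArray();
    }

    /**
     * Escapes {@code & < > " '} in {@code buffer} for safe inclusion in HTML
     * element content or a quoted attribute value.
     *
     * <p>Characters above {@code '>'} — which includes all non-ASCII text — are
     * copied through unchanged. When nothing needs escaping the input instance
     * itself is returned, so no allocation happens on the common path.
     *
     * @param buffer text to escape; may be {@code null}
     * @return the escaped text, or {@code ""} when {@code buffer} is {@code null}
     */
    public static String escapeXml(String buffer) {
        // Normalise null to "" up front. The previous guard combined the null
        // test with buffer.trim() using &&, so a null input threw NPE instead.
        if (buffer == null) {
            return "";
        }
        final int length = buffer.length();
        StringBuilder out = null; // allocated lazily, on the first special char
        int copied = 0;           // index of the first char not yet appended to out
        for (int i = 0; i < length; i++) {
            char c = buffer.charAt(i);
            if (c > HIGHEST_SPECIAL) {
                continue;
            }
            char[] replacement = ESCAPES[c];
            if (replacement == null) {
                continue;
            }
            if (out == null) {
                out = new StringBuilder(length + 16);
            }
            out.append(buffer, copied, i); // the unescaped run preceding c
            out.append(replacement);
            copied = i + 1;
        }
        if (out == null) {
            return buffer; // nothing was escaped
        }
        out.append(buffer, copied, length);
        return out.toString();
    }

    /** Manual check: prints the escaped form of a mixed CJK / markup string. */
    public static void main(String[] args) {
        String text = "中国人<?>'\"'\"";
        System.out.println(escapeXml(text));
    }
}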
commons-lang-2.6.jar 的 StringEscapeUtils 提供按输出上下文区分的转义方法（escapeHtml、escapeJavaScript 等）。它们不是通用的 "XSS 过滤器"：必须按数据最终写入的位置（HTML 文本、JS 字符串等）选用对应的一种，不能叠加调用；escapeSql 只是把单引号加倍，不是 SQL 注入防护，SQL 应使用 PreparedStatement：
import org.apache.commons.lang.StringEscapeUtils;
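/**
 * Escapes {@code escapeStr} for insertion into HTML element content or a
 * double-quoted HTML attribute — the XSS sink the method name refers to.
 *
 * <p>The previous body called escapeHtml, escapeSql and escapeJavaScript in
 * turn, but every call re-read the unescaped {@code escapeStr}, so only the
 * last (JavaScript) result was ever returned and the HTML escaping was lost.
 * Chaining encoders would be wrong anyway: output encoding is sink-specific.
 * Use {@code StringEscapeUtils.escapeJavaScript} for data placed inside a JS
 * string literal, and a {@code PreparedStatement} — not {@code escapeSql},
 * which merely doubles single quotes — for SQL.
 *
 * <p>NOTE(review): commons-lang 2.6 {@code escapeHtml} does not escape the
 * apostrophe, so the result is not safe inside single-quoted or unquoted
 * attributes; confirm every call site writes into element content or a
 * double-quoted attribute.
 *
 * @param escapeStr raw, possibly untrusted text; may be {@code null}
 * @return the HTML-escaped text, or {@code null} when {@code escapeStr} is
 *     {@code null} (unchanged from the original contract)
 */
public static String escapeXss(String escapeStr) {
    if (escapeStr == null) {
        return null;
    }
    return StringEscapeUtils.escapeHtml(escapeStr);
}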