1.首先编写过滤器
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
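/**
 * Servlet filter that wraps every incoming HTTP request in an {@code XSSRequestWrapper}
 * so that single parameter values and header values read downstream have a fixed set of
 * characters removed (see {@code XSSRequestWrapper#stripXSS}).
 *
 * <p>Scope: the wrapper covers {@code getParameter}, {@code getParameterValues} and
 * {@code getHeader} only; {@code getParameterMap}, {@code getHeaders}, the query string
 * and the request body pass through untouched. Character stripping on input is a
 * best-effort measure and does not replace context-aware output encoding at render time.
 */
public class XSSFilter implements Filter {

    /** The filter holds no state, so there is nothing to initialise. */
    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
        // intentionally empty
    }

    /** No resources are held, so there is nothing to release. */
    @Override
    public void destroy() {
        // intentionally empty
    }

    /**
     * Hands the request down the chain wrapped in an {@code XSSRequestWrapper}.
     *
     * <p>Only HTTP requests can be wrapped; any other {@link ServletRequest} is passed on
     * unchanged rather than failing with a {@link ClassCastException} on the cast.
     *
     * @param request  the incoming request
     * @param response the outgoing response
     * @param chain    the remaining filter chain
     * @throws IOException      propagated from the chain
     * @throws ServletException propagated from the chain
     */
    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        if (request instanceof HttpServletRequest) {
            chain.doFilter(new XSSRequestWrapper((HttpServletRequest) request), response);
        } else {
            // Not an HTTP request: nothing to sanitise.
            chain.doFilter(request, response);
        }
    }
}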
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import java.util.regex.Pattern;
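/**
 * {@link HttpServletRequestWrapper} that removes a fixed set of characters from single
 * parameter values and header values before application code sees them.
 *
 * <p>Covered: {@link #getParameter}, {@link #getParameterValues}, {@link #getHeader}.
 * Not covered (returned exactly as the container delivers them): {@code getParameterMap},
 * {@code getHeaders}, {@code getQueryString}, cookies and the request body. Names listed in
 * {@link #NO_CHECK_PARAMETERS} are exempt.
 *
 * <p>The stripping is a character blacklist ({@code %}, {@code <}, {@code >}, {@code "} and
 * literal single-line {@code <script>...</script>} blocks); it is not context-aware escaping,
 * so output encoding at render time is still required. Because header values are rewritten
 * too, headers whose syntax legitimately contains those characters (quoted ETags in
 * {@code If-None-Match}, percent-encoded URLs in {@code Referer}) are altered.
 */
public class XSSRequestWrapper extends HttpServletRequestWrapper {

    /**
     * Matches a literal {@code <script>} element; no DOTALL flag, so {@code .} does not
     * cross line breaks. Compiled once instead of on every call.
     */
    private static final Pattern SCRIPT_BLOCK =
            Pattern.compile("<script>(.*?)</script>", Pattern.CASE_INSENSITIVE);

    /** Characters removed outright from every checked value. */
    private static final Pattern FORBIDDEN_CHARS = Pattern.compile("[%<>\"]+");

    /** Parameter and header names whose values are returned unmodified. */
    private static final String[] NO_CHECK_PARAMETERS = { "content", "otherName" };

    /**
     * @param servletRequest the request to wrap
     */
    public XSSRequestWrapper(HttpServletRequest servletRequest) {
        super(servletRequest);
    }

    /**
     * Returns the stripped values of a multi-valued parameter.
     *
     * @param parameter the parameter name
     * @return a new array of stripped values, or {@code null} when the parameter is absent;
     *         the delegate's array is never modified
     */
    @Override
    public String[] getParameterValues(String parameter) {
        String[] values = super.getParameterValues(parameter);
        if (values == null) {
            return null;
        }
        String[] stripped = new String[values.length];
        for (int i = 0; i < values.length; i++) {
            stripped[i] = stripXSS(values[i], parameter);
        }
        return stripped;
    }

    /**
     * @param parameter the parameter name
     * @return the stripped single value, or {@code null} when absent
     */
    @Override
    public String getParameter(String parameter) {
        return stripXSS(super.getParameter(parameter), parameter);
    }

    /**
     * @param name the header name
     * @return the stripped header value, or {@code null} when absent
     */
    @Override
    public String getHeader(String name) {
        return stripXSS(super.getHeader(name), name);
    }

    /**
     * Removes {@code <script>...</script>} blocks and the characters {@code % < > "} from
     * {@code value} unless {@code parameter} is exempt.
     *
     * @param value     the raw value; may be {@code null}
     * @param parameter the parameter or header name the value belongs to; may be {@code null}
     * @return the stripped value, the original value for exempt names, or {@code null} when
     *         {@code value} is {@code null}
     */
    private String stripXSS(String value, String parameter) {
        if (value == null || !getNoCheckParameter(parameter)) {
            return value;
        }
        String withoutScript = SCRIPT_BLOCK.matcher(value).replaceAll("");
        return FORBIDDEN_CHARS.matcher(withoutScript).replaceAll("");
    }

    /**
     * Tells whether a parameter or header name is subject to stripping.
     *
     * @param parameter the name to look up; {@code null} is never exempt
     * @return {@code true} when the value must be stripped, {@code false} when the name is
     *         listed in {@link #NO_CHECK_PARAMETERS}
     */
    private boolean getNoCheckParameter(String parameter) {
        for (String exempt : NO_CHECK_PARAMETERS) {
            // exempt.equals(...) rather than parameter.equals(...) so a null name cannot throw
            if (exempt.equals(parameter)) {
                return false;
            }
        }
        return true;
    }
}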
2.web.xml中配置过滤器
<!-- XSS mitigation: maps XSSFilter to every URL so each request is wrapped in
     XSSRequestWrapper. filter-class must be the fully qualified name of XSSFilter;
     the Java listing above shows no package declaration, so confirm that com.util
     is the package the class is actually compiled into. -->
<filter>
<filter-name>xssFilter</filter-name>
<filter-class>com.util.XSSFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>xssFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
3.spring注解形式
import org.springframework.boot.web.servlet.FilterRegistrationBean;
import org.springframework.context.annotation.Bean;
import org.springframework.core.annotation.Order;
import org.springframework.stereotype.Component;
import javax.servlet.Filter;
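/**
 * Registers {@link XSSFilter} with the embedded servlet container for every URL.
 *
 * <p>The filter is exposed both as a plain {@link Filter} bean named {@code "XSSFilter"}
 * and through a {@link FilterRegistrationBean} that fixes its URL pattern, name and order.
 * The order is set on the registration bean with {@code setOrder}: the registration bean
 * implements {@code Ordered}, and Spring sorts such beans by {@code getOrder()} before
 * looking at any {@code @Order} annotation on the factory method.
 */
@Component
public class XSSFilterRegistration {

    /**
     * Builds the registration for the XSS filter.
     *
     * @return a registration mapping {@link XSSFilter} to {@code /*} with the lowest
     *         precedence, i.e. it runs after filters registered with a smaller order value
     */
    @Bean
    public FilterRegistrationBean xssFilterRegistration() {
        // Raw type kept so the listing compiles on Spring Boot versions where
        // FilterRegistrationBean is not generic.
        FilterRegistrationBean registration = new FilterRegistrationBean();
        registration.setFilter(XSSFilter());
        registration.addUrlPatterns("/*");
        // Integer.MAX_VALUE is the lowest precedence; this is the setting the commented-out
        // setOrder call and the @Order annotation were both trying to express.
        registration.setOrder(Integer.MAX_VALUE);
        registration.setName("XSSFilter");
        return registration;
    }

    /**
     * Exposes the filter instance as a bean so it can be injected elsewhere.
     *
     * @return a new {@link XSSFilter}
     */
    @Bean(name = "XSSFilter")
    public Filter XSSFilter() {
        return new XSSFilter();
    }
}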