使用antisamy来过滤参数值,过滤到可疑的html及script标签,
过滤器XSSFilter源码如下;
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
public class XSSFilter implements Filter {
@Override
public void init(FilterConfig filterConfig) throws ServletException {
}
@Override
public void doFilter(ServletRequest request, ServletResponse response,
FilterChain chain) throws IOException, ServletException {
chain.doFilter(new XSSRequestWrapper((HttpServletRequest) request), response);
}
@Override
public void destroy() {
}
}
import java.io.UnsupportedEncodingException;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import org.owasp.validator.html.AntiSamy;
import org.owasp.validator.html.CleanResults;
import org.owasp.validator.html.Policy;
import org.owasp.validator.html.PolicyException;
import org.owasp.validator.html.ScanException;
public class XSSRequestWrapper extends HttpServletRequestWrapper {
private static Policy antiSamyPolicy;
private static AntiSamy antiSamy;
public XSSRequestWrapper(HttpServletRequest request) {
super(request);
}
@Override
public Map<String, String[]> getParameterMap() {
Map<String, String[]> request_map = super.getParameterMap();
Iterator<Map.Entry<String, String[]>> iterator = request_map.entrySet().iterator();
System.out.println("request_map" + request_map.size());
while (iterator.hasNext()) {
Map.Entry<String, String[]> me = (Map.Entry<String, String[]>) iterator.next();
String[] values = (String[]) me.getValue();
for (int i = 0; i < values.length; i++) {
System.out.println(values[i]);
values[i] = stripXSS(values[i]);
System.out.println(values[i]);
}
}
return request_map;
}
@Override
public String[] getParameterValues(String parameter) {
String[] values = super.getParameterValues(parameter);
if (values == null) {
return null;
}
int count = values.length;
String[] encodedValues = new String[count];
for (int i = 0; i < count; i++) {
encodedValues[i] = stripXSS(values[i]);
}
return encodedValues;
}
@Override
public String getParameter(String parameter) {
String value = super.getParameter(parameter);
return stripXSS(value);
}
@Override
public String getHeader(String name) {
String value = super.getHeader(name);
return stripXSS(value);
}
private String stripXSS(String value){
//System.setProperty("org.owasp.esapi.resources", "D:/workspaceZookeeperGui/RSSgj/src");
if (value != null) {
try {
if(antiSamyPolicy==null){
antiSamyPolicy = Policy.getInstance(XSSRequestWrapper.class.getClassLoader().getResourceAsStream("antisamy-slashdot-1.4.4.xml"));
antiSamy= new AntiSamy();
}
CleanResults test = antiSamy.scan(value, antiSamyPolicy);
List<String> errors = test.getErrorMessages();
if(errors.size()>0){
System.out.println(new String(errors.toString().getBytes("iso-8859-1"),"utf-8"));
value=test.getCleanHTML();
}
} catch (PolicyException | ScanException | UnsupportedEncodingException e1) {
// TODO Auto-generated catch block
e1.printStackTrace();
}
}
return value;
}
}
在web.xml里配置过滤器,添加如下:
<!-- XSS拦截 -->
<filter>
<filter-name>XSSFilter</filter-name>
<filter-class>com.cn.common.filter.XSSFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>XSSFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
参考:http://www.2cto.com/article/201410/342040.html