import java.io.InputStream;
import java.util.Iterator;
import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import org.apache.commons.lang3.StringEscapeUtils;
import org.owasp.validator.html.AntiSamy;
import org.owasp.validator.html.CleanResults;
import org.owasp.validator.html.Policy;
import org.owasp.validator.html.PolicyException;
import org.owasp.validator.html.ScanException;
public class XssRequestWrapper extends HttpServletRequestWrapper {
public XssRequestWrapper(HttpServletRequest request) {
super(request);
}
private static Policy policy = null;
static {
// String path =
// URLUtility.getClassPath(XssRequestWrapper.class)+File.separator+"antisamy-anythinggoes-1.4.4.xml";
// String path
// =XssRequestWrapper.class.getClassLoader().getResource("antisamy-config.xml").getFile();
// System.out.println("policy_filepath:"+path);
InputStream is = XssRequestWrapper.class.getClassLoader()
.getResourceAsStream("antisamy-config.xml");
// if(path.startsWith("file")){
// path = path.substring(6);
// }
try {
policy = Policy.getInstance(is);
} catch (PolicyException e) {
e.printStackTrace();
}
}
@SuppressWarnings({ "rawtypes", "unchecked" })
public Map<String,String[]> getParameterMap(){
Map<String,String[]> request_map = super.getParameterMap();
Iterator iterator = request_map.entrySet().iterator();
while(iterator.hasNext()){
Map.Entry me = (Map.Entry)iterator.next();
//System.out.println(me.getKey()+":");
String[] values = (String[])me.getValue();
for(int i = 0 ; i < values.length ; i++){
// System.out.println(values[i]);
values[i] = xssClean(values[i]);
}
}
return request_map;
}
@SuppressWarnings({ "rawtypes", "unchecked" })
public String getParameter(String name) {
String v = super.getParameter(name);
if (v == null)
return null;
return xssClean(v);
}
@SuppressWarnings({ "rawtypes", "unchecked" })
public String[] getParameterValues(String name) {
String[] v = super.getParameterValues(name);
if (v == null || v.length == 0)
return v;
for (int i = 0; i < v.length; i++) {
v[i] = xssClean(v[i]);
}
return v;
}
private String xssClean(String value) {
AntiSamy antiSamy = new AntiSamy();
try {
// CleanResults cr = antiSamy.scan(dirtyInput, policyFilePath);
final CleanResults cr = antiSamy.scan(value, policy);
// 安全的HTML输出
// return cr.getCleanHTML();
// String str = StringEscapeUtils.escapeHtml4(cr.getCleanHTML());
// str.replaceAll((antiSamy.scan(" ", policy)).getCleanHTML(), "");
String str = cr.getCleanHTML();
return str;
} catch (ScanException e) {
e.printStackTrace();
} catch (PolicyException e) {
e.printStackTrace();
}
return value;
}
}
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
public class XssFilter implements Filter {
@SuppressWarnings("unused")
private FilterConfig filterConfig;
public void destroy() {
this.filterConfig = null;
}
public void doFilter(ServletRequest request, ServletResponse response,
FilterChain chain) throws IOException, ServletException {
chain.doFilter(new XssRequestWrapper((HttpServletRequest) request), response);
}
public void init(FilterConfig filterConfig) throws ServletException {
this.filterConfig = filterConfig;
}
}