- 自定义XssRequestWrapper继承HttpServletRequestWrapper
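package com.workflow.base.filter;

import org.apache.commons.lang.StringUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import java.io.File;
import java.io.InputStream;
import java.io.UnsupportedEncodingException;
import java.net.URLDecoder;
import java.util.Collections;
import java.util.HashMap;
import java.util.Iterator;
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/**
 * XSS request wrapper (PC side).
 *
 * <p>Overrides the parameter accessors of the wrapped request so that every parameter value
 * handed to the application has {@code <script>} blocks, {@code <style>} blocks and then any
 * remaining HTML tags removed by regular expression. Header values are NOT filtered (see
 * {@link #getHeader(String)}).
 *
 * <p>NOTE(review): tag stripping on input is a coarse, lossy filter — it mangles legitimate
 * input containing {@code <} and does not address contexts such as attribute values or
 * JavaScript strings. Output encoding at render time remains the primary XSS control; this
 * wrapper is defence in depth only. A SQL-keyword blacklist that used to be declared in this
 * class was never applied anywhere and has been dropped; SQL injection is prevented by
 * parameterized queries in the data layer, not here.
 *
 * @author wangwq
 */
public class XssRequestWrapper extends HttpServletRequestWrapper {

    private static final Logger logger = LoggerFactory.getLogger(XssRequestWrapper.class);

    /** Devtool "serialize" parameter that {@link #getParameterMap()} deliberately leaves untouched. */
    private static final String SERIALIZE_PARAM = "serialize";

    private static final String regEx_script = "<script[^>]*?>[\\s\\S]*?<\\/script>"; // script block
    private static final String regEx_style = "<style[^>]*?>[\\s\\S]*?<\\/style>";   // style block
    private static final String regEx_html = "<[^>]+>";                              // any remaining tag

    // Compiled once: the original compiled all three patterns on every parameter read.
    private static final Pattern SCRIPT_TAG = Pattern.compile(regEx_script, Pattern.CASE_INSENSITIVE);
    private static final Pattern STYLE_TAG = Pattern.compile(regEx_style, Pattern.CASE_INSENSITIVE);
    private static final Pattern HTML_TAG = Pattern.compile(regEx_html, Pattern.CASE_INSENSITIVE);

    public XssRequestWrapper(HttpServletRequest request) {
        super(request);
    }

    /**
     * Returns the parameter's values with each value passed through {@link #xssClean(String)}.
     *
     * @param name parameter name
     * @return a new, cleaned array, or {@code null} when the parameter is absent
     * @author wangwq
     * @updateAuthor: wangwq
     * @updateDate 2020/2/19 22:11
     * @date 2020/2/19 22:11
     */
    @Override
    public String[] getParameterValues(String name) {
        String[] values = super.getParameterValues(name);
        if (values == null) {
            return null;
        }
        return cleanAll(values);
    }

    /**
     * Returns the parameter's first value passed through {@link #xssClean(String)}.
     *
     * @param name parameter name
     * @return the cleaned value, or {@code null} when the parameter is absent
     * @author wangwq
     * @updateAuthor: wangwq
     * @updateDate 2020/2/19 22:10
     * @date 2020/2/19 22:10
     */
    @Override
    public String getParameter(String name) {
        String value = super.getParameter(name);
        return value == null ? null : xssClean(value);
    }

    /**
     * Passes the header through unchanged. Header values are intentionally not filtered here;
     * any header reflected into a response must be encoded at the point of output.
     *
     * @param name header name
     * @return the raw header value from the wrapped request
     * @author wangwq
     * @updateAuthor: wangwq
     * @updateDate 2020/2/19 22:12
     * @date 2020/2/19 22:12
     */
    @Override
    public String getHeader(String name) {
        return super.getHeader(name);
    }

    /**
     * Returns a cleaned copy of the parameter map (used for POST parameters).
     *
     * <p>Every value except those of the devtool {@code serialize} parameter is passed through
     * {@link #xssClean(String)}. Unlike the previous implementation, the wrapped request's own
     * arrays are copied rather than modified in place, so the underlying request is not mutated
     * and the returned map is read-only, as the Servlet API specifies for this method.
     *
     * @return an unmodifiable map of parameter name to cleaned values
     * @author wangwq
     * @updateAuthor: wangwq
     * @updateDate 2020/2/19 22:13
     * @date 2020/2/19 22:13
     */
    @Override
    public Map<String, String[]> getParameterMap() {
        Map<String, String[]> original = super.getParameterMap();
        if (original == null) {
            return Collections.emptyMap();
        }
        Map<String, String[]> cleaned = new HashMap<>(original.size());
        for (Map.Entry<String, String[]> entry : original.entrySet()) {
            String name = entry.getKey();
            String[] values = entry.getValue();
            // Leave the devtool "serialize" payload intact; filter everything else.
            if (values == null || SERIALIZE_PARAM.equalsIgnoreCase(name)) {
                cleaned.put(name, values);
            } else {
                cleaned.put(name, cleanAll(values));
            }
        }
        return Collections.unmodifiableMap(cleaned);
    }

    /**
     * Cleans every element of {@code values} into a fresh array; the input array is not touched.
     */
    private static String[] cleanAll(String[] values) {
        String[] copy = new String[values.length];
        for (int i = 0; i < values.length; i++) {
            copy[i] = xssClean(values[i]);
        }
        return copy;
    }

    /**
     * Filters a single value.
     *
     * @param taintedHTML the raw value (may be {@code null})
     * @return the value with script/style blocks and HTML tags removed
     * @author wangwq
     * @updateAuthor: wangwq
     * @updateDate 2020/2/5 17:06
     * @date 2020/2/5 17:06
     */
    private static String xssClean(String taintedHTML) {
        return delHTMLTag(taintedHTML);
    }

    /**
     * Removes script blocks, then style blocks, then any remaining HTML tags from the string.
     * The three passes are applied in that order so a tag's body is dropped together with the
     * tag, not just the tag markers.
     *
     * @param htmlStr the string to strip; blank or {@code null} input is returned as-is
     * @return the stripped string
     * @author LongJin
     */
    public static String delHTMLTag(String htmlStr) {
        if (!StringUtils.isNotBlank(htmlStr)) {
            return htmlStr;
        }
        String result = SCRIPT_TAG.matcher(htmlStr).replaceAll("");
        result = STYLE_TAG.matcher(result).replaceAll("");
        result = HTML_TAG.matcher(result).replaceAll("");
        return result;
    }
}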
- 自定义XssFilter
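package com.workflow.base.filter;

import com.workflow.constant.LoginConst;
import com.workflow.util.DateUtil;

import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import java.io.IOException;
import java.util.Date;

/**
 * XSS (Cross Site Scripting) filter.
 *
 * <p>Wraps every HTTP request in an {@link XssRequestWrapper} (or {@link MXssRequestWrapper}
 * when the context path marks a mobile deployment) so that parameter reads downstream return
 * tag-stripped values. Requests that are not {@link HttpServletRequest}s are passed through
 * unchanged instead of failing with a {@code ClassCastException}.
 *
 * <p>NOTE(review): the {@code encoding} init-param declared for this filter in web.xml is never
 * read here; request encoding has to be set elsewhere if that was the intent.
 *
 * @author wangwq
 */
public class XssFilter implements Filter {

    @SuppressWarnings("unused")
    private FilterConfig filterConfig;

    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
        // Kept only for reference; no init-param is consulted.
        this.filterConfig = filterConfig;
    }

    /**
     * Wraps the request for parameter filtering and continues the chain.
     *
     * @param request  incoming request
     * @param response outgoing response (untouched)
     * @param chain    remaining filter chain
     * @throws IOException      propagated from the chain
     * @throws ServletException propagated from the chain
     */
    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        // Date string for page scripts — presumably used as a cache-busting js parameter; verify against the views.
        request.setAttribute("js_sysdate", DateUtil.convertDate2String(new Date(), DateUtil.YYYY_MM_DD));

        if (!(request instanceof HttpServletRequest)) {
            // Nothing to sanitise on a non-HTTP request; do not break the chain.
            chain.doFilter(request, response);
            return;
        }
        HttpServletRequest httpRequest = (HttpServletRequest) request;
        HttpServletRequestWrapper wrapped = isMobileContext(httpRequest)
                ? new MXssRequestWrapper(httpRequest)
                : new XssRequestWrapper(httpRequest);
        chain.doFilter(wrapped, response);
    }

    /** True when the servlet context path contains the configured mobile marker. */
    private static boolean isMobileContext(HttpServletRequest request) {
        String contextPath = request.getContextPath();
        return contextPath != null && contextPath.contains(LoginConst.MOBILE_CONTEXT_PATH);
    }

    @Override
    public void destroy() {
        this.filterConfig = null;
    }
}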
- web.xml配置XssFilter
<!-- Register XssFilter.
     This declares the filter only: a matching <filter-mapping> with a <url-pattern> is still
     required for it to be applied to requests.
     The "encoding" init-param below is not read by com.workflow.base.filter.XssFilter. -->
<filter>
    <filter-name>XSSFilter</filter-name >
    <filter-class>com.workflow.base.filter.XssFilter</filter-class >
    <init-param>
        <param-name>encoding</param-name>
        <param-value>UTF-8</param-value>
    </init-param>
</filter>
xss跨站脚本过滤