XSS跨站脚本过滤器

1. 在 web.xml 中配置过滤器，拦截所有请求（项目中用于通过安全扫描）

<!-- Registers the filter implemented in section 2 (com.sunrise.grid.utils.XssFilter);
     the filter-class value must match that class's package and name exactly. -->
<filter>
<filter-name>XssFilter</filter-name>
<filter-class>com.sunrise.grid.utils.XssFilter</filter-class>
</filter>
<!-- "/*" applies the filter to every request path. No <dispatcher> element is given,
     so the container default applies (REQUEST dispatches only, not FORWARD/INCLUDE/ERROR). -->
<filter-mapping>
<filter-name>XssFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>


2、过滤器的具体实现代码如下（实现类）：

package com.sunrise.grid.utils;


import java.io.IOException;

import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.web.filter.OncePerRequestFilter;
import org.springframework.web.multipart.MultipartHttpServletRequest;
import org.springframework.web.multipart.commons.CommonsMultipartResolver;


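/**
 * Global XSS filter: wraps every request in an {@link XssRequestWrapper} so that
 * parameter and header values read through the servlet API are HTML-escaped.
 *
 * <p>Multipart requests are parsed here (rather than later by the DispatcherServlet) so
 * that the form fields of a file upload are visible to the wrapper as ordinary
 * parameters. Because this filter performs the multipart resolution, it is also the
 * component responsible for releasing the resolver's temporary upload files once the
 * rest of the chain has completed.
 */
public class XssFilter extends OncePerRequestFilter {

    private static final String MULTIPART_PREFIX = "multipart/";

    // NOTE(review): no upload limits are configured on this resolver (e.g.
    // setMaxUploadSize / setMaxInMemorySize), so a multipart body of any size is
    // buffered to memory/temp files before the wrapped request is handed on — confirm
    // that limits appropriate for the deployment are set.
    private final CommonsMultipartResolver multipartResolver = new CommonsMultipartResolver();

    /**
     * Resolves a multipart body if present, then continues the chain with the request
     * wrapped for escaping.
     *
     * @param request the incoming request
     * @param response the response, passed through untouched
     * @param filterChain the remaining filter chain
     * @throws ServletException if the rest of the chain fails
     * @throws IOException if the rest of the chain fails with an I/O error
     */
    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain)
            throws ServletException, IOException {
        HttpServletRequest toWrap = request;
        MultipartHttpServletRequest multipartRequest = null;
        if (isMultipartContent(request.getContentType())) { // file upload: parse the body first
            multipartRequest = multipartResolver.resolveMultipart(request);
            toWrap = multipartRequest;
        }
        try {
            filterChain.doFilter(new XssRequestWrapper(toWrap), response);
        } finally {
            // The resolver may spill uploaded parts to temp files. Nothing downstream
            // owns that request, so delete them here regardless of how the chain
            // finished; otherwise failed or aborted uploads leak disk space.
            if (multipartRequest != null) {
                multipartResolver.cleanupMultipart(multipartRequest);
            }
        }
    }

    /**
     * Returns whether a Content-Type header value denotes a multipart body.
     *
     * <p>The media type is compared case-insensitively (HTTP media types are not
     * case-sensitive); a case-sensitive prefix check would let a request such as
     * {@code MULTIPART/form-data} skip resolution here and be parsed later without the
     * wrapper ever seeing its form fields.
     *
     * @param contentType the request's Content-Type value, possibly {@code null}
     * @return {@code true} for any {@code multipart/*} content type
     */
    private static boolean isMultipartContent(String contentType) {
        return contentType != null
                && contentType.regionMatches(true, 0, MULTIPART_PREFIX, 0, MULTIPART_PREFIX.length());
    }

}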



3、拦截器的具体处理代码如下（拦截器处理类）：

package com.sunrise.grid.utils;


import java.util.HashMap;
import java.util.Iterator;
import java.util.Map;


import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;


import org.springframework.web.util.HtmlUtils;


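/**
 * Request wrapper that HTML-escapes parameter values and single-valued headers as
 * they are read.
 *
 * <p>Escaping is applied in {@link #getParameter}, {@link #getParameterValues},
 * {@link #getParameterMap} and {@link #getHeader}. It is an input-side,
 * defence-in-depth measure: it does not replace context-aware output encoding in the
 * views, and a value read through this wrapper that is encoded again at render time
 * comes out double-encoded (for example {@code &amp;lt;}).
 *
 * <p>NOTE(review): {@code getHeaders(String)}, {@code getQueryString()} and the request
 * body ({@code getInputStream()} / {@code getReader()}) are not overridden, so values
 * read through those paths are returned raw — confirm that this is intended.
 */
public class XssRequestWrapper extends HttpServletRequestWrapper {

    /**
     * @param servletRequest the request to wrap (may already be a resolved multipart request)
     */
    public XssRequestWrapper(HttpServletRequest servletRequest) {
        super(servletRequest);
    }

    /**
     * Returns the escaped values of a parameter in a fresh array; the wrapped request's
     * own array is never modified.
     *
     * @param parameter the parameter name
     * @return the escaped values, or {@code null} if the parameter is absent
     */
    @Override
    public String[] getParameterValues(String parameter) {
        return escapeAll(super.getParameterValues(parameter));
    }

    /**
     * @param parameter the parameter name
     * @return the escaped value, or {@code null} if the parameter is absent
     */
    @Override
    public String getParameter(String parameter) {
        return stripXSS(super.getParameter(parameter));
    }

    /**
     * Returns the escaped value of a header.
     *
     * <p>NOTE(review): this applies to every header, including ones such as
     * {@code Content-Type} or {@code Referer} whose grammar legitimately contains
     * {@code "} or {@code &}; any code that parses those headers via this method
     * receives entity-encoded text.
     *
     * @param name the header name
     * @return the escaped value, or {@code null} if the header is absent
     */
    @Override
    public String getHeader(String name) {
        return stripXSS(super.getHeader(name));
    }

    /**
     * Returns a new map holding a copy of every parameter with its values escaped.
     *
     * <p>The wrapped request's map is neither cast to a concrete type nor mutated: the
     * servlet API documents {@code getParameterMap()} as immutable, and the value arrays
     * it exposes may be the container's own. Escaping those arrays in place would fail
     * on a locked map and would also leave already-escaped values behind, so that a
     * later {@link #getParameterValues} call escaped them a second time.
     *
     * @return a mutable copy with escaped values (empty if the request has no parameters)
     */
    @Override
    public Map<String, String[]> getParameterMap() {
        Map<String, String[]> raw = super.getParameterMap();
        Map<String, String[]> escaped = new HashMap<String, String[]>();
        if (raw != null) {
            for (Map.Entry<String, String[]> entry : raw.entrySet()) {
                escaped.put(entry.getKey(), escapeAll(entry.getValue()));
            }
        }
        return escaped;
    }

    /**
     * Escapes every element of {@code values} into a new array.
     *
     * @param values the raw values, may be {@code null}
     * @return a new array of escaped values, or {@code null} if {@code values} is {@code null}
     */
    private String[] escapeAll(String[] values) {
        if (values == null) {
            return null;
        }
        String[] escaped = new String[values.length];
        for (int i = 0; i < values.length; i++) {
            escaped[i] = stripXSS(values[i]);
        }
        return escaped;
    }

    /**
     * HTML-escapes a single value.
     *
     * <p>Despite its name this method removes nothing: HTML special characters are
     * converted to character entities by Spring's {@link HtmlUtils#htmlEscape(String)},
     * so the original text is still recoverable by unescaping.
     *
     * @param value the raw value, may be {@code null}
     * @return the escaped value, or {@code null} if {@code value} is {@code null}
     */
    private String stripXSS(String value) {
        if (value == null) {
            return null;
        }
        // Earlier variants used Commons Lang StringEscapeUtils (escapeHtml /
        // escapeJavaScript / escapeSql); they were replaced by HtmlUtils.
        // JavaScriptUtils.javaScriptEscape was also tried and left out because it
        // mangles http URLs; enabling it would require the matching unescape at
        // line 208 of com.dzqd.jaf.jdbc.utils.BeanProcessor.parseObject.
        return HtmlUtils.htmlEscape(value);
    }

}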

