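package com.isoftstone.ifa.web.base.filter;

import java.util.ArrayList;
import java.util.Collections;
import java.util.Enumeration;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.regex.Pattern;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;

import org.apache.commons.lang.StringUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/**
 * Request wrapper that strips a fixed blacklist of script-like constructs from
 * request parameters, the query string and request headers, then HTML-encodes
 * the angle brackets of whatever is left.
 *
 * <p>Scope and limits — read before relying on this:
 * <ul>
 *   <li>This is input-side, blacklist-based sanitisation. Treat it as a
 *       defence-in-depth layer, never as a substitute for context-aware output
 *       encoding in the view layer. The event-handler list ({@code onload},
 *       {@code onmouseover}, {@code onfocus}, {@code onerror}) is not exhaustive
 *       and the stripping is single-pass.</li>
 *   <li>The step that actually prevents a tag from forming is the final
 *       encoding of {@code <} and {@code >} in {@link #escapeHtml4}; e.g.
 *       {@code <scr<script>ipt>} survives the single-pass strip as
 *       {@code <script>} but is emitted as {@code &lt;script&gt;}. The regexes
 *       add removal of attribute-level payloads such as {@code javascript:}
 *       URLs and {@code expression(...)}.</li>
 *   <li>{@code &} is deliberately left alone: this wrapper also rewrites the raw
 *       query string, and encoding {@code &} there would break
 *       {@code key=value&key=value} splitting downstream. The method name
 *       {@code escapeHtml4} therefore overstates what it does — it is not a
 *       complete HTML escape.</li>
 *   <li>Parameter values and the query string additionally get {@code "} and
 *       {@code '} encoded (see {@link #escapeParameterValue}). Without that, a
 *       value such as {@code " onclick="...} with a handler name outside the
 *       blacklist could break out of a quoted attribute. Headers intentionally
 *       keep the weaker treatment: quoted header values such as
 *       {@code If-None-Match: "etag"} must pass through unchanged.</li>
 *   <li>All read paths for parameters are covered ({@code getParameter},
 *       {@code getParameterValues}, {@code getParameterMap}) as well as both
 *       header accessors ({@code getHeader}, {@code getHeaders}); a consumer that
 *       reads via {@code getParameterMap()} or {@code getHeaders()} would
 *       otherwise bypass the filter entirely.</li>
 * </ul>
 */
public class XssHttpServletRequestWrapper extends HttpServletRequestWrapper {

    // Kept for API/stability reasons; not referenced by the current implementation.
    private static final Logger logger = LoggerFactory.getLogger(XssHttpServletRequestWrapper.class);

    private static final int MULTILINE_FLAGS = Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL;

    // Pattern is immutable and thread-safe; compile once instead of on every call.
    // Order is preserved from the original sequential replaceAll() calls.
    // NOTE(review): the three <script>-related literals were unreadable (empty or
    // truncated) in the copy under review; they are restored to what the original
    // comments describe: a whole <script>...</script> block, a stray closing tag and
    // a stray opening tag.
    private static final Pattern[] BLACKLIST = {
        // whole <script>...</script> block
        Pattern.compile("<script>(.*?)</script>", Pattern.CASE_INSENSITIVE),
        // src='...' and src="..." attribute expressions
        Pattern.compile("src[\r\n]*=[\r\n]*'(.*?)'", MULTILINE_FLAGS),
        Pattern.compile("src[\r\n]*=[\r\n]*\"(.*?)\"", MULTILINE_FLAGS),
        // stray closing </script> tag
        Pattern.compile("</script>", Pattern.CASE_INSENSITIVE),
        // stray opening <script ...> tag
        Pattern.compile("<script(.*?)>", MULTILINE_FLAGS),
        // eval(...) and CSS expression(...)
        Pattern.compile("eval\\((.*?)\\)", MULTILINE_FLAGS),
        Pattern.compile("expression\\((.*?)\\)", MULTILINE_FLAGS),
        // script URL schemes
        Pattern.compile("javascript:", Pattern.CASE_INSENSITIVE),
        Pattern.compile("vbscript:", Pattern.CASE_INSENSITIVE),
        // a small set of event-handler attributes (not exhaustive, see class comment)
        Pattern.compile("onload(.*?)=", MULTILINE_FLAGS),
        Pattern.compile("onmouseover(.*?)=", MULTILINE_FLAGS),
        Pattern.compile("onfocus(.*?)=", MULTILINE_FLAGS),
        Pattern.compile("onerror(.*?)=", MULTILINE_FLAGS),
    };

    /**
     * @param request the request to wrap; all parameter and header reads are
     *                routed through the escaping helpers below.
     */
    public XssHttpServletRequestWrapper(HttpServletRequest request) {
        super(request);
    }

    /**
     * Escaped copy of every value of the named parameter.
     *
     * @return a new array with each value escaped, or {@code null} when the
     *         underlying request has no such parameter.
     */
    @Override
    public String[] getParameterValues(String name) {
        return escapeAll(super.getParameterValues(name));
    }

    /**
     * Escaped view of the whole parameter map. Keys are left untouched (as in
     * {@link #getParameter}); values go through {@link #escapeParameterValue}.
     *
     * @return an unmodifiable map with escaped values; {@code null} only if the
     *         wrapped request itself returned {@code null}.
     */
    @Override
    public Map<String, String[]> getParameterMap() {
        Map<String, String[]> raw = super.getParameterMap();
        if (raw == null) {
            return null;
        }
        Map<String, String[]> escaped = new LinkedHashMap<String, String[]>(raw.size());
        for (Map.Entry<String, String[]> entry : raw.entrySet()) {
            escaped.put(entry.getKey(), escapeAll(entry.getValue()));
        }
        return Collections.unmodifiableMap(escaped);
    }

    /**
     * Raw query string with script constructs stripped and {@code < > " '}
     * encoded. {@code &} is preserved so the string still splits on it.
     */
    @Override
    public String getQueryString() {
        return escapeParameterValue(super.getQueryString());
    }

    /** Single parameter value, escaped via {@link #escapeParameterValue}. */
    @Override
    public String getParameter(String name) {
        return escapeParameterValue(super.getParameter(name));
    }

    /**
     * Header value with script constructs stripped and angle brackets encoded.
     * Quotes are intentionally NOT encoded here (see class comment).
     */
    @Override
    public String getHeader(String name) {
        return escapeHtml4(super.getHeader(name));
    }

    /**
     * All values of a header, each treated like {@link #getHeader}.
     *
     * @return an enumeration over the escaped values; {@code null} only if the
     *         wrapped request itself returned {@code null}.
     */
    @Override
    public Enumeration<String> getHeaders(String name) {
        Enumeration<String> raw = super.getHeaders(name);
        if (raw == null) {
            return null;
        }
        List<String> escaped = new ArrayList<String>();
        while (raw.hasMoreElements()) {
            escaped.add(escapeHtml4(raw.nextElement()));
        }
        return Collections.enumeration(escaped);
    }

    /**
     * Applies the blacklist and encodes {@code <} and {@code >}.
     *
     * <p>Despite the name this is not a full HTML escape: {@code &}, {@code "}
     * and {@code '} are left untouched. Use {@link #escapeParameterValue} where
     * the value may end up inside a quoted HTML attribute.
     *
     * @param value untrusted text; may be {@code null}
     * @return the escaped text, or the input unchanged when it is {@code null},
     *         empty or whitespace-only
     */
    public static String escapeHtml4(String value) {
        if (StringUtils.isBlank(value)) {
            return value;
        }
        String cleaned = value;
        for (Pattern pattern : BLACKLIST) {
            cleaned = pattern.matcher(cleaned).replaceAll("");
        }
        // Literal replace (no regex) — this is what neutralises any tag, including
        // one "reassembled" by the single-pass stripping above.
        return cleaned.replace("<", "&lt;").replace(">", "&gt;");
    }

    /**
     * {@link #escapeHtml4} plus encoding of both quote characters, so a value
     * cannot terminate a quoted attribute and introduce a new one.
     *
     * @param value untrusted text; may be {@code null}
     * @return the escaped text, or {@code null} for {@code null} input
     */
    public static String escapeParameterValue(String value) {
        String escaped = escapeHtml4(value);
        if (escaped == null) {
            return null;
        }
        return escaped.replace("\"", "&quot;").replace("'", "&#39;");
    }

    /** Element-wise {@link #escapeParameterValue}; {@code null} in, {@code null} out. */
    private static String[] escapeAll(String[] values) {
        if (values == null) {
            return null;
        }
        String[] escaped = new String[values.length];
        for (int i = 0; i < values.length; i++) {
            escaped[i] = escapeParameterValue(values[i]);
        }
        return escaped;
    }

    /** Ad-hoc manual check; prints the escaped form of a sample query string. */
    public static void main(String[] args) {
        String value = "&receiveCellphone=13888888888&receiveEmail=ssssss%40qq.com\"/>&";
        System.out.println("===:" + escapeHtml4(value));
    }
}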