过滤特殊字符的过滤器
struts2会在web.xml中配置如下的过滤器:
<filter> <filter-name>struts</filter-name> <filter-class> org.apache.struts2.dispatcher.ng.filter.StrutsPrepareAndExecuteFilter </filter-class> </filter> <filter-mapping> <filter-name>struts</filter-name> <url-pattern>/*</url-pattern> </filter-mapping>
当需要自行添加一个过滤特殊字符的过滤器时，必须在 web.xml 中把它配置在 struts2 的过滤器之前（过滤器按 filter-mapping 的先后顺序执行），这样经由 struts2 框架处理的请求路径才会先被过滤。web.xml 中的整体配置如下:
<!-- 过滤特殊字符 --> <filter> <filter-name>FilterSpecial</filter-name> <filter-class>com.piccsoft.project.security.auth.FilterSpecial</filter-class> </filter> <filter-mapping> <filter-name>FilterSpecial</filter-name> <url-pattern>/*</url-pattern> </filter-mapping> <!-- struts2 过滤器 --> <filter> <filter-name>struts</filter-name> <filter-class> org.apache.struts2.dispatcher.ng.filter.StrutsPrepareAndExecuteFilter </filter-class> </filter> <filter-mapping> <filter-name>struts</filter-name> <url-pattern>/*</url-pattern> </filter-mapping>
具体的过滤器的写法如下:
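package com.project.security.auth;

import java.io.IOException;
import java.util.Iterator;
import java.util.Map;
import java.util.Set;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import java.util.regex.PatternSyntaxException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.apache.commons.lang3.StringUtils;

import com.core.util.excel.other.StringUtilTools;

/**
 * Rejects requests whose parameter names or values contain one of a fixed set of
 * suspicious tokens, forwarding them to {@code /error.jsp} instead of continuing the
 * filter chain.
 *
 * <p>This is a case-sensitive denylist applied to {@link ServletRequest#getParameterMap()}
 * only: request headers, cookies, the request path and a raw request body are not
 * inspected, and the input is not decoded or normalised before matching. Treat it as
 * defence in depth; output encoding in the views and parameterised queries remain the
 * primary controls.
 *
 * <p>Must be mapped before the struts2 filter in {@code web.xml}, otherwise struts2
 * handles the request first and this filter never sees it.
 */
public class FilterSpecial implements Filter {

    /** Tokens that cause a request to be rejected; the first one found is exposed as "result". */
    private static final String[] BLOCKED_TOKENS = {"..", "WEB-INF", "\t", "alert(", "<", ">", "confirm("};

    /** Regex form of {@link #BLOCKED_TOKENS}; compiled once instead of on every call. */
    private static final Pattern BLOCKED_PATTERN = Pattern.compile("\\.\\.|WEB-INF|<|>|\t|alert\\(|confirm\\(");

    public void destroy() {
        // nothing to release
    }

    /**
     * Scans every parameter name and value. On the first hit, stores the matched token in
     * request attribute {@code result} and forwards to {@code /error.jsp}; otherwise the
     * request continues down the chain unchanged.
     */
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        String offending = findOffendingParameter(request.getParameterMap());
        if (offending == null) {
            chain.doFilter(request, response);
            return;
        }
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse res = (HttpServletResponse) response;
        // Only the fixed token, never the raw user input, is handed to the error page.
        req.setAttribute("result", matchedToken(offending));
        req.getRequestDispatcher("/error.jsp").forward(req, res);
    }

    public void init(FilterConfig arg0) throws ServletException {
        // no configuration needed
    }

    /**
     * Tells whether {@code str} contains a blocked token. Literal {@code <br>}, {@code <Br>}
     * and {@code <BR>} tags are removed before matching so that line breaks alone do not
     * trip the {@code <} / {@code >} check.
     *
     * @param str text to check; {@code null} or empty is never blocked
     * @return {@code true} if a blocked token occurs anywhere in the cleaned text
     * @throws PatternSyntaxException kept for signature compatibility; the pattern is a
     *     compile-time constant, so it is not thrown in practice
     */
    public static boolean StringFilter(String str) throws PatternSyntaxException {
        if (str == null || str.isEmpty()) {
            return false;
        }
        String cleaned = str.replace("<br>", "").replace("<Br>", "").replace("<BR>", "");
        Matcher m = BLOCKED_PATTERN.matcher(cleaned);
        return m.find();
    }

    /**
     * Returns the first parameter name or value that {@link #StringFilter(String)} rejects,
     * or {@code null} if every parameter is clean. Names are checked before their values,
     * and scanning stops at the first hit (the previous version kept scanning and reported
     * the last hit instead).
     */
    private static String findOffendingParameter(Map<?, ?> params) {
        if (params == null) {
            return null;
        }
        for (Map.Entry<?, ?> entry : params.entrySet()) {
            String name = String.valueOf(entry.getKey());
            if (StringFilter(name)) {
                return name;
            }
            Object raw = entry.getValue();
            if (raw == null) {
                continue;
            }
            // The servlet API yields String[]; anything else is checked via toString().
            String[] values = raw instanceof String[] ? (String[]) raw : new String[] {raw.toString()};
            for (String value : values) {
                if (StringFilter(value)) {
                    return value;
                }
            }
        }
        return null;
    }

    /** Returns the first blocked token that occurs in {@code text}, or {@code ""} if none does. */
    private static String matchedToken(String text) {
        for (String token : BLOCKED_TOKENS) {
            if (text.indexOf(token) != -1) {
                return token;
            }
        }
        // Not expected: text already matched BLOCKED_PATTERN, whose alternatives are exactly these tokens.
        return "";
    }
}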