packagecom.ulic.ulcif.requestwrapper;importjava.util.Enumeration;importjava.util.Map;importjavax.servlet.http.HttpServletRequest;importorg.apache.struts2.dispatcher.StrutsRequestWrapper;importorg.springframework.util.CollectionUtils;/*** 写一个 Filter,使用 Filter 来过滤浏览器发出的请求。对每个 post 请求的参数过滤一些关键字,替换成安全的,例如:< > ' " \ / # & 。
*
* 方法:实现一个自定义的 HttpServletRequestWrapper,然后在 Filter 里面调用它,替换掉 getParameter 函数即可*/
public class XssHttpServletRequestWrapper extendsStrutsRequestWrapper {
HttpServletRequest orgRequest= null;publicXssHttpServletRequestWrapper(HttpServletRequest servletRequest) {super(servletRequest);
orgRequest=servletRequest;
}/*** 重写getParameterValues方法
* 通过循环取出每一个请求结果
* 再对请求结果进行过滤
**/
publicString[] getParameterValues(String parameter) {
String[] values= super.getParameterValues(parameter);if (values == null) {return null;
}int count =values.length;
String[] encodedValues= newString[count];for (int i = 0; i < count; i++) {
encodedValues[i]=cleanXSS(values[i]);
}returnencodedValues;
}/*** 重写getParameter方法
* 对请求结果进行过滤
**/
publicString getParameter(String parameter) {
String value= super.getParameter(parameter);if (value == null) {return null;
}returncleanXSS(value);
}publicString getHeader(String name) {
String value= super.getHeader(name);if (value == null)return null;returncleanXSS(value);
}/*** 获取最原始的request
*
*@return
*/
publicHttpServletRequest getOrgRequest() {returnorgRequest;
}/*** 获取最原始的request的静态方法
*
*@return
*/
public staticHttpServletRequest getOrgRequest(HttpServletRequest req) {if (req instanceofXssHttpServletRequestWrapper) {return((XssHttpServletRequestWrapper) req).getOrgRequest();
}returnreq;
}
@Overridepublic EnumerationgetParameterNames() {
Enumeration names = super.getParameterNames();while(names.hasMoreElements()){
String name=names.nextElement();
name=cleanXSS(name);
}returnnames;
}
@OverridepublicMap getParameterMap() {
Map paramMap= super.getParameterMap();if(CollectionUtils.isEmpty(paramMap)) {returnparamMap;
}for(Object value : paramMap.values()) {
String[] str=(String[])value;if (str != null) {for (int i = 0; i < str.length; i++) {
str[i]=cleanXSS(str[i]);
}
}
}returnparamMap;
}privateString cleanXSS(String value) {
value= value.replaceAll("", "& gt;");//先暂时去除 英文括号的拦截//value = value.replaceAll("\\(", "& #40;").replaceAll("\\)", "& #41;");
value = value.replaceAll("'", "& #39;");
value= value.replaceAll("eval\\((.*)\\)", "");
value= value.replaceAll("[\\\"\\\'][\\s]*javascript:(.*)[\\\"\\\']","\"\"");
value= value.replaceAll("script", "");
value= value.replaceAll("alert", "");returnvalue;
}
}