1. Configure the filter in web.xml
<filter>
    <filter-name></filter-name>
    <filter-class></filter-class>
</filter>
<filter-mapping>
    <filter-name></filter-name>
    <url-pattern></url-pattern>
</filter-mapping>
2. Write the corresponding filter Java class
package com.example.xss; // package and class names are assumed: they were lost in extraction

import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;

public class XssFilter implements Filter {
    public void init(FilterConfig filterConfig) throws ServletException { }

    // Wrap the request so every parameter and header read passes through cleanXSS
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        chain.doFilter(new XssHttpServletRequestWrapper((HttpServletRequest) request), response);
    }

    public void destroy() { }
}

// Request wrapper that escapes the values read from the request (class name assumed)
package com.example.xss;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;

/**
 * @author wk
 * @date 2015-8-6
 */
public class XssHttpServletRequestWrapper extends HttpServletRequestWrapper {
    public XssHttpServletRequestWrapper(HttpServletRequest request) {
        super(request);
    }
    public String getHeader(String name) {
        return cleanXSS(super.getHeader(name));
    }
    public String getParameter(String name) {
        return cleanXSS(super.getParameter(name));
    }
    public String[] getParameterValues(String name) {
        String[] values = super.getParameterValues(name);
        if (values == null) {
            return null;
        }
        String[] cleaned = new String[values.length];
        for (int i = 0; i < values.length; i++) {
            cleaned[i] = cleanXSS(values[i]);
        }
        return cleaned;
    }
    // Handle character escaping (blacklist style: the keyword rules also alter ordinary text such as "description")
    private String cleanXSS(String value) {
        if (null == value || "".equals(value)) {
            return value;
        }
        value = value.replaceAll("<", "&lt;").replaceAll(">", "&gt;");
        value = value.replaceAll("\\(", "&#40;").replaceAll("\\)", "&#41;");
        value = value.replaceAll("'", "&#39;");
        value = value.replaceAll("eval\\((.*)\\)", "");
        value = value.replaceAll("[\\\"\\\'][\\s]*javascript:(.*)[\\\"\\\']", "\"\"");
        value = value.replaceAll("script", "");
        return value;
    }
}
4. Of course, one more remark here: the wrapper class can do more than intercept XSS script attacks. It can also strip the whitespace from request parameters, so you no longer have to trim the leading and trailing spaces of submitted parameter values in every action. Problems such as Injection Flaws and SQL injection can be handled in the same way.
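As an added example (not code from the original post), the following standalone class applies the post's cleanXSS rules, extended with the parameter trimming suggested above, to a few constructed parameter values and places them beside plain HTML entity encoding, a swapped-in alternative that neutralizes markup without deleting keywords. The class name XssCleanCompare and the method encodeForHtml are assumed names.

```java
import java.util.LinkedHashMap;
import java.util.Map;

// Added example, not from the original post. Class and method names are assumed.
// Compares the post's keyword-stripping cleanXSS with plain HTML entity encoding,
// both preceded by the leading/trailing whitespace trimming suggested in step 4.
public class XssCleanCompare {
    // The post's cleanXSS rules, with trim() added as step 4 suggests
    static String cleanXSS(String value) {
        if (value == null) return null;
        value = value.trim();
        value = value.replaceAll("<", "&lt;").replaceAll(">", "&gt;");
        value = value.replaceAll("\\(", "&#40;").replaceAll("\\)", "&#41;");
        value = value.replaceAll("'", "&#39;");
        value = value.replaceAll("eval\\((.*)\\)", "");
        value = value.replaceAll("[\\\"\\\'][\\s]*javascript:(.*)[\\\"\\\']", "\"\"");
        value = value.replaceAll("script", "");   // also hits ordinary words such as "description"
        return value;
    }

    // Encode every HTML-significant character instead of removing keywords:
    // the browser cannot interpret the result as markup, and ordinary text is preserved.
    static String encodeForHtml(String value) {
        if (value == null) return null;
        StringBuilder sb = new StringBuilder(value.length());
        for (char c : value.trim().toCharArray()) {
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        // Constructed sample parameter values
        Map<String, String> params = new LinkedHashMap<>();
        params.put("comment", "  <b>hello</b>  ");
        params.put("field", "description");
        params.put("note", "it's (fine) & done");
        for (Map.Entry<String, String> e : params.entrySet()) {
            System.out.println(e.getKey() + " -> cleanXSS: " + cleanXSS(e.getValue())
                    + " | encodeForHtml: " + encodeForHtml(e.getValue()));
        }
    }
}
```

Running it shows the functional side effect of the keyword rule on the "field" value, which the entity-encoding variant leaves intact.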
Reposted from: http://blog.csdn.net/woniumenga/article/details/47323829