public class XssHttpServletRequestWrapper extendsHttpServletRequestWrapper
{
HttpServletRequest orgRequest= null;publicXssHttpServletRequestWrapper(HttpServletRequest request)
{super(request);
orgRequest=request;
}/*** 覆盖getParameter方法,将参数名和参数值都做xss过滤。
* 如果需要获得原始的值,则通过super.getParameterValues(name)来获取
* getParameterNames,getParameterValues和getParameterMap也可能需要覆盖*/@OverridepublicString getParameter(String name)
{
String value= super.getParameter(xssEncode(name));if (value != null)
{
value=xssEncode(value);
}returnvalue;
}/*** 覆盖getHeader方法,将参数名和参数值都做xss过滤。
* 如果需要获得原始的值,则通过super.getHeaders(name)来获取
getHeaderNames 也可能需要覆盖*/@OverridepublicString getHeader(String name)
{
String value= super.getHeader(xssEncode(name));if (value != null)
{
value=xssEncode(value);
}returnvalue;
}/*** 将容易引起xss漏洞的半角字符直接替换成全角字符
*
*@params
*@return
*/
private staticString xssEncode(String s)
{if (s == null ||s.isEmpty())
{returns;
}
StringReader reader= newStringReader( s );
StringWriter writer= newStringWriter();try{
HTMLParser.process( reader, writer,new XSSFilter(), true);returnwriter.toString();
}catch(NullPointerException e) {returns;
}catch(Exception ex)
{
ex.printStackTrace();
}return null;
}/*** 获取最原始的request
*
*@return
*/
publicHttpServletRequest getOrgRequest()
{returnorgRequest;
}/*** 获取最原始的request的静态方法
*
*@return
*/
public staticHttpServletRequest getOrgRequest(HttpServletRequest req)
{if (req instanceofXssHttpServletRequestWrapper)
{return((XssHttpServletRequestWrapper) req).getOrgRequest();
}returnreq;
}