为什么说别人的都是有问题的呢,看起来没问题,实际上request获取的getParameterMap拿到的Map是锁定的,不能修改,
如何修改拿到的Map呢,需要引入tomcat里的catalina.jar
参考https://blog.csdn.net/darkness_j/article/details/6325245
如下:亲测可用
最后value = HtmlUtils.htmlEscape(value); 这个方法要慎用,如果页面传json数据到后台,会把符号都转码,导致后台解析json报错,可以去掉这个
<filter>
<filter-name>pramsFilter</filter-name>
<filter-class>com.str.util.filter.PramsFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>pramsFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
过滤器:
package com.str.util.filter;
import java.io.IOException;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.web.filter.OncePerRequestFilter;
public class PramsFilter extends OncePerRequestFilter {
@Override
protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain chain)
throws ServletException, IOException {
chain.doFilter(new ParameterRequestWrapper((HttpServletRequest)request), response);
}
}
ParameterRequestWrapper类
package com.str.util.filter;
import java.lang.reflect.Method;
import java.util.Iterator;
import java.util.Map;
import java.util.Set;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import org.apache.catalina.util.ParameterMap;
import com.five.util.CommUtil;
/**
* 重写 HttpServletRequestWrapper 处理json报文请求
*
* @author zhaoheng
*
*/
public class ParameterRequestWrapper extends HttpServletRequestWrapper {
public ParameterRequestWrapper(HttpServletRequest request) {
super(request);
// TODO Auto-generated constructor stub
}
@Override
public String getParameter(String name) {
// 返回值之前 先进行过滤
return CommUtil.cleanPram(super.getParameter(name));
}
@Override
public String[] getParameterValues(String name) {
// 返回值之前 先进行过滤
String[] values = super.getParameterValues(name);
if (values == null) {
return null;
}
for (int i = 0; i < values.length; i++) {
values[i] = CommUtil.cleanPram(values[i]);
}
return values;
}
@SuppressWarnings({ "unchecked", "rawtypes" })
@Override
public Map getParameterMap() {
ParameterMap keys=(ParameterMap)super.getParameterMap();
Method method;
try {
method = keys.getClass().getMethod( "setLocked" , new Class[]{ boolean . class });
method.invoke(keys,new Object[]{ new Boolean( false )});
} catch (Exception e) {
// TODO Auto-generated catch block
e.printStackTrace();
}
Set set = keys.entrySet();
Iterator iters = set.iterator();
while (iters.hasNext()) {
Object key =iters.next();
Map.Entry<Object, Object> sEntry=(Map.Entry<Object, Object>)key;
String[] value = (String[])sEntry.getValue();
if(null!=value) {
for (int i = 0; i < value.length; i++) {
value[i]=CommUtil.cleanPram(value[i]);
}
sEntry.setValue(value);
}
}
return keys;
}
}
CommUtil类主要方法:
import org.apache.commons.lang.StringUtils;
import org.springframework.web.util.HtmlUtils;
public static String cleanPram(String pram ) {
if (null!=pram) {
pram=xssClean_4(pram);
pram=xssClean(pram);
pram=xssClean_error(pram);
}
return pram;
}
private static String xssClean_4(String value) {//界面会报错
value = HtmlUtils.htmlEscape(value);
value = value.replaceAll("<", "& lt;").replaceAll(">", "& gt;");
value = value.replaceAll("\\(", "& #40;").replaceAll("\\)", "& #41;");
value = value.replaceAll("'", "& #39;");
value = value.replaceAll("eval\\((.*)\\)", "");
value = value.replaceAll("[\\\"\\\'][\\s]*javascript:(.*)[\\\"\\\']", "\"\"");
value = value.replaceAll("script", "");
return value;
}
/**
* 将容易引起xss漏洞的半角字符直接替换成全角字符
* 清除恶意的XSS脚本
* @param s
* @return
*/
private static String xssClean(String value) {
if (value == null || value.isEmpty()) {
return value;
}
value = HtmlUtils.htmlEscape(value);
//对%28 %29 %22转码
value =value.replaceAll("%(?![0-9a-fA-F]{2})", "%25");
try {
value= URLDecoder.decode(value,"UTF-8");
} catch (UnsupportedEncodingException e) {
// TODO Auto-generated catch block
e.printStackTrace();
}
value = value.replaceAll("<", "& lt;").replaceAll(">", "& gt;");
value = value.replaceAll("\\(", "& #40;").replaceAll("\\)", "& #41;");
value = value.replaceAll("'", "& #39;");
value = value.replaceAll("eval\\((.*)\\)", "");
value = value.replaceAll("[\\\"\\\'][\\s]*javascript:(.*)[\\\"\\\']", "\"\"");
value = value.replaceAll("script", "");
StringBuilder sb = new StringBuilder(value.length() + 16);
for (int i = 0; i < value.length(); i++) {
char c = value.charAt(i);
switch (c) {
case '>':
sb.append(">");// 转义大于号
break;
case '<':
sb.append("<");// 转义小于号
break;
case '\'':
sb.append("'");// 转义单引号
break;
case '\"':
sb.append(""");// 转义双引号
break;
case '&':
sb.append("&");// 转义&
break;
default:
sb.append(c);
break;
}
}
return sb.toString();
}
private static String xssClean_error(String value) {
if (value != null) {
value = value.replaceAll("", "");
// Avoid anything between script tags
Pattern scriptPattern = Pattern.compile("<script>(.*?)</script>", Pattern.CASE_INSENSITIVE);
value = scriptPattern.matcher(value).replaceAll("");
// Avoid anything in a src="http://www.yihaomen.com/article/java/..." type of expression
scriptPattern = Pattern.compile("src[\r\n]*=[\r\n]*\\\'(.*?)\\\'", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
value = scriptPattern.matcher(value).replaceAll("");
scriptPattern = Pattern.compile("src[\r\n]*=[\r\n]*\\\"(.*?)\\\"", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
value = scriptPattern.matcher(value).replaceAll("");
// Remove any lonesome </script> tag
scriptPattern = Pattern.compile("</script>", Pattern.CASE_INSENSITIVE);
value = scriptPattern.matcher(value).replaceAll("");
// Remove any lonesome <script ...> tag
scriptPattern = Pattern.compile("<script(.*?)>", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
value = scriptPattern.matcher(value).replaceAll("");
// Avoid eval(...) expressions
scriptPattern = Pattern.compile("eval\\((.*?)\\)", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
value = scriptPattern.matcher(value).replaceAll("");
// Avoid expression(...) expressions
scriptPattern = Pattern.compile("expression\\((.*?)\\)", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
value = scriptPattern.matcher(value).replaceAll("");
// Avoid javascript:... expressions
scriptPattern = Pattern.compile("javascript:", Pattern.CASE_INSENSITIVE);
value = scriptPattern.matcher(value).replaceAll("");
// Avoid vbscript:... expressions
scriptPattern = Pattern.compile("vbscript:", Pattern.CASE_INSENSITIVE);
value = scriptPattern.matcher(value).replaceAll("");
// Avoid onload= expressions
scriptPattern = Pattern.compile("onload(.*?)=", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
value = scriptPattern.matcher(value).replaceAll("");
scriptPattern = Pattern.compile("alert *\\(((?!([alert\\(|\\)])).)*\\)", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
value = scriptPattern.matcher(value).replaceAll("");//去除alert()
value = HtmlUtils.htmlEscape(value);
}
return value;
}