package com.my.filter;
import com.my.bean.XssRequest;
import org.springframework.context.annotation.Configuration;
import javax.servlet.*;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import java.io.IOException;
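/**
 * Servlet filter that wraps every incoming HTTP request in {@link XssRequest} so that
 * parameter and JSON-body reads downstream go through its sanitizer.
 *
 * <p>NOTE(review): {@code @Configuration} makes this class a Spring bean, and Spring Boot
 * auto-registers {@code Filter} beans for every URL; {@code @WebFilter} registers it a second
 * time if {@code @ServletComponentScan} is enabled. Confirm only one registration is active,
 * otherwise the filter runs twice per request. ({@code @Component} would be the conventional
 * stereotype here; {@code @Configuration} only works because it is itself a component.)
 */
@WebFilter(filterName = "xssFilter", urlPatterns = "/*")
@Configuration
public class XssFilter implements Filter {

    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
        System.out.println("xssFilter is init........................");
    }

    /**
     * Forwards the request down the chain wrapped in an {@link XssRequest}.
     *
     * <p>Only HTTP requests can be wrapped, so a non-HTTP request is forwarded untouched
     * instead of failing with a {@code ClassCastException} as the unconditional cast did.
     * A request that is already an {@link XssRequest} (e.g. a second registration of this
     * filter, or a re-dispatch) is not wrapped again.
     */
    @Override
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse,
                         FilterChain filterChain) throws IOException, ServletException {
        ServletRequest forwarded = servletRequest;
        if (servletRequest instanceof HttpServletRequest && !(servletRequest instanceof XssRequest)) {
            forwarded = new XssRequest((HttpServletRequest) servletRequest);
        }
        filterChain.doFilter(forwarded, servletResponse);
    }

    @Override
    public void destroy() {
        // nothing to release: the filter holds no state
    }
}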
请求对象封装类（Request wrapper class — `XssRequest`, listed below）
package com.my.bean;
import com.alibaba.fastjson.JSON;
import java.io.*;
import java.nio.charset.Charset;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.Collections;
import java.util.HashMap;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.Set;
import java.util.regex.Pattern;
import javax.servlet.ReadListener;
import javax.servlet.ServletInputStream;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
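/**
 * Request wrapper that applies {@link #cleanXss(String)} to the values a handler is
 * most likely to read: query/form parameters ({@link #getParameter},
 * {@link #getParameterValues}, {@link #getParameterMap}) and every string leaf of a
 * JSON request body ({@link #getInputStream}, {@link #getReader}).
 *
 * <p><b>Security note.</b> The sanitizer is a blocklist rewrite of the single token
 * "script". It is NOT a substitute for contextual output encoding in the view layer:
 * payloads that do not contain that token (for example an event-handler attribute such
 * as {@code onerror=} on an {@code <img>} tag) pass through unchanged. Treat this
 * wrapper as defense in depth only.
 *
 * <p>The body is read from the wrapped request exactly once and cached, so the stream
 * or reader can be obtained repeatedly. Only requests whose Content-Type mentions JSON
 * are parsed; any other body (form, multipart, plain text, empty) is returned
 * byte-for-byte as received, which also keeps multipart uploads intact.
 */
public class XssRequest extends HttpServletRequestWrapper {

    /** Token rewritten by {@link #cleanXss(String)}; case-insensitive so "SCRIPT"/"ScRiPt" are caught too. */
    private static final Pattern SCRIPT_TOKEN = Pattern.compile("script", Pattern.CASE_INSENSITIVE);

    /** Sanitized body bytes, filled lazily by {@link #sanitizedBody()}. */
    private byte[] cachedBody;

    public XssRequest(HttpServletRequest request) {
        super(request);
    }

    // ---- body -------------------------------------------------------------

    /**
     * Returns the (possibly sanitized) request body as an in-memory stream.
     *
     * @throws IOException if the wrapped request's stream cannot be read
     * @throws com.alibaba.fastjson.JSONException (unchecked) if a JSON body is malformed;
     *         the request fails rather than being forwarded unfiltered
     */
    @Override
    public ServletInputStream getInputStream() throws IOException {
        return new ByteArrayServletInputStream(sanitizedBody());
    }

    /**
     * Reader view over the same sanitized bytes as {@link #getInputStream()}, so a
     * handler that reads via {@code getReader()} does not bypass the filter.
     */
    @Override
    public BufferedReader getReader() throws IOException {
        return new BufferedReader(new InputStreamReader(getInputStream(), bodyCharset()));
    }

    /** Reads the wrapped body once; sanitizes it only when it is a non-empty JSON request. */
    private byte[] sanitizedBody() throws IOException {
        if (cachedBody == null) {
            byte[] raw = readAll(super.getInputStream());
            cachedBody = (raw.length > 0 && isJsonRequest()) ? sanitizeJsonBody(raw) : raw;
        }
        return cachedBody;
    }

    /** True when the declared Content-Type mentions JSON (application/json, *+json, ...). */
    private boolean isJsonRequest() {
        String contentType = super.getContentType();
        return contentType != null && contentType.toLowerCase(Locale.ROOT).contains("json");
    }

    /**
     * Declared request charset when it is valid, otherwise UTF-8 (the JSON default).
     * Decoding and re-encoding with the same charset keeps the bytes the downstream
     * parser sees consistent with the Content-Type header.
     */
    private Charset bodyCharset() {
        String declared = super.getCharacterEncoding();
        if (declared != null) {
            try {
                return Charset.forName(declared);
            } catch (IllegalArgumentException ignored) {
                // unknown or malformed charset name in the header: fall back to UTF-8 below
            }
        }
        return StandardCharsets.UTF_8;
    }

    /** Parses the JSON body, sanitizes every string leaf (nested objects and arrays included) and re-serializes it. */
    private byte[] sanitizeJsonBody(byte[] raw) {
        Charset charset = bodyCharset();
        String text = new String(raw, charset);
        if (text.trim().isEmpty()) {
            return raw; // whitespace-only body: nothing to parse, do not turn it into "null"
        }
        // NOTE(review): fastjson honours "@type" keys (autoType) on some versions even when parsing
        // into generic containers. Confirm the deployed version has autoType disabled / safeMode on,
        // otherwise this filter makes every JSON endpoint a deserialization sink.
        Object parsed = JSON.parse(text);
        return JSON.toJSONString(sanitizeJsonValue(parsed)).getBytes(charset);
    }

    /** Recursively copies a parsed JSON value, cleaning strings and leaving numbers/booleans/null as they are. */
    private Object sanitizeJsonValue(Object value) {
        if (value instanceof String) {
            return cleanXss((String) value);
        }
        if (value instanceof Map) {
            Map<String, Object> copy = new LinkedHashMap<>();
            for (Map.Entry<?, ?> entry : ((Map<?, ?>) value).entrySet()) {
                copy.put(String.valueOf(entry.getKey()), sanitizeJsonValue(entry.getValue()));
            }
            return copy;
        }
        if (value instanceof List) {
            List<Object> copy = new ArrayList<>();
            for (Object element : (List<?>) value) {
                copy.add(sanitizeJsonValue(element));
            }
            return copy;
        }
        return value;
    }

    /** Drains a stream into a byte array (Java 8 compatible; no readAllBytes). */
    private static byte[] readAll(InputStream in) throws IOException {
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        byte[] buffer = new byte[4096];
        int read;
        while ((read = in.read(buffer)) != -1) {
            out.write(buffer, 0, read);
        }
        return out.toByteArray();
    }

    // ---- parameters -------------------------------------------------------

    /** Sanitized single value; the original returned this un-cleaned while cleaning getParameterValues. */
    @Override
    public String getParameter(String name) {
        return cleanXss(super.getParameter(name));
    }

    /**
     * Sanitized copy of the values. A copy is returned rather than mutating the array
     * from the wrapped request, which may be the container's own parameter storage.
     */
    @Override
    public String[] getParameterValues(String name) {
        return cleanAll(super.getParameterValues(name));
    }

    /**
     * Sanitized, unmodifiable view of all parameters. Overridden because data binders
     * (e.g. Spring's model-attribute binding) read the map directly and would otherwise
     * bypass the filter.
     */
    @Override
    public Map<String, String[]> getParameterMap() {
        Map<String, String[]> cleaned = new LinkedHashMap<>();
        for (Map.Entry<String, String[]> entry : super.getParameterMap().entrySet()) {
            cleaned.put(entry.getKey(), cleanAll(entry.getValue()));
        }
        return Collections.unmodifiableMap(cleaned);
    }

    /** Element-wise {@link #cleanXss(String)} into a fresh array; null stays null. */
    private String[] cleanAll(String[] values) {
        if (values == null) {
            return null;
        }
        String[] copy = new String[values.length];
        for (int i = 0; i < values.length; i++) {
            copy[i] = cleanXss(values[i]);
        }
        return copy;
    }

    /**
     * Rewrites every case-insensitive occurrence of "script" to "s c r i p t".
     * Null and empty input are returned unchanged. See the class comment for why
     * this is only a partial mitigation.
     */
    private String cleanXss(String value) {
        if (value == null || value.isEmpty()) {
            return value;
        }
        return SCRIPT_TOKEN.matcher(value).replaceAll("s c r i p t");
    }

    // ---- stream adapter ---------------------------------------------------

    /** Read-only servlet stream over an in-memory byte array. */
    private static final class ByteArrayServletInputStream extends ServletInputStream {
        private final ByteArrayInputStream delegate;

        ByteArrayServletInputStream(byte[] bytes) {
            this.delegate = new ByteArrayInputStream(bytes);
        }

        @Override
        public int read() {
            return delegate.read();
        }

        @Override
        public int read(byte[] b, int off, int len) {
            return delegate.read(b, off, len);
        }

        /** True once every byte has been consumed (always returning false can stall async readers). */
        @Override
        public boolean isFinished() {
            return delegate.available() == 0;
        }

        /** The whole body is in memory, so a read never blocks. */
        @Override
        public boolean isReady() {
            return true;
        }

        /** Non-blocking callbacks are not supported for this in-memory stream; the listener is ignored. */
        @Override
        public void setReadListener(ReadListener readListener) {
            // intentionally a no-op: callers see the whole body synchronously via isReady()/read()
        }
    }
}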