防止XSS攻击过滤，代码清单如下
package com.security;
import java.io.IOException;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.regex.Pattern;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
/**
* @title 请求数据防止XSS过滤
* @Description:
* @author Frank E-mail: frank@lan360.com
* @date 2017年8月22日
*/
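public class RequestParameterXSSFilter implements Filter {

    /**
     * A parameter whose name contains this marker is passed through unfiltered.
     * NOTE(review): the original comment spoke of names *starting* with "_", but the
     * original code tested {@code indexOf("_") > -1} (contains); the code's behaviour is kept.
     */
    private static final String UNFILTERED_NAME_MARKER = "_";

    /** Matches an {@code eval(...)} call; the whole match is removed. */
    private static final Pattern EVAL_CALL = Pattern.compile("eval\\((.*)\\)");

    /** Matches a quoted {@code javascript:} URL; the match is replaced by an empty quoted string. */
    private static final Pattern JAVASCRIPT_URL =
            Pattern.compile("[\\\"\\\'][\\s]*javascript:(.*)[\\\"\\\']");

    // Parameter names that are never filtered, read from the "exclude" init-param
    // (comma separated). Never null: an empty list means "filter every parameter".
    private List<String> excludeNames = Collections.emptyList();

    /**
     * Returns the parameter names exempted from filtering via the {@code exclude} init-param.
     *
     * @return the exclusion list; empty when none was configured
     */
    public List<String> getExcludeNames() {
        return excludeNames;
    }

    /**
     * Reads the comma-separated {@code exclude} init-param into {@link #excludeNames}.
     * Entries are trimmed so that {@code "a, b"} in web.xml excludes {@code "b"}, not {@code " b"}.
     */
    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
        String exclude = filterConfig.getInitParameter("exclude");
        if (exclude != null && exclude.length() > 0) {
            String[] names = exclude.split(",");
            for (int i = 0; i < names.length; i++) {
                names[i] = names[i].trim();
            }
            excludeNames = Arrays.asList(names);
        }
    }

    /**
     * Wraps HTTP requests so that every parameter accessor returns sanitised values.
     * Non-HTTP requests are passed through unchanged instead of failing with a
     * ClassCastException on the cast.
     */
    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        if (request instanceof HttpServletRequest) {
            request = new XSSHttpServletRequestWrapper((HttpServletRequest) request);
        }
        chain.doFilter(request, response);
    }

    /**
     * Tells whether a parameter is exempt from filtering: either listed in the
     * {@code exclude} init-param (previously parsed but never consulted) or containing
     * {@link #UNFILTERED_NAME_MARKER}.
     *
     * @param name parameter name; a null name is treated as exempt
     * @return true when the parameter must be returned unmodified
     */
    private boolean isExcluded(String name) {
        return name == null
                || excludeNames.contains(name)
                || name.indexOf(UNFILTERED_NAME_MARKER) > -1;
    }

    /**
     * Request wrapper that sanitises parameter values on every accessor.
     * The original only overrode {@code getParameterMap()}, so {@code getParameter()} and
     * {@code getParameterValues()} — the accessors most application code uses — bypassed the
     * filter entirely; it also stopped at the first exempt name ({@code break}) and only
     * touched {@code value[0]} of multi-valued parameters.
     */
    private class XSSHttpServletRequestWrapper extends HttpServletRequestWrapper {

        public XSSHttpServletRequestWrapper(HttpServletRequest request) {
            super(request);
        }

        @Override
        public String getParameter(String name) {
            String value = super.getParameter(name);
            return isExcluded(name) ? value : replaceXss(value);
        }

        @Override
        public String[] getParameterValues(String name) {
            return sanitizeValues(name, super.getParameterValues(name));
        }

        /**
         * Returns a sanitised copy of the parameter map. The wrapped container's map is not
         * mutated (containers commonly hand out a locked map); the copy is unmodifiable.
         */
        @Override
        public Map<String, String[]> getParameterMap() {
            Map<String, String[]> original = super.getParameterMap();
            if (original == null || original.isEmpty()) {
                return original;
            }
            Map<String, String[]> sanitized = new HashMap<String, String[]>(original.size());
            for (Map.Entry<String, String[]> entry : original.entrySet()) {
                sanitized.put(entry.getKey(), sanitizeValues(entry.getKey(), entry.getValue()));
            }
            return Collections.unmodifiableMap(sanitized);
        }

        /**
         * Sanitises every element of a multi-valued parameter into a fresh array, so the
         * container's own array is never written to.
         *
         * @param name   parameter name, used for the exclusion check
         * @param values raw values; may be null
         * @return the same reference when null or exempt, otherwise a sanitised copy
         */
        private String[] sanitizeValues(String name, String[] values) {
            if (values == null || isExcluded(name)) {
                return values;
            }
            String[] copy = new String[values.length];
            for (int i = 0; i < values.length; i++) {
                copy[i] = replaceXss(values[i]);
            }
            return copy;
        }
    }

    /**
     * Neutralises the characters and fragments this filter treats as script payload.
     * Order matters: the {@code eval(...)} and {@code javascript:} patterns are applied
     * before the entity encoding, because once parentheses and quotes are encoded those
     * patterns can no longer match; {@code #} and {@code &} are dropped before encoding
     * so the entities emitted here are not themselves stripped.
     * This is input filtering only — it does not replace context-aware output encoding
     * where the value is eventually rendered.
     *
     * @param value raw parameter value; may be null
     * @return the sanitised value, or {@code value} unchanged when null or empty
     */
    protected String replaceXss(String value) {
        if (value == null || value.length() == 0) {
            return value;
        }
        String result = EVAL_CALL.matcher(value).replaceAll("");
        result = JAVASCRIPT_URL.matcher(result).replaceAll("\"\"");
        result = result.replace("#", "").replace("&", "");
        // The page rendered these as no-op replacements (e.g. "<" -> "<"); the evident
        // intent is the HTML entity, which is what is emitted here.
        result = result.replace("<", "&lt;").replace(">", "&gt;");
        result = result.replace("(", "&#40;").replace(")", "&#41;");
        result = result.replace("'", "&#39;");
        return result;
    }

    /** Nothing to release: the filter holds no resources. */
    @Override
    public void destroy() {
    }
}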