1、新建过滤器XssFilter
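/**
 * Servlet filter that wraps each HTTP request in {@link XssHttpServletRequestWrapper},
 * so that parameter and header values read further down the chain have already been
 * passed through the wrapper's blacklist cleaning.
 *
 * <p>A request that is not an {@code HttpServletRequest} is passed through unwrapped
 * instead of failing the cast.
 */
public class XssFilter implements Filter {

    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
        // Nothing is read from the configuration.
    }

    /**
     * Wraps {@code request} and continues the chain.
     *
     * @param request  incoming request; wrapped only when it is an {@link HttpServletRequest}
     * @param response passed through unchanged
     * @param chain    remaining filter chain
     * @throws IOException      propagated from the chain
     * @throws ServletException propagated from the chain
     */
    @Override
    public void doFilter(ServletRequest request, ServletResponse response,
                         FilterChain chain) throws IOException, ServletException {
        if (request instanceof HttpServletRequest) {
            HttpServletRequest httpRequest = (HttpServletRequest) request;
            // The parameter map is handed to the wrapper so it can clean every value
            // once, up front, rather than on each access.
            chain.doFilter(
                new XssHttpServletRequestWrapper(httpRequest, httpRequest.getParameterMap()),
                response);
        } else {
            chain.doFilter(request, response);
        }
    }

    @Override
    public void destroy() {
        // No resources are held.
    }
}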
2、重写HttpServletRequestWrapper
将参数中有关xss攻击的非法字符全部处理掉
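/**
 * Request wrapper that runs parameter and header values through a blacklist-based
 * cleaner ({@link #cleanXss(String)}) before the application sees them.
 *
 * <p>This is a defence-in-depth layer, not a complete XSS mitigation: it removes a
 * fixed list of fragments ({@code script}, {@code iframe}, {@code javascript:} ...) and
 * cannot replace context-aware output encoding in the views. The blacklist also
 * contains application-specific words ({@code keyword}, {@code classId}, ...) that will
 * be cut out of perfectly legitimate input, so it needs reviewing against the forms
 * that actually pass through this filter.
 *
 * <p>Only {@code getParameter}, {@code getParameterValues}, {@code getParameterMap}
 * and {@code getHeader} are overridden; {@code getHeaders(String)},
 * {@code getQueryString()} and the request body are inherited unchanged.
 */
public class XssHttpServletRequestWrapper extends HttpServletRequestWrapper {

    /** Single value returned in place of a parameter that carries an encoded CR/LF. */
    private static final String CRLF_REJECTED = "errorparam";

    private static final int SCRIPT_FLAGS =
        Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL;

    /**
     * Script-like constructs removed by {@link #stripXSS(String)}, in this order.
     * Compiled once instead of on every call.
     */
    private static final Pattern[] STRIP_PATTERNS = {
        Pattern.compile("eval\\((.*?)\\)", SCRIPT_FLAGS),
        Pattern.compile("expression\\((.*?)\\)", SCRIPT_FLAGS),
        Pattern.compile("javascript:", Pattern.CASE_INSENSITIVE),
        Pattern.compile("vbscript:", Pattern.CASE_INSENSITIVE),
        // Lazy match, so this drops "onload" up to the next '=' (across lines, DOTALL).
        Pattern.compile("onload(.*?)=", SCRIPT_FLAGS),
    };

    /**
     * First removal pass of {@link #cleanXSS(String)}: literal, case-sensitive
     * fragments, in the original order. The duplicate {@code selectschool} entry of
     * the original is unnecessary because {@link #removeUntilStable} repeats the pass.
     */
    private static final Pattern[] REMOVE_WORDS = {
        Pattern.compile("selectschool", Pattern.LITERAL),
        Pattern.compile("keyword", Pattern.LITERAL),
        Pattern.compile("startTime", Pattern.LITERAL),
        Pattern.compile("endTime", Pattern.LITERAL),
        Pattern.compile("keytree", Pattern.LITERAL),
        Pattern.compile("checkVal", Pattern.LITERAL),
        Pattern.compile("relateType", Pattern.LITERAL),
        Pattern.compile("classId", Pattern.LITERAL),
        Pattern.compile("<xsstag", Pattern.LITERAL),
        Pattern.compile("domxssExecutionSink", Pattern.LITERAL),
        Pattern.compile("=javascript", Pattern.LITERAL),
        Pattern.compile("script", Pattern.LITERAL),
        Pattern.compile("iframe", Pattern.LITERAL),
    };

    /** Quoted {@code javascript:} URL (case-sensitive, as in the original); replaced by {@code ""}. */
    private static final Pattern QUOTED_JAVASCRIPT_URL =
        Pattern.compile("[\\\"\\\'][\\s]*javascript:(.*)[\\\"\\\']");

    /**
     * Final removal pass of {@link #cleanXSS(String)}. {@code window.open} is now a
     * literal: the original used it as a regex, where '.' matched any character.
     */
    private static final Pattern[] REMOVE_TAIL = {
        Pattern.compile("script", Pattern.CASE_INSENSITIVE),
        Pattern.compile("iframe", Pattern.LITERAL),
        Pattern.compile("window.open", Pattern.LITERAL),
    };

    /** Cleaned copy of the parameter map taken at construction time; unmodifiable. */
    private final Map<String, String[]> params;

    /**
     * Wraps {@code request} and stores a cleaned copy of {@code newParams}.
     *
     * @param request   the request to wrap
     * @param newParams parameter map to clean; every value goes through {@link #cleanXss(String)}
     */
    public XssHttpServletRequestWrapper(HttpServletRequest request, Map<String, String[]> newParams) {
        super(request);
        Map<String, String[]> cleaned = new HashMap<String, String[]>();
        for (Map.Entry<String, String[]> entry : newParams.entrySet()) {
            String[] raw = entry.getValue();
            String[] encoded = new String[raw.length];
            for (int i = 0; i < raw.length; i++) {
                encoded[i] = cleanXss(raw[i]);
            }
            cleaned.put(entry.getKey(), encoded);
        }
        // The servlet contract treats the parameter map as read-only; do not hand out
        // the internal map itself.
        this.params = java.util.Collections.unmodifiableMap(cleaned);
    }

    /**
     * Returns the cleaned values of {@code parameter}, or {@code null} when absent.
     * If any value contains a URL-encoded CR or LF ({@code %0d}/{@code %0a}, any
     * case) the whole parameter is replaced by a single {@code "errorparam"} value.
     */
    @Override
    public String[] getParameterValues(String parameter) {
        String[] values = super.getParameterValues(parameter);
        if (values == null) {
            return null;
        }
        // The original compared only lower-case "%0d"/"%0a"; encoders commonly emit
        // upper-case hex, so compare case-insensitively.
        String joined = Arrays.toString(values).toLowerCase(java.util.Locale.ROOT);
        if (joined.contains("%0d") || joined.contains("%0a")) {
            return new String[] {CRLF_REJECTED};
        }
        String[] escaped = new String[values.length];
        for (int i = 0; i < values.length; i++) {
            escaped[i] = cleanXss(values[i]);
        }
        return escaped;
    }

    /**
     * Returns the first cleaned value of {@code parameter}, or {@code null} when absent.
     * Derived from {@link #getParameterValues(String)} so the CR/LF rejection applies
     * regardless of which accessor the application uses (the original cleaned
     * {@code super.getParameter} directly and skipped that check).
     */
    @Override
    public String getParameter(String parameter) {
        String[] values = getParameterValues(parameter);
        return (values == null || values.length == 0) ? null : values[0];
    }

    /**
     * Returns the parameter map cleaned at construction time. Note that the CR/LF
     * rejection of {@link #getParameterValues(String)} is not applied to this map.
     */
    @Override
    public Map<String, String[]> getParameterMap() {
        return params;
    }

    /** Returns the header value after cleaning; {@code null} when the header is absent. */
    @Override
    public String getHeader(String name) {
        return cleanXss(super.getHeader(name));
    }

    /**
     * Removes the script-like constructs in {@link #STRIP_PATTERNS}.
     *
     * @param value may be {@code null}, in which case {@code null} is returned
     */
    private String stripXSS(String value) {
        if (value == null) {
            return null;
        }
        String result = value;
        for (Pattern pattern : STRIP_PATTERNS) {
            result = pattern.matcher(result).replaceAll("");
        }
        return result;
    }

    /**
     * Entry point used by all accessors: {@link #stripXSS(String)} followed by
     * {@link #cleanXSS(String)}. Empty values (as judged by {@code EmptyUtil}) are
     * returned untouched.
     */
    private String cleanXss(String value) {
        if (EmptyUtil.isEmpty(value)) {
            return value;
        }
        return cleanXSS(stripXSS(value));
    }

    /**
     * Blacklist cleaning: word removal, two character substitutions, the quoted
     * {@code javascript:} URL pattern, then a final removal pass.
     *
     * <p>NOTE(review): the version on the page also carried identity replacements of
     * the form {@code replaceAll("<", "<")} for {@code < > ( ) ' ; &}. As shown they
     * are no-ops and are dropped here, but the accompanying comment about "spaces in
     * the html entities" suggests they originally encoded those characters as HTML
     * entities ({@code &lt;} and so on) and were rendered by the page. Confirm against
     * the original source: that encoding, not the word blacklist, is what actually
     * neutralises markup in the value.
     */
    private String cleanXSS(String value) {
        if (EmptyUtil.isEmpty(value)) {
            return value;
        }
        String result = removeUntilStable(value, REMOVE_WORDS);
        // Straight double quote becomes a typographic closing quote; encoded '&amp;'
        // is collapsed to the bare encoded ampersand.
        result = result.replace("\"", "”");
        result = result.replace("%26amp;", "%26");
        result = QUOTED_JAVASCRIPT_URL.matcher(result).replaceAll("\"\"");
        return removeUntilStable(result, REMOVE_TAIL);
    }

    /**
     * Applies every pattern in order and repeats the whole pass until a pass changes
     * nothing, so a blacklisted fragment that only appears once neighbouring text has
     * been removed is stripped as well. Every pass can only delete text, so the loop
     * terminates.
     */
    private static String removeUntilStable(String value, Pattern[] patterns) {
        String current = value;
        String previous;
        do {
            previous = current;
            for (Pattern pattern : patterns) {
                current = pattern.matcher(current).replaceAll("");
            }
        } while (!current.equals(previous));
        return current;
    }
}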