xss漏洞,添加xssFilter后,乱码,解决方法

/*
 *
 * 更改所生成文件模板为
 * 窗口 > 首选项 > Java > 代码生成 > 代码和注释
 */
package com.bmcc.adc.filter;


import java.io.IOException;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Iterator;
import java.util.regex.Matcher;
import java.util.regex.Pattern;


import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;


public class XssFilter implements Filter {
private HashMap urls = new HashMap();


public void destroy() {
// TODO 自动生成方法存根
}


public void doFilter(ServletRequest arg0, ServletResponse arg1,
FilterChain arg2) throws IOException, ServletException {

//设置编码格式 add by zhangna
arg0.setCharacterEncoding("GBK");   //该代码进行了编码设置,防止传输中文乱码
// TODO 自动生成方法存根
HttpServletRequest request = (HttpServletRequest) arg0;
HttpServletResponse response = (HttpServletResponse) arg1;
String requrl = request.getRequestURI();
System.err.println(requrl);
if(requrl!=null&&requrl.indexOf("add_xss_update_filter_urls")!=-1){
urls.put(request.getParameter("url"), null);
System.err.println("xss add =[["+request.getParameter("url")+"]]");
}
if(requrl!=null&&requrl.indexOf("remove_xss_update_filter_urls")!=-1){
urls.remove(request.getParameter("url"));
System.err.println("xss remove =[["+request.getParameter("url")+"]]");
}
if(requrl!=null&&requrl.indexOf("list_xss_update_filter_urls")!=-1){
for (Iterator iter = urls.keySet().iterator(); iter.hasNext();) {
String element = (String) iter.next();
System.err.println("xss item =[["+element+"]]");
}
}
if (urls.containsKey(requrl)) {
if (!canDo(request, response)) {
response.sendRedirect("/index/");
return;
}
System.err.println("passed");
}
arg2.doFilter(arg0, arg1);
}


public void init(FilterConfig arg0) throws ServletException {
// TODO 自动生成方法存根
Enumeration configs = arg0.getInitParameterNames();
while (configs.hasMoreElements()) {
String element = (String) configs.nextElement();
urls.put(arg0.getInitParameter(element), null);
}
}


private boolean canDo(HttpServletRequest req, HttpServletResponse resp) {
Enumeration params = req.getParameterNames();
if(params!=null){
while (params.hasMoreElements()) {
String element = (String) params.nextElement();
String param = req.getParameter(element);
System.err.println("xss----------paramname=["+element+"]-----paramvalue=["+param+"]");
Pattern p = Pattern.compile("SCRIPT|<SCRIPT>|</SCRIPT>|DOCUMENT|ALERT");
Matcher m = p.matcher(param.toUpperCase());
if(m.find()){
return false;
}
m = p.matcher(element.toUpperCase());
if(m.find()){
return false;
}
}
return true;
}
return true;
}

}


配置文件:

   <filter>
<filter-name>XssFilter</filter-name>
<filter-class>com.bmcc.adc.filter.XssFilter</filter-class>
<init-param>
<param-name>url0</param-name>
<param-value>/WEB-INF/pages/pub/common/passivelogon_ec.jsp</param-value>
</init-param>
<init-param>
<param-name>url1</param-name>
<param-value>/edsmp/listAccountSvc.do</param-value>
</init-param>
<init-param>
<param-name>url2</param-name>
<param-value>/edsmp/serviceonlineNoLoginSub.do</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>XssFilter</filter-name>
           <url-pattern>*.do</url-pattern>
           <dispatcher>REQUEST</dispatcher>
</filter-mapping>
<filter-mapping>
<filter-name>XssFilter</filter-name>
<url-pattern>*.jsp</url-pattern>
</filter-mapping>

没有更多推荐了,返回首页