当表单的enctype=multipart/form-data时,一般的过滤器无法获取参数,所以
在springmvc配置文件注解适配器
把
org.springframework.web.servlet.mvc.annotation.AnnotationMethodHandlerAdapter
改为
com.zcj.MyAnnotationMethodHandlerAdapter,
这个类继承 Spring 的 AnnotationMethodHandlerAdapter，重写 ModelAndView handle(HttpServletRequest request, HttpServletResponse response, Object handler) 方法来实现过滤。
package com.zcj;
import java.util.Collections;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Set;
import java.util.regex.Pattern;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import javax.servlet.http.HttpServletResponse;
import org.apache.commons.lang.StringUtils;
import org.springframework.web.servlet.ModelAndView;
import org.springframework.web.servlet.mvc.annotation.AnnotationMethodHandlerAdapter;
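/**
 * Handler adapter that strips a small blacklist of script fragments from the
 * request parameters of one article-edit endpoint before the controller runs.
 * <p>Cleaned values are delivered through a request wrapper rather than by
 * editing the array returned by {@code getParameterValues}: the Servlet API does
 * not promise that array is the live backing store, so in-place edits may be
 * silently discarded by the container and the controller would still see the
 * raw input.
 * <p>The rules are a blacklist and only narrow the most obvious cases; they do
 * not replace context-aware output encoding in the view layer.
 */
public class MyAnnotationMethodHandlerAdapter extends AnnotationMethodHandlerAdapter {

    /** Request URI whose parameters are cleaned before the handler runs. */
    private static final String FILTERED_URI = "/article/addOrUpdateArticle";

    /**
     * Cleaning rules, applied in insertion order to every parameter value.
     * Key: compiled pattern; value: its replacement text.
     */
    private static final Map<Pattern, String> XSS_RULES;

    static {
        Map<Pattern, String> rules = new LinkedHashMap<Pattern, String>();
        // Quoted "javascript:..." URL becomes an empty quoted string. This rule must
        // run before the bare "script" rule, which would otherwise eat the "script"
        // inside "javascript" first and leave this one nothing to match.
        rules.put(Pattern.compile("[\"'][\\s]*javascript:(.*)[\"']", Pattern.CASE_INSENSITIVE), "\"\"");
        // The token "script" in any letter case.
        rules.put(Pattern.compile("script", Pattern.CASE_INSENSITIVE), "");
        // A call of eval(...), including its argument list.
        rules.put(Pattern.compile("eval\\((.*)\\)", Pattern.CASE_INSENSITIVE), "");
        XSS_RULES = Collections.unmodifiableMap(rules);
    }

    /**
     * Removes blacklisted fragments from a single parameter value.
     * <p>The rules are re-applied until the value stops changing, so a forbidden
     * token that only becomes contiguous after an earlier removal is still caught.
     * Every rule replaces its match with something strictly shorter, so the loop
     * terminates.
     *
     * @param value raw parameter value; may be {@code null}
     * @return the cleaned value, or {@code value} unchanged when it is {@code null} or empty
     */
    static String cleanXss(String value) {
        if (value == null || value.isEmpty()) {
            return value;
        }
        String current = value;
        String previous;
        do {
            previous = current;
            for (Map.Entry<Pattern, String> rule : XSS_RULES.entrySet()) {
                current = rule.getKey().matcher(current).replaceAll(rule.getValue());
            }
        } while (!current.equals(previous));
        return current;
    }

    /**
     * Read-only view of a request whose parameter accessors return cleaned values.
     * <p>Cleaning happens once, in the constructor, from
     * {@link HttpServletRequest#getParameterMap()}; the wrapped request itself is
     * never modified. Headers, attributes and the body pass through unchanged.
     */
    private static final class CleanedParameterRequest extends HttpServletRequestWrapper {

        /** Parameter name to cleaned values; the map itself is unmodifiable. */
        private final Map<String, String[]> cleaned;

        /**
         * @param request the request whose parameters are to be cleaned
         */
        CleanedParameterRequest(HttpServletRequest request) {
            super(request);
            @SuppressWarnings("unchecked") // pre-3.0 servlet API declares a raw Map here
            Map<String, String[]> source = request.getParameterMap();
            Map<String, String[]> result = new LinkedHashMap<String, String[]>();
            for (Map.Entry<String, String[]> entry : source.entrySet()) {
                String[] values = entry.getValue();
                String[] copy = new String[values == null ? 0 : values.length];
                for (int i = 0; i < copy.length; i++) {
                    copy[i] = cleanXss(values[i]);
                }
                result.put(entry.getKey(), copy);
            }
            this.cleaned = Collections.unmodifiableMap(result);
        }

        @Override
        public String getParameter(String name) {
            String[] values = cleaned.get(name);
            return values == null || values.length == 0 ? null : values[0];
        }

        @Override
        public String[] getParameterValues(String name) {
            String[] values = cleaned.get(name);
            // Hand out a copy so a caller cannot alter what later readers see.
            return values == null ? null : values.clone();
        }

        @Override
        public Map<String, String[]> getParameterMap() {
            return cleaned;
        }
    }

    /**
     * Cleans the request parameters for {@value #FILTERED_URI} and delegates to
     * the Spring adapter; every other request is passed through untouched.
     * <p>NOTE(review): {@code getRequestURI()} includes the context path, so this
     * match only fires when the application is deployed at the root context —
     * confirm, or compare {@code getServletPath()} instead. Wrapping a multipart
     * request hides its {@code MultipartHttpServletRequest} type from callers that
     * only look at the outer object; Spring's argument resolvers unwrap to the
     * native request, but confirm against the Spring version in use.
     *
     * @param request  incoming request
     * @param response outgoing response
     * @param handler  controller selected for the request
     * @return the handler's result, as produced by the superclass
     * @throws Exception whatever the superclass or the handler throws
     */
    @Override
    public ModelAndView handle(HttpServletRequest request, HttpServletResponse response, Object handler)
            throws Exception {
        HttpServletRequest effective = request;
        if (FILTERED_URI.equals(request.getRequestURI())) {
            effective = new CleanedParameterRequest(request);
        }
        return super.handle(effective, response, handler);
    }
}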