web.xml配置文件 


   <!-- Registers com.neusoft.common.filter.XSSFilter under the name XSSFilter ... -->
   <filter> 
    <filter-name>XSSFilter</filter-name> 
    <filter-class>com.neusoft.common.filter.XSSFilter</filter-class> 
  </filter> 
  <!-- ... and maps it to every request path ("/*"), so each request is wrapped by the filter. -->
  <filter-mapping> 
    <filter-name>XSSFilter</filter-name> 
    <url-pattern>/*</url-pattern> 
  </filter-mapping>


package com.neusoft.common.filter; 
 
 
import java.io.IOException; 
 
import javax.servlet.Filter; 
import javax.servlet.FilterChain; 
import javax.servlet.FilterConfig; 
import javax.servlet.ServletException; 
import javax.servlet.ServletRequest; 
import javax.servlet.ServletResponse; 
import javax.servlet.http.HttpServletRequest; 
 
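/**
 * Servlet filter that wraps every HTTP request in an {@link XSSRequestWrapper} so that
 * parameter and query-string values read downstream have the wrapper's deny-list
 * patterns stripped. Mapped to {@code /*} in web.xml.
 */
public class XSSFilter implements Filter {

	/** Nothing is held by this filter, so there is nothing to release. */
	@Override
	public void destroy() {
		// intentionally empty
	}

	/**
	 * Wraps HTTP requests and passes them down the chain.
	 *
	 * @param request  the incoming request; only {@link HttpServletRequest} instances are wrapped
	 * @param response the response, passed through unchanged
	 * @param chain    the remaining filter chain
	 * @throws IOException      propagated from the chain
	 * @throws ServletException propagated from the chain
	 */
	@Override
	public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
			throws IOException, ServletException {
		// Only HTTP requests can be wrapped; anything else is passed through untouched
		// instead of failing with a ClassCastException on the unconditional cast.
		if (request instanceof HttpServletRequest) {
			chain.doFilter(new XSSRequestWrapper((HttpServletRequest) request), response);
		} else {
			chain.doFilter(request, response);
		}
	}

	/** No init-params are read; the filter has no configuration. */
	@Override
	public void init(FilterConfig filterConfig) throws ServletException {
		// intentionally empty
	}

}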



package com.neusoft.common.filter; 
 
 
import java.util.Collections;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.regex.Pattern;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
 
 
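/**
 * Request wrapper that removes a fixed deny-list of script-related constructs from
 * parameter values and the query string before they reach the application.
 *
 * <p>This is a deny-list: it only removes the constructs listed in {@link #XSS_PATTERNS}
 * and is not a substitute for contextual output encoding in the view layer. Header
 * values are returned unfiltered (see {@link #getHeader(String)}).
 */
public class XSSRequestWrapper extends HttpServletRequestWrapper {

	/**
	 * Patterns applied, in this order, by {@link #stripXSS(String)}; every match is
	 * replaced with the empty string. Compiled once rather than on every request.
	 */
	private static final Pattern[] XSS_PATTERNS = {
			// Anything between <script> and </script>
			Pattern.compile("<script>(.*?)</script>", Pattern.CASE_INSENSITIVE),
			// src='...' attributes
			Pattern.compile("src[\r\n]*=[\r\n]*\\'(.*?)\\'",
					Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL),
			// src="..." attributes
			Pattern.compile("src[\r\n]*=[\r\n]*\\\"(.*?)\\\"",
					Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL),
			// Lonesome </script> tag
			Pattern.compile("</script>", Pattern.CASE_INSENSITIVE),
			// Lonesome <script ...> tag
			Pattern.compile("<script(.*?)>",
					Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL),
			// eval(...) calls
			Pattern.compile("eval\\((.*?)\\)",
					Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL),
			// expression(...) calls. The original literal carried an invisible soft-hyphen
			// (U+00AD) inside the word "expression", so it never matched real input;
			// it is written in plain ASCII here.
			Pattern.compile("expression\\((.*?)\\)",
					Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL),
			// javascript: pseudo-protocol
			Pattern.compile("javascript:", Pattern.CASE_INSENSITIVE),
			// vbscript: pseudo-protocol
			Pattern.compile("vbscript:", Pattern.CASE_INSENSITIVE),
			// onload= handlers
			Pattern.compile("onload(.*?)=",
					Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL),
	};

	/**
	 * @param request the request to wrap
	 */
	public XSSRequestWrapper(HttpServletRequest request) {
		super(request);
	}

	/**
	 * Returns the filtered values of the named parameter.
	 *
	 * @param parameter parameter name
	 * @return a new array with every value passed through {@link #stripXSS(String)},
	 *         or {@code null} when the parameter is absent
	 */
	@Override
	public String[] getParameterValues(String parameter) {
		return stripAll(super.getParameterValues(parameter));
	}

	/**
	 * Returns the filtered first value of the named parameter.
	 *
	 * @param parameter parameter name
	 * @return the filtered value, or {@code null} when the parameter is absent
	 */
	@Override
	public String getParameter(String parameter) {
		return stripXSS(super.getParameter(parameter));
	}

	/**
	 * Returns the parameter map with every value array filtered, so that code reading
	 * parameters through the map gets the same values as {@link #getParameterValues(String)}.
	 *
	 * @return an unmodifiable map of filtered values; {@code null} only if the wrapped
	 *         request returns {@code null}
	 */
	@Override
	public Map<String, String[]> getParameterMap() {
		Map<String, String[]> raw = super.getParameterMap();
		if (raw == null) {
			return null;
		}
		Map<String, String[]> cleaned = new LinkedHashMap<String, String[]>();
		for (Map.Entry<String, String[]> entry : raw.entrySet()) {
			cleaned.put(entry.getKey(), stripAll(entry.getValue()));
		}
		return Collections.unmodifiableMap(cleaned);
	}

	/**
	 * Returns the header value unchanged. Header filtering was deliberately disabled in
	 * the original (the stripXSS call is commented out); that choice is preserved here.
	 *
	 * @param name header name
	 * @return the raw header value from the wrapped request
	 */
	@Override
	public String getHeader(String name) {
		return super.getHeader(name);
	}

	/**
	 * Returns the filtered query string.
	 *
	 * @return the query string with deny-listed constructs removed, or {@code null}
	 *         when the request has none
	 */
	@Override
	public String getQueryString() {
		return stripXSS(super.getQueryString());
	}

	/**
	 * Applies {@link #stripXSS(String)} to each element of an array.
	 *
	 * @param values values to filter; may be {@code null}
	 * @return a new array of filtered values, or {@code null} when {@code values} is {@code null}
	 */
	private String[] stripAll(String[] values) {
		if (values == null) {
			return null;
		}
		String[] encodedValues = new String[values.length];
		for (int i = 0; i < values.length; i++) {
			encodedValues[i] = stripXSS(values[i]);
		}
		return encodedValues;
	}

	/**
	 * Removes every match of {@link #XSS_PATTERNS}, in order, from the given value.
	 *
	 * @param value raw value; may be {@code null}
	 * @return the filtered value, or {@code null} when {@code value} is {@code null}
	 */
	private String stripXSS(String value) {
		if (value == null) {
			return null;
		}
		String result = value;
		for (Pattern pattern : XSS_PATTERNS) {
			result = pattern.matcher(result).replaceAll("");
		}
		return result;
	}
}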


