/**
 * Filter entry point: screens the request URI and (optionally) the query string
 * for XSS / SQL-injection patterns before passing the request down the chain.
 *
 * NOTE(review): many receiver expressions in this listing were lost when the page
 * was extracted (e.g. "().toString()", "(requesturi, "UTF-8")"); the comments below
 * describe what the surviving arguments and the author's own comments suggest,
 * and should be confirmed against the original source.
 *
 * Security note: the checks here are blacklist-based string rewriting. They do not
 * replace context-aware output encoding for XSS or parameterized queries for SQL;
 * the author's closing remark on this page says the same.
 *
 * @param servletrequest  incoming request; cast to HttpServletRequest below
 * @param servletresponse outgoing response; cast to HttpServletResponse below
 * @param filterchain     the remaining filter chain
 * @throws IOException      propagated from the chain / decoding calls
 * @throws ServletException propagated from the chain
 */
public void doFilter(ServletRequest servletrequest,
ServletResponse servletresponse, FilterChain filterchain)
throws IOException, ServletException {
// flag = true: validate only the URL; flag = false: validate every field (form data included).
// NOTE(review): flag is a hard-coded local, so the else branch at the bottom is dead code
// unless this is changed to read configuration (e.g. the "encoding"/other init-params).
boolean flag = true;
if(flag){
// XSS check on the URL only
HttpServletRequest httpServletRequest = (HttpServletRequest) servletrequest;
HttpServletResponse httpServletResponse = (HttpServletResponse) servletresponse;
// Presumably the request URL as a string (receiver lost in extraction) -- confirm.
String requesturi = ().toString();
// Presumably a URL-decode of the URI as UTF-8 -- confirm. Decoding before matching is
// the right order for the path allow-list below, otherwise encoded variants would differ.
requesturi = (requesturi, "UTF-8");
// The next four checks appear to be an indexOf()-style allow-list of paths that
// skip validation entirely and go straight down the chain.
if(requesturi!=null&&("alipay_hotel_book_return.html")!=-1){
(servletrequest, servletresponse);
return;
}
if(requesturi!=null&&("account_bank_return.html")!=-1){
(servletrequest, servletresponse);
return;
}
if(requesturi!=null&&("/alipay/")!=-1){
(servletrequest, servletresponse);
return;
}
// NOTE(review): if this is indexOf("/") like the checks above, every request URI
// matches it, the chain is invoked here, and the query-string validation below is
// never reached -- confirm the intended literal against the original source.
if(requesturi!=null&&("/")!=-1){
(servletrequest, servletresponse);
return ;
}
// Wrapper whose getParameter/getHeader run cleanXSS/cleanSQLInject.
// NOTE(review): rw is only used to read the query string; the unwrapped
// servletrequest is what is passed down the chain at the end of this branch.
RequestWrapper rw = new RequestWrapper(httpServletRequest);
// Presumably the raw query string -- confirm.
String param = ();
// The null check is evaluated second; this is safe only because "".equals(null) is false.
if(!"".equals(param) && param != null) {
param = (param, "UTF-8");
// NOTE(review): originalurl is assigned but not read anywhere in this method.
String originalurl = requesturi + param;
String sqlParam = param;
// Add the SQL-injection check (only for the paths matched below; receiver lost in extraction).
if(("/") || ("/member/")){
sqlParam = (param);
}
// Presumably cleanXSS(sqlParam) -- confirm.
String xssParam = (sqlParam);
requesturi += "?"+xssParam;
// Presumably compares the original query string with its cleaned form; a difference
// means something was stripped and the request is not forwarded -- confirm.
if(!(param)){
("requesturi::::::"+requesturi);
// NOTE(review): if this writes or redirects using requesturi, it reflects a
// (blacklist-cleaned) request-derived value back to the client -- confirm what it does.
(requesturi);
("no entered.");
// (new RequestWrapper((HttpServletRequest) servletrequest), servletresponse);
return ;
}
}
// Forwards the ORIGINAL request, not rw: downstream code still sees raw parameters.
(servletrequest, servletresponse);
}else{
// Validate everything in the request, including form fields. This mode is strict and
// easily blocks legitimate form input; use with care.
(new RequestWrapper((HttpServletRequest) servletrequest), servletresponse);
}
}
requestMapping:
/**
 * No-arg constructor.
 * NOTE(review): passes null to the HttpServletRequestWrapper super constructor, which
 * rejects a null request at runtime in standard servlet containers -- confirm it is ever used.
 */
public RequestWrapper(){
super(null);
}
/**
 * Wraps the given request so that parameter and header reads pass through
 * cleanXSS / cleanSQLInject.
 *
 * @param httpservletrequest the request to wrap
 */
public RequestWrapper(HttpServletRequest httpservletrequest) {
super(httpservletrequest);
}
/**
 * Returns the wrapped request's values for parameter {@code s}, each passed through
 * cleanSQLInject and then cleanXSS. Returns null when the underlying call returns null.
 *
 * NOTE(review): the receiver of the first call and the array-length expression were
 * lost in extraction ("= (s)", "int i = ;"); presumably super.getParameterValues(s)
 * and str.length -- confirm.
 *
 * @param s parameter name
 * @return cleaned copy of the values, or null if the parameter is absent
 */
public String[] getParameterValues(String s) {
String str[] = (s);
if (str == null) {
return null;
}
int i = ;
String as1[] = new String[i];
for (int j = 0; j < i; j++) {
// SQL cleaning first, then XSS cleaning -- same order as getParameter/getHeader.
as1[j] = cleanXSS(cleanSQLInject(str[j]));
}
return as1;
}
/**
 * Returns the wrapped request's value for parameter {@code s} after
 * cleanSQLInject and cleanXSS, or null when the value is absent.
 *
 * NOTE(review): receiver lost in extraction ("= (s)"); presumably super.getParameter(s).
 *
 * @param s parameter name
 * @return cleaned value, or null
 */
public String getParameter(String s) {
String s1 = (s);
if (s1 == null) {
return null;
} else {
return cleanXSS(cleanSQLInject(s1));
}
}
/**
 * Returns the wrapped request's header {@code s} after cleanSQLInject and cleanXSS,
 * or null when the header is absent.
 *
 * NOTE(review): receiver lost in extraction ("= (s)"); presumably super.getHeader(s).
 * Rewriting header values (e.g. stripping "," or "@" in cleanXSS) can break
 * legitimate headers such as Accept or From -- confirm this is intended.
 *
 * @param s header name
 * @return cleaned header value, or null
 */
public String getHeader(String s) {
String s1 = (s);
if (s1 == null) {
return null;
} else {
return cleanXSS(cleanSQLInject(s1));
}
}
/**
 * Blacklist-style XSS cleaning of a single string: rewrites a few characters,
 * removes eval(...)/script and quoted "javascript:" fragments, then strips a
 * fixed set of characters. Logs when the input was modified.
 *
 * NOTE(review): receivers of most calls were lost in extraction. The replacements on
 * the first lines read as no-ops ("<" -> "<") in this listing; the replacement text
 * was probably an HTML entity that the page rendering decoded -- confirm against the
 * original source before relying on this.
 *
 * Security note: this is not a substitute for output encoding in the rendering layer;
 * the fixed character list below also removes characters that are legitimate in many
 * inputs (e.g. "@" in e-mail addresses, "," and ";" in free text).
 *
 * @param src raw input string (caller guarantees non-null; see getParameter)
 * @return the rewritten string
 */
public String cleanXSS(String src) {
// Keep the original so a modification can be detected and logged below.
String temp =src;
("xss---temp-->"+src);
src = ("<", "<").replaceAll(">", ">");
// if (("address")==-1)
// {
// Regex-escaped parentheses: "\\(" / "\\)" are regex literals for ( and ).
src = ("\\(", "(").replaceAll("\\)", ")");
//}
src = ("'", "'");
// NOTE(review): both patterns are compiled on every call; a static final Pattern would
// avoid that. "(.*)" is greedy, so "eval(" removes everything up to the LAST ")" on the line.
Pattern pattern=("(eval\\((.*)\\)|script)",Pattern.CASE_INSENSITIVE);
Matcher matcher=(src);
src = ("");
pattern=("[\\\"\\'][\\s]*javascript:(.*)[\\\"\\']",Pattern.CASE_INSENSITIVE);
matcher=(src);
src = ("\"\"");
// Extra script-related stripping (author's note). Case-sensitive literal replacements.
src = ("script", "").replaceAll(";", "")
.replaceAll("\"", "").replaceAll("@", "")
.replaceAll("0x0d", "")
.replaceAll("0x0a", "").replaceAll(",", "");
// Presumably "!temp.equals(src)": log only when something was changed -- confirm.
if(!(src)){
("输入信息存在xss攻击!");
("原始输入信息-->"+temp);
("处理后信息-->"+src);
}
return src;
}
// TODO (author's note): needs wildcard / mixed-case matching -- the replacements below are
// case-sensitive literal substrings.
/**
 * Blacklist-style SQL keyword rewriting: replaces a fixed set of lowercase keywords
 * with "forbid*" markers and logs when the input was modified.
 *
 * NOTE(review): the replacements are plain substring matches, so "and" and "or" also
 * rewrite ordinary words that contain them (e.g. "order", "android", "format"),
 * altering legitimate input. Keyword blacklisting is not an injection defense;
 * parameterized queries (PreparedStatement) are the control to rely on, with this
 * at most as a logging aid.
 *
 * @param src raw input string (caller guarantees non-null; see getParameter)
 * @return the rewritten string
 */
public String cleanSQLInject(String src) {
// Keep the original so a modification can be detected and logged below.
String temp =src;
// Receiver lost in extraction; presumably src.replaceAll("insert", "forbidI") -- confirm.
src = ("insert", "forbidI")
.replaceAll("select", "forbidS")
.replaceAll("update", "forbidU")
.replaceAll("delete", "forbidD")
.replaceAll("and", "forbidA")
.replaceAll("or", "forbidO");
// Presumably "!temp.equals(src)": log only when something was changed -- confirm.
if(!(src)){
("输入信息存在SQL攻击!");
("原始输入信息-->"+temp);
("处理后信息-->"+src);
}
return src;
}
xml配置:
<!-- Registers the XSS filter under the name XssFilter. -->
<filter>
<filter-name>XssFilter</filter-name>
<!-- NOTE(review): the class name is missing in this listing; the fully-qualified
     name of the filter class implementing doFilter above belongs here. -->
<filter-class></filter-class>
<!-- NOTE(review): "encoding" is not read in the doFilter shown above; it may be
     consumed in init() -- confirm, otherwise this parameter has no effect. -->
<init-param>
<param-name>encoding</param-name>
<param-value>UTF-8</param-value>
</init-param>
</filter>
<!-- Applies the filter to every request path. -->
<filter-mapping>
<filter-name>XssFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
以上代码仅仅将特殊的sql字符,特殊script脚本字符处理掉,具体的页面处理还需要后台处理!!
源码下载地址:/detail/xb12369/7145235
-------------------------------------------------2018年7月10日 16:30:42 补充-------------------------------------------------
/**
 * Escapes / strips a fixed set of XSS-related characters and fragments in a single value.
 *
 * NOTE(review): receivers were lost in extraction, and the replacement strings on the
 * first lines read as no-ops ("<" -> "<") here; they were most likely HTML entities
 * decoded by the page rendering -- confirm against the original source. If those
 * replacements do emit entities, the "&" replacement on the last line must run FIRST,
 * otherwise the entities produced earlier are double-escaped.
 *
 * @param value raw input; returned unchanged when the leading check (presumably an
 *              empty/blank test) matches
 * @return the rewritten value
 */
private String processXss(String value){
// Presumably an isEmpty/isBlank-style guard; also what keeps a null value from reaching
// the replace calls below -- confirm.
if((value)){
return value;
}
value = ("<", "<").replaceAll(">", ">");
// NOTE(review): the second call here is replace(), not replaceAll(): replace() is a
// literal match, so "\\)" looks for the two characters backslash + ")" rather than ")"
// and a bare ")" is left untouched. Inconsistent with the regex form used for "\\(".
value = ("\\(", "(").replace("\\)", ")");
value = ("'", "'");
// Greedy "(.*)": removes from "eval(" up to the last ")" in the value.
value = ("eval\\((.*)\\)", "");
value = ("[\\\"\\\'][\\s]*javascript:(.*)[\\\"\\\']", "\"\"");
// Case-sensitive literal removal of "script".
value = ("script", "");
value = ("&", "&");
return value;
}
/**
 * Returns the wrapped request's parameter after processXss.
 * NOTE(review): receiver lost in extraction; presumably super.getParameter(parameter).
 * Null handling depends on the guard at the top of processXss -- confirm.
 *
 * @param parameter parameter name
 * @return the processed value
 */
@Override
public String getParameter(String parameter) {
String value = (parameter);
return processXss(value);
}
/**
 * Returns the wrapped request's header after processXss.
 * NOTE(review): receiver lost in extraction; presumably super.getHeader(name).
 * Null handling depends on the guard at the top of processXss -- confirm.
 *
 * @param name header name
 * @return the processed header value
 */
@Override
public String getHeader(String name) {
String value = (name);
return processXss(value);
}