防止xss攻击拦截器

web.xml
<!-- Registers the XSS request-wrapper filter; the class name must match the package
     declared in XssFilter below. -->
<filter>
   <filter-name>XssSqlFilter</filter-name>
   <filter-class>com.cloudjet.izhuan.mobile.webapp.xss.XssFilter</filter-class>
</filter>
<!-- Applies to every URL, but only for the REQUEST dispatcher: FORWARD, INCLUDE and
     ERROR dispatches are not wrapped, so add those <dispatcher> elements if such paths
     also read request parameters or headers. -->
<filter-mapping>
   <filter-name>XssSqlFilter</filter-name>
   <url-pattern>/*</url-pattern>
   <dispatcher>REQUEST</dispatcher>
</filter-mapping>
XssFilter

package com.cloudjet.izhuan.mobile.webapp.xss;

import java.io.IOException;
  
import javax.servlet.Filter;    
import javax.servlet.FilterChain;    
import javax.servlet.FilterConfig;    
import javax.servlet.ServletException;    
import javax.servlet.ServletRequest;    
import javax.servlet.ServletResponse;    
import javax.servlet.http.HttpServletRequest;


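/**
 * XSS过滤器
 *
 * Servlet filter that wraps each incoming HTTP request in an
 * {@link XssHttpServletRequestWrapper}, so that parameter and header values
 * read downstream are HTML-encoded before they are used.
 *
 * Only the request is wrapped; the filter does nothing for values that are
 * read through other APIs (request body, attributes, cookies) or that were
 * already stored before the filter ran.
 *
 * @Author lijun
 */
public class XssFilter implements Filter {
    FilterConfig filterConfig = null;

    /**
     * Keeps the container-supplied configuration. No init-params are read.
     *
     * @param filterConfig configuration passed by the servlet container
     */
    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
        this.filterConfig = filterConfig;
    }

    /** Drops the configuration reference when the container unloads the filter. */
    @Override
    public void destroy() {
        this.filterConfig = null;
    }

    /**
     * Wraps the request and continues the filter chain.
     *
     * Only HTTP requests can be wrapped. A non-HTTP {@link ServletRequest} is
     * passed through unchanged rather than failing with a
     * {@code ClassCastException} on an unconditional cast.
     *
     * @param request  the incoming request
     * @param response the outgoing response (not wrapped)
     * @param chain    the remaining filter chain
     * @throws IOException      propagated from the chain
     * @throws ServletException propagated from the chain
     */
    @Override
    public void doFilter(ServletRequest request, ServletResponse response,
            FilterChain chain) throws IOException, ServletException {
        ServletRequest toPass = request;
        if (request instanceof HttpServletRequest) {
            toPass = new XssHttpServletRequestWrapper((HttpServletRequest) request);
        }
        chain.doFilter(toPass, response);
    }

}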

XssHttpServletRequestWrapper
package com.cloudjet.izhuan.mobile.webapp.xss;


import java.util.Collections;
import java.util.LinkedHashMap;
import java.util.Map;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;

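/**
 * 过滤 xss
 *
 * Request wrapper that HTML-encodes parameter and header values as they are
 * read. Characters that carry meaning in HTML or JavaScript
 * ({@code & < > " ' ( )}) are replaced by character references in
 * {@link #cleanXSS(String)}. Encoding is lossless: nothing is stripped, so a
 * legitimate value such as the word "description" is returned intact, and
 * the original text can always be recovered by decoding.
 *
 * Encoding at read time is a defence-in-depth measure only. The reliable
 * control against XSS is contextual output encoding at the point where a
 * value is written into a page; this wrapper does not touch the request
 * body, attributes or cookies.
 *
 * @Author lijun
 */
public class XssHttpServletRequestWrapper extends HttpServletRequestWrapper {

    /**
     * @param servletRequest the request to wrap
     */
    public XssHttpServletRequestWrapper(HttpServletRequest servletRequest) {
        super(servletRequest);
    }

    /**
     * @return every value of {@code parameter}, each encoded; {@code null}
     *         when the parameter is absent
     */
    @Override
    public String[] getParameterValues(String parameter) {
        return cleanAll(super.getParameterValues(parameter));
    }

    /**
     * @return the first value of {@code parameter}, encoded; {@code null}
     *         when the parameter is absent
     */
    @Override
    public String getParameter(String parameter) {
        String value = super.getParameter(parameter);
        return value == null ? null : cleanXSS(value);
    }

    /**
     * Overridden so that callers reading parameters through the map receive
     * the same encoding as {@link #getParameter(String)}; otherwise the map
     * would be an unencoded side channel to the same data.
     *
     * @return an unmodifiable copy of the parameter map with encoded values
     */
    @Override
    public Map<String, String[]> getParameterMap() {
        Map<String, String[]> raw = super.getParameterMap();
        Map<String, String[]> cleaned = new LinkedHashMap<String, String[]>();
        for (Map.Entry<String, String[]> entry : raw.entrySet()) {
            cleaned.put(entry.getKey(), cleanAll(entry.getValue()));
        }
        return Collections.unmodifiableMap(cleaned);
    }

    /**
     * @return the header value, encoded; {@code null} when the header is absent
     */
    @Override
    public String getHeader(String name) {
        String value = super.getHeader(name);
        return value == null ? null : cleanXSS(value);
    }

    /**
     * Encodes each element of {@code values}.
     *
     * @param values array to encode, possibly {@code null}
     * @return a new array with encoded elements, or {@code null} for
     *         {@code null} input; {@code null} elements stay {@code null}
     */
    private static String[] cleanAll(String[] values) {
        if (values == null) {
            return null;
        }
        String[] encoded = new String[values.length];
        for (int i = 0; i < values.length; i++) {
            encoded[i] = values[i] == null ? null : cleanXSS(values[i]);
        }
        return encoded;
    }

    /**
     * Replaces HTML/JavaScript-significant characters with character
     * references in a single pass.
     *
     * {@code &} is encoded as well so the result is well-formed and cannot
     * be decoded into anything other than the original input; {@code "} is
     * encoded because a value placed in an attribute would otherwise be able
     * to close it. No keyword stripping is done: removing substrings both
     * damages legitimate input and is not a dependable control.
     *
     * @param value non-null text to encode
     * @return the encoded text
     */
    private static String cleanXSS(String value) {
        StringBuilder out = new StringBuilder(value.length() + 16);
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            switch (c) {
                case '&':
                    out.append("&amp;");
                    break;
                case '<':
                    out.append("&lt;");
                    break;
                case '>':
                    out.append("&gt;");
                    break;
                case '"':
                    out.append("&quot;");
                    break;
                case '\'':
                    out.append("&#39;");
                    break;
                case '(':
                    out.append("&#40;");
                    break;
                case ')':
                    out.append("&#41;");
                    break;
                default:
                    out.append(c);
            }
        }
        return out.toString();
    }

}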



转载自blog.csdn.net/heihei_100/article/details/80679910