XSS漏洞解决方案之一:过滤器(转载)

一:web.xml文件

 
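<!-- XSS mitigation: every request is wrapped so that parameter and header
     values are filtered before the application reads them. -->
   <filter>
     <filter-name>xssFilter</filter-name>
     <!-- NOTE: the XSSFilter source on this page declares package
          com.rigel.sandbox.core.filter; this value must match the package of
          the class actually deployed, otherwise the container cannot load it. -->
     <filter-class>com.baidu.rigel.sandbox.core.filter.XSSFilter</filter-class>
   </filter>

   <!-- Apply the filter to every URL. -->
   <filter-mapping>
     <filter-name>xssFilter</filter-name>
     <url-pattern>/*</url-pattern>
   </filter-mapping>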
 
   <!-- 解决xss漏洞 -->
   < filter >
     < filter-name >xssFilter</ filter-name >
      < filter-class >com.baidu.rigel.sandbox.core.filter.XSSFilter</ filter-class >
   </ filter >
 
   <!-- 解决xss漏洞 -->
   < filter-mapping >
     < filter-name >xssFilter</ filter-name >
     < url-pattern >/*</ url-pattern >
   </ filter-mapping >

 

 
 
 
 
二:过滤器:XSSFilter.java
 
 
 
package com.rigel.sandbox.core.filter; 
   
import java.io.IOException; 
   
import javax.servlet.Filter; 
import javax.servlet.FilterChain; 
import javax.servlet.FilterConfig; 
import javax.servlet.ServletException; 
import javax.servlet.ServletRequest; 
import javax.servlet.ServletResponse; 
import javax.servlet.http.HttpServletRequest; 
   
import com.rigel.sandbox.core.util.XssHttpServletRequestWrapper; 
   
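/**
 * Servlet filter that wraps every HTTP request in
 * {@link XssHttpServletRequestWrapper}, so that code downstream reading
 * {@code getParameter(String)} or {@code getHeader(String)} receives values
 * with the common XSS metacharacters rewritten.
 * <p>
 * The wrapper overrides only those two accessors: values obtained through
 * {@code getParameterValues}, {@code getParameterMap}, {@code getHeaders} or
 * the request body reach the application unchanged. Use it as defence in
 * depth alongside context-aware output encoding, not instead of it.
 */
public class XSSFilter implements Filter {

    /** No configuration is consumed; the filter has no settings. */
    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
    }

    /**
     * Wraps the request and continues the chain.
     *
     * @throws ServletException if the request is not an
     *         {@link HttpServletRequest}; the request is rejected rather than
     *         passed through unfiltered
     */
    @Override
    public void doFilter(ServletRequest request, ServletResponse response,
            FilterChain chain) throws IOException, ServletException {
        // Fail closed: an unexpected request type must not bypass the wrapper.
        // The unguarded cast this replaces would have surfaced as an opaque
        // ClassCastException.
        if (!(request instanceof HttpServletRequest)) {
            throw new ServletException(
                    "XSSFilter requires an HttpServletRequest, got "
                            + request.getClass().getName());
        }
        HttpServletRequest httpRequest = (HttpServletRequest) request;
        chain.doFilter(new XssHttpServletRequestWrapper(httpRequest), response);
    }

    /** Nothing to release. */
    @Override
    public void destroy() {
    }
}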
 
package com.rigel.sandbox.core.filter;
 
import java.io.IOException;
 
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
 
import com.rigel.sandbox.core.util.XssHttpServletRequestWrapper;
 
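/**
 * Servlet filter that wraps every HTTP request in
 * {@link XssHttpServletRequestWrapper}, so that code downstream reading
 * {@code getParameter(String)} or {@code getHeader(String)} receives values
 * with the common XSS metacharacters rewritten.
 * <p>
 * The wrapper overrides only those two accessors: values obtained through
 * {@code getParameterValues}, {@code getParameterMap}, {@code getHeaders} or
 * the request body reach the application unchanged. Use it as defence in
 * depth alongside context-aware output encoding, not instead of it.
 */
public class XSSFilter implements Filter {

    /** No configuration is consumed; the filter has no settings. */
    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
    }

    /**
     * Wraps the request and continues the chain.
     *
     * @throws ServletException if the request is not an
     *         {@link HttpServletRequest}; the request is rejected rather than
     *         passed through unfiltered
     */
    @Override
    public void doFilter(ServletRequest request, ServletResponse response,
            FilterChain chain) throws IOException, ServletException {
        // Fail closed: an unexpected request type must not bypass the wrapper.
        // The unguarded cast this replaces would have surfaced as an opaque
        // ClassCastException.
        if (!(request instanceof HttpServletRequest)) {
            throw new ServletException(
                    "XSSFilter requires an HttpServletRequest, got "
                            + request.getClass().getName());
        }
        HttpServletRequest httpRequest = (HttpServletRequest) request;
        chain.doFilter(new XssHttpServletRequestWrapper(httpRequest), response);
    }

    /** Nothing to release. */
    @Override
    public void destroy() {
    }
}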

 

 
 
 
 
 
 
 
三:包装器:XssHttpServletRequestWrapper.java
 
package com.rigel.sandbox.core.util; 
   
import javax.servlet.http.HttpServletRequest; 
import javax.servlet.http.HttpServletRequestWrapper; 
   
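/**
 * Request wrapper that rewrites the ASCII characters most often used to break
 * out of HTML context ({@code < > ' " &}) into their full-width Unicode
 * equivalents in parameter and header values, as the original documentation
 * describes. As printed on this page the replacement characters had collapsed
 * to their half-width originals (making the filter a no-op) and the
 * double-quote case was not valid Java; both are restored here.
 * <p>
 * Coverage is deliberately narrow: only {@link #getParameter(String)} and
 * {@link #getHeader(String)} are overridden. {@code getParameterValues},
 * {@code getParameterMap}, {@code getHeaders} and the request body are
 * returned unchanged, so a consumer reading through those paths still sees
 * the raw input. The substitution is also lossy (the caller cannot recover the
 * original characters from the wrapped value); treat it as defence in depth,
 * not a substitute for context-aware output encoding.
 */
public class XssHttpServletRequestWrapper extends HttpServletRequestWrapper {

    /** The request exactly as received, before wrapping. */
    final HttpServletRequest orgRequest;

    // Full-width replacements for the five characters that are rewritten.
    private static final char FULLWIDTH_GT = '\uFF1E';   // ＞
    private static final char FULLWIDTH_LT = '\uFF1C';   // ＜
    private static final char FULLWIDTH_APOS = '\uFF07'; // ＇
    private static final char FULLWIDTH_QUOT = '\uFF02'; // ＂
    private static final char FULLWIDTH_AMP = '\uFF06';  // ＆

    /**
     * @param request the request to wrap (the superclass rejects {@code null})
     */
    public XssHttpServletRequestWrapper(HttpServletRequest request) {
        super(request);
        orgRequest = request;
    }

    /**
     * Returns the parameter value with XSS metacharacters rewritten.
     * <p>
     * The name is rewritten before lookup as well, so a parameter whose name
     * contains one of the rewritten characters cannot be retrieved through
     * this method. {@code super.getParameterValues(name)} yields the raw value.
     *
     * @param name parameter name
     * @return the filtered value, or {@code null} when the parameter is absent
     */
    @Override
    public String getParameter(String name) {
        String raw = super.getParameter(xssEncode(name));
        return raw == null ? null : xssEncode(raw);
    }

    /**
     * Returns the header value with XSS metacharacters rewritten.
     * <p>
     * Only the single-value accessor is covered; {@code super.getHeaders(name)}
     * yields the raw values and {@code getHeaderNames} is not overridden.
     *
     * @param name header name
     * @return the filtered value, or {@code null} when the header is absent
     */
    @Override
    public String getHeader(String name) {
        String raw = super.getHeader(xssEncode(name));
        return raw == null ? null : xssEncode(raw);
    }

    /**
     * Replaces {@code > < ' " &} with their full-width equivalents so the
     * result can no longer open a tag, attribute or entity in HTML.
     *
     * @param s input, may be {@code null}
     * @return the rewritten string; {@code null} and the empty string are
     *         returned unchanged
     */
    private static String xssEncode(String s) {
        if (s == null || s.isEmpty()) {
            return s;
        }
        // Every replacement is a single char, so the length does not grow.
        StringBuilder sb = new StringBuilder(s.length());
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '>':
                    sb.append(FULLWIDTH_GT);
                    break;
                case '<':
                    sb.append(FULLWIDTH_LT);
                    break;
                case '\'':
                    sb.append(FULLWIDTH_APOS);
                    break;
                case '"':
                    sb.append(FULLWIDTH_QUOT);
                    break;
                case '&':
                    sb.append(FULLWIDTH_AMP);
                    break;
                default:
                    sb.append(c);
                    break;
            }
        }
        return sb.toString();
    }

    /**
     * Returns the request handed to the constructor, bypassing the filtering.
     *
     * @return the unwrapped request
     */
    public HttpServletRequest getOrgRequest() {
        return orgRequest;
    }

    /**
     * Unwraps a request if it is a {@code XssHttpServletRequestWrapper}.
     * <p>
     * Only a direct instance of this wrapper is unwrapped; a request wrapped
     * again by some other {@code HttpServletRequestWrapper} is returned as-is.
     *
     * @param req any request, possibly wrapped by this class
     * @return the original request when {@code req} is this wrapper, else
     *         {@code req} itself
     */
    public static HttpServletRequest getOrgRequest(HttpServletRequest req) {
        if (req instanceof XssHttpServletRequestWrapper) {
            return ((XssHttpServletRequestWrapper) req).getOrgRequest();
        }
        return req;
    }
}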

 原文地址:http://www.2cto.com/Article/201309/247100.html


转载自wb284551926.iteye.com/blog/2259049