随着社会的发展，企业对项目的要求越来越高，特别是和安全相关的项目，要求不能有注入、XSS 等漏洞。博主今天分享一个对请求参数做 XSS 转义的过滤器。
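package com.vti.filter;

import java.io.IOException;
import java.util.Arrays;
import java.util.Collections;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;

/**
 * Servlet filter that HTML-escapes request parameters before they reach the application.
 *
 * <p>On the wrapped request, {@code getParameter}, {@code getParameterValues} and
 * {@code getParameterMap} return values in which {@code & < > " '} are replaced by their HTML
 * entities. Parameter names listed in the comma-separated {@code exclude} init-param are passed
 * through unchanged.
 *
 * <p>Limitations a deployer must be aware of:
 * <ul>
 *   <li>This is a blunt input filter, not output encoding. The escaped text is what the
 *       application stores and processes (e.g. {@code AT&T} arrives as {@code AT&amp;T}), and the
 *       entities are only appropriate for HTML body/attribute context, not for JavaScript, URL or
 *       CSS contexts. Context-aware encoding at the point of output is still required.</li>
 *   <li>Only request parameters are touched. Headers and cookies, {@code getQueryString},
 *       path info and request bodies read as a stream (JSON, XML, multipart) are not escaped.</li>
 *   <li>Each name in {@code exclude} is a deliberate hole: that parameter reaches the application
 *       unescaped.</li>
 * </ul>
 */
public class RequestParameterFilter implements Filter {

    /** Parameter names that bypass escaping; empty until {@link #init} reads the init-param. */
    private List<String> excludeNames = Collections.emptyList();

    /** Returns the read-only list of parameter names that are not escaped (never null). */
    public List<String> getExcludeNames() {
        return excludeNames;
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        // Only HTTP requests are wrapped; a non-HTTP request is passed through instead of
        // failing with a ClassCastException.
        if (request instanceof HttpServletRequest) {
            request = new EscapingRequestWrapper((HttpServletRequest) request);
        }
        chain.doFilter(request, response);
    }

    @Override
    public void init(FilterConfig config) throws ServletException {
        String exclude = config.getInitParameter("exclude");
        if (exclude != null && !exclude.trim().isEmpty()) {
            // Trim each entry so "a, b" in web.xml excludes "b" rather than " b".
            String[] names = exclude.split(",");
            for (int i = 0; i < names.length; i++) {
                names[i] = names[i].trim();
            }
            excludeNames = Collections.unmodifiableList(Arrays.asList(names));
        }
    }

    @Override
    public void destroy() {
    }

    /** True if the parameter is listed in the exclude init-param and must not be escaped. */
    private boolean isExcluded(String name) {
        return excludeNames.contains(name);
    }

    /**
     * Replaces the characters that are significant in HTML with their entity form.
     *
     * <p>{@code &} is escaped as well so that the output is unambiguous and an already-present
     * entity in the input is not interpreted as our own output. {@code "} and {@code '} are
     * included because a value reflected into an attribute can break out of it without ever
     * containing {@code <}.
     *
     * @param value raw parameter value, may be null
     * @return the escaped value, or the input unchanged when it is null or empty
     */
    protected String replaceXss(String value) {
        if (value == null || value.isEmpty()) {
            return value;
        }
        StringBuilder out = new StringBuilder(value.length() + 16);
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            switch (c) {
                case '&':
                    out.append("&amp;");
                    break;
                case '<':
                    out.append("&lt;");
                    break;
                case '>':
                    out.append("&gt;");
                    break;
                case '"':
                    out.append("&quot;");
                    break;
                case '\'':
                    out.append("&#x27;");
                    break;
                default:
                    out.append(c);
            }
        }
        return out.toString();
    }

    /**
     * Escapes every element of a parameter-value array into a fresh array.
     *
     * @param values array from the underlying request, may be null when the parameter is absent
     * @return a new array of escaped values, or null if {@code values} is null
     */
    private String[] replaceXss(String[] values) {
        if (values == null) {
            return null;
        }
        // Copy rather than escape in place: the container may hand out its internal array.
        String[] escaped = new String[values.length];
        for (int i = 0; i < values.length; i++) {
            escaped[i] = replaceXss(values[i]);
        }
        return escaped;
    }

    /**
     * Request wrapper that escapes parameter values on every parameter access path.
     *
     * <p>{@code getParameterMap} is overridden along with the single-name accessors; without it
     * any code that binds from the map would read the raw values.
     */
    private class EscapingRequestWrapper extends HttpServletRequestWrapper {

        EscapingRequestWrapper(HttpServletRequest request) {
            super(request);
        }

        @Override
        public String getParameter(String name) {
            String raw = super.getParameter(name);
            return isExcluded(name) ? raw : replaceXss(raw);
        }

        @Override
        public String[] getParameterValues(String name) {
            String[] raw = super.getParameterValues(name);
            return isExcluded(name) ? raw : replaceXss(raw);
        }

        @Override
        public Map<String, String[]> getParameterMap() {
            Map<String, String[]> raw = super.getParameterMap();
            Map<String, String[]> escaped = new LinkedHashMap<String, String[]>();
            for (Map.Entry<String, String[]> entry : raw.entrySet()) {
                String name = entry.getKey();
                String[] values = entry.getValue();
                escaped.put(name, isExcluded(name) ? values : replaceXss(values));
            }
            return Collections.unmodifiableMap(escaped);
        }
    }
}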
看到这，想必大家都懂了。需要提醒的是：这种在入口处统一转义请求参数的做法只是一道粗粒度的防线——转义后的值会原样进入业务层和数据库，且只覆盖请求参数，不覆盖请求头、Cookie 和以流方式读取的请求体（如 JSON）；真正可靠的 XSS 防御仍然是在输出到页面时按上下文进行编码。最后演示下怎么使用：
<!-- Register the parameter-escaping filter. Every name in "exclude" (comma separated)
     is a parameter that reaches the application UNESCAPED, so keep the list short and
     review each entry. -->
<filter>
    <filter-name>Xss Filter</filter-name>
    <filter-class>com.vti.filter.RequestParameterFilter</filter-class>
    <init-param>
        <param-name>exclude</param-name>
        <param-value>option</param-value>
    </init-param>
</filter>
<!-- Apply to every URL. Only request parameters are escaped by this filter; headers,
     cookies and request bodies read as a stream are passed through unchanged. -->
<filter-mapping>
    <filter-name>Xss Filter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>