Filter代码:
import java.io.IOException;
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import java.util.regex.PatternSyntaxException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import com.util.StrUtil;
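/**
 * Servlet filter that rejects requests whose URL-decoded query string matches one of the
 * configured cross-site-scripting signatures (responds with 400 Bad Request).
 *
 * <p>The signatures come from the {@code xss-patterns} init parameter: a semicolon-separated
 * list of regular expressions, each compiled case-insensitively. They are compiled once in
 * {@link #init(FilterConfig)} instead of on every request, and blank entries (for example the
 * one produced by a trailing ";") are skipped — a bare "(?i)" would match every query string
 * and block all traffic.
 *
 * <p>Scope: only the query string is inspected; request bodies, headers and cookies pass
 * through unchanged, and the query string is decoded exactly once. A signature blocklist is a
 * defence-in-depth measure, not a replacement for contextual output encoding.
 */
public class XSSFilter implements Filter {
    private FilterConfig filterConfig = null;
    /** Raw value of the {@code xss-patterns} init parameter ("" when unset), kept for logging. */
    private String xssPatterns = "";
    /** Compiled signatures; empty when {@code xss-patterns} is unset or blank. */
    private List<Pattern> patterns = new ArrayList<Pattern>();

    public void destroy() {
        this.filterConfig = null;
        this.xssPatterns = "";
        this.patterns = new ArrayList<Pattern>();
    }

    /**
     * Decodes the query string and either rejects the request with 400 or passes it down the chain.
     *
     * @param request  the incoming request; cast to {@link HttpServletRequest}
     * @param response the outgoing response; cast to {@link HttpServletResponse}
     * @param chain    the remaining filter chain
     * @throws IOException      propagated from {@code sendError} / the chain
     * @throws ServletException propagated from the chain
     */
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        System.out.println("==进入xss过滤器===");
        System.out.println("==xssPatterns===" + xssPatterns);
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse resp = (HttpServletResponse) response;

        String queryString;
        try {
            // Explicit charset: the one-argument URLDecoder.decode overload is deprecated and
            // falls back to the platform default encoding.
            queryString = URLDecoder.decode(StrUtil.formatNull(req.getQueryString()),
                    StandardCharsets.UTF_8.name());
        } catch (IllegalArgumentException e) {
            // Malformed percent-encoding (e.g. a lone '%') is a client error; previously it
            // escaped as an uncaught exception and surfaced as a 500.
            System.out.println("请求参数中的URL编码无效:" + HttpServletResponse.SC_BAD_REQUEST);
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }

        if (matchesAny(queryString)) {
            System.out.println("检测到您发送请求中的参数中含有跨站脚本编制非法字符:" + HttpServletResponse.SC_BAD_REQUEST);
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }
        System.out.println("=================");
        chain.doFilter(request, response);
    }

    /**
     * Reads and compiles the {@code xss-patterns} init parameter.
     *
     * @param filterConfig container-supplied configuration
     * @throws ServletException if an entry is not a valid regular expression, so a bad
     *                          configuration fails at startup rather than on the first request
     */
    public void init(FilterConfig filterConfig) throws ServletException {
        this.filterConfig = filterConfig;
        this.xssPatterns = StrUtil.formatNull(filterConfig.getInitParameter("xss-patterns"));
        this.patterns = compilePatterns(this.xssPatterns);
    }

    /** Returns true when any compiled signature is found anywhere in {@code decodedQuery}. */
    private boolean matchesAny(String decodedQuery) {
        for (Pattern p : patterns) {
            Matcher m = p.matcher(decodedQuery);
            if (m.find()) {
                return true;
            }
        }
        return false;
    }

    /**
     * Splits {@code spec} on ';' and compiles every non-blank entry case-insensitively.
     * Entries are compiled as written (not trimmed) so that deliberate leading/trailing
     * whitespace in a signature keeps its meaning.
     */
    private static List<Pattern> compilePatterns(String spec) throws ServletException {
        List<Pattern> compiled = new ArrayList<Pattern>();
        if (spec.trim().length() == 0) {
            return compiled;
        }
        for (String entry : spec.split(";")) {
            if (entry.trim().length() == 0) {
                continue; // "(?i)" on its own matches everything
            }
            try {
                compiled.add(Pattern.compile("(?i)" + entry));
            } catch (PatternSyntaxException e) {
                throw new ServletException("invalid xss-patterns entry: " + entry, e);
            }
        }
        return compiled;
    }
}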
Config配置:
import java.util.Map;
import org.springframework.boot.web.servlet.FilterRegistrationBean;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import com.google.common.collect.Maps;
import com.XSSFilter;
@Configuration
public class FilterConfig {
    /**
     * Registers {@link XSSFilter} on every URL pattern with order 1.
     *
     * <p>XSSFilter reads its signatures from the {@code xss-patterns} init parameter (a
     * semicolon-separated list of regular expressions). No such parameter is supplied here, so
     * as registered the filter passes every request through unchanged; populate
     * {@code initParameters} with that key before relying on it.
     */
    @Bean
    public FilterRegistrationBean xssFilterRegistrationBean() {
        FilterRegistrationBean registration = new FilterRegistrationBean();
        registration.setFilter(new XSSFilter());
        registration.setOrder(1);
        registration.setEnabled(true);
        registration.addUrlPatterns("/*");

        // Intentionally empty for now. Earlier drafts carried "excludes" and
        // "isIncludeRichText" entries, which XSSFilter does not read.
        Map<String, String> initParameters = Maps.newHashMap();
        registration.setInitParameters(initParameters);
        return registration;
    }
}
工具类:
/** String helpers shared across the project. */
public class StrUtil {
    /**
     * Normalises an "absent" value to the empty string.
     *
     * @param str any value; {@code null} and the literal string {@code "null"} count as absent
     * @return {@code ""} when {@code str} is absent, otherwise {@code str.toString()}
     */
    public static String formatNull(Object str) {
        if (str == null) {
            return "";
        }
        if ("null".equals(str)) {
            return "";
        }
        return str.toString();
    }
}