[Technical Summary] XSS filtering with a Servlet Filter

In general, any system that processes form data has to handle XSS attacks and escaping for the submitted values. The problem is the same everywhere, so it is not practical to repeat the handling code at every place a submitted form is processed. It is usually handled centrally, by intercepting requests in a Filter or an Interceptor.

This article describes XSS filtering done in a Filter.

The general process
A Filter intercepts the request and wraps the ordinary request in a custom XSS request wrapper. From then on, every parameter read through the wrapped request passes through the XSS handling.

The main implementation classes:

XssFilter

import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;

public class XssFilter implements Filter {

    // Request URIs exempted from XSS filtering (upload / import / export endpoints).
    private static final String[] EXCLUDE_URIS = new String[] {
            "/archivefiles/ajaxsimpleupload"  // upload full text
            , "/archivefiles/ajaxuploadannex" // upload attachment
            , "/importfilelist"               // import file
            , "/export"                       // export file
    };

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        // UrlUtils is a project helper (not shown in the article) that returns the request URI.
        String reqURI = UrlUtils.getReqURI(req);

        // XSS filtering is on by default; when the request is for an excluded URI,
        // pass the original request through instead of the wrapper.
        ServletRequest newRequest = new XssHttpServletRequestWrapper(req);
        for (String excludeUri : EXCLUDE_URIS) {
            if (reqURI.contains(excludeUri)) {
                newRequest = request;
                break;
            }
        }
        chain.doFilter(newRequest, response);
    }

    @Override
    public void init(FilterConfig filterConfig) {
    }

    @Override
    public void destroy() {
    }
}

XssHttpServletRequestWrapper

import java.util.Arrays;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;

/**
 * XSS handling implemented by overriding the parameter-reading methods.
 * JacksonUtils and XssUtils are project helpers not shown in the article:
 * XssUtils.transferJson() handles a JSON-encoded value, XssUtils.xssReplace() a plain string.
 */
public class XssHttpServletRequestWrapper extends HttpServletRequestWrapper {

  public XssHttpServletRequestWrapper(HttpServletRequest request) {
    super(request);
  }

  @Override
  public String getParameter(String name) {
    String value = super.getParameter(name);
    if (value != null) {
      value = xssReplace(value);
    }
    return value;
  }

  @Override
  public String[] getParameterValues(String name) {
    String[] values = super.getParameterValues(name);
    if (values != null && values.length > 0) {
      // Filter a copy rather than mutating the array owned by the container.
      values = Arrays.copyOf(values, values.length);
      for (int i = 0; i < values.length; i++) {
        values[i] = xssReplace(values[i]);
      }
    }
    return values;
  }

  @Override
  public String getHeader(String name) {
    String value = super.getHeader(name);
    if (value != null) {
      value = xssReplace(value);
    }
    return value;
  }

  private String xssReplace(String value) {
    String result;
    if (JacksonUtils.isJsonObjectOrJsonArray(value)) {
      // JSON-encoded value: filter the values inside it.
      result = XssUtils.transferJson(value);
    } else {
      // Plain value: filter the parameter value.
      result = XssUtils.xssReplace(value);
    }
    return result;
  }
}

Origin blog.csdn.net/Code_shadow/article/details/103125060