Configure XssFilter (a request-wrapper that strips script-like tokens from request parameters and headers; note that such a blacklist only reduces exposure to XSS and does not replace context-aware output encoding in the view layer)
1. web.xml
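<!-- XssFilter: mitigation for XSS via request parameters/headers.
     The filter wraps every request (url-pattern /*) in XssShellInterceptor, which strips
     a blacklist of script-like tokens. This is defence in depth only; output encoding in
     the views is still required. -->
<filter>
    <filter-name>XssFilter</filter-name>
    <filter-class>com.xxx.filter.XssFilter</filter-class>
</filter>
<filter-mapping>
    <filter-name>XssFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>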
2. XssFilter:
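package com.xxx.filter;

import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;

/**
 * Servlet filter that wraps each HTTP request in {@link XssShellInterceptor} so that
 * parameter and header values read by downstream filters and servlets pass through the
 * interceptor's blacklist stripping. Mapped in web.xml to {@code /*}.
 *
 * <p>Security note (review): the wrapper only covers code that reads through its
 * overridden accessors. The raw request body (JSON/XML/multipart), the query string and
 * anything read by filters that run before this one are not touched. Treat the filter as
 * defence in depth; context-aware output encoding remains the primary XSS control.</p>
 */
public class XssFilter implements Filter {

    /** Configuration handed over by the container in {@link #init}; cleared in {@link #destroy}. */
    private FilterConfig filterConfig = null;

    /**
     * Stores the container-supplied configuration.
     *
     * @param filterConfig configuration object passed by the servlet container
     * @throws ServletException never thrown here; declared by the {@link Filter} contract
     */
    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
        this.filterConfig = filterConfig;
    }

    /**
     * Wraps HTTP requests in {@link XssShellInterceptor} and continues the chain.
     *
     * <p>Non-HTTP requests are passed through unwrapped: the wrapper only knows how to
     * clean HTTP parameters and headers, and an unconditional cast would fail for any
     * other request type.</p>
     *
     * @param request  incoming request
     * @param response outgoing response (passed through unchanged)
     * @param chain    remaining filter chain
     * @throws IOException      propagated from the chain
     * @throws ServletException propagated from the chain
     */
    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        if (request instanceof HttpServletRequest) {
            chain.doFilter(new XssShellInterceptor((HttpServletRequest) request), response);
        } else {
            chain.doFilter(request, response);
        }
    }

    /** Drops the reference to the container configuration. */
    @Override
    public void destroy() {
        this.filterConfig = null;
    }
}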
XssShellInterceptor:
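package com.xxx.filter;

import java.util.ArrayList;
import java.util.Collections;
import java.util.Enumeration;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.regex.Pattern;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;

/**
 * Request wrapper that runs parameter and header values through a character/keyword
 * blacklist before the application sees them.
 *
 * <p>Security note (review): this is a blacklist and blacklists are bypassable. Event
 * handler attributes ({@code onerror=}, {@code onload=}), entity- or URL-encoded payloads,
 * SVG/MathML vectors, the request body (JSON/XML/multipart), {@code getQueryString()},
 * cookies and {@code getInputStream()}/{@code getReader()} are all untouched here. Use it
 * as defence in depth only; context-aware output encoding in the view layer is the real
 * XSS control. The stripping also mangles legitimate input (apostrophes in names,
 * semicolons in header values such as {@code Content-Type}), so confirm the affected
 * parameters and headers can tolerate that.</p>
 *
 * <p>Compared with a plain chain of {@code replaceAll} calls, the matching here is
 * case-insensitive (so {@code JavaScript}/{@code SCRIPT} no longer slip through) and is
 * repeated until the value stops changing, so tokens that reassemble after one pass
 * ({@code scr<script>ipt} becomes {@code script}) are also removed. The parameter map and
 * multi-valued header accessor are overridden as well, because frameworks read parameters
 * through {@code getParameterMap()} and would otherwise bypass the filter.</p>
 */
public class XssShellInterceptor extends HttpServletRequestWrapper {

    /**
     * Everything removed from a value. Longer alternatives precede {@code script} so that
     * {@code javascript}/{@code jscript}/{@code vbscript} are consumed as a whole match.
     */
    private static final Pattern BLACKLIST =
            Pattern.compile("[';<>]|javascript|jscript|vbscript|script", Pattern.CASE_INSENSITIVE);

    /**
     * @param request the HTTP request to wrap
     */
    public XssShellInterceptor(HttpServletRequest request) {
        super(request);
    }

    /**
     * Returns the cleaned values of a multi-valued parameter.
     *
     * @param parameter parameter name
     * @return cleaned copy of the values, or {@code null} if the parameter is absent
     */
    @Override
    public String[] getParameterValues(String parameter) {
        return cleanAll(super.getParameterValues(parameter));
    }

    /**
     * Returns the cleaned value of a single parameter.
     *
     * @param parameter parameter name
     * @return cleaned value, or {@code null} if the parameter is absent
     */
    @Override
    public String getParameter(String parameter) {
        String value = super.getParameter(parameter);
        return value == null ? null : cleanXSS(value);
    }

    /**
     * Returns a parameter map whose values have been cleaned. Without this override,
     * code that binds request data through the map (rather than {@code getParameter})
     * would read the raw values.
     *
     * @return unmodifiable map of cleaned parameter values
     */
    @Override
    public Map<String, String[]> getParameterMap() {
        Map<String, String[]> raw = super.getParameterMap();
        Map<String, String[]> cleaned = new LinkedHashMap<>();
        for (Map.Entry<String, String[]> entry : raw.entrySet()) {
            cleaned.put(entry.getKey(), cleanAll(entry.getValue()));
        }
        return Collections.unmodifiableMap(cleaned);
    }

    /**
     * Returns the cleaned value of a request header.
     *
     * @param name header name
     * @return cleaned header value, or {@code null} if the header is absent
     */
    @Override
    public String getHeader(String name) {
        String value = super.getHeader(name);
        return value == null ? null : cleanXSS(value);
    }

    /**
     * Returns all cleaned values of a request header (headers may repeat).
     *
     * @param name header name
     * @return enumeration of cleaned values; {@code null} if the container withholds headers
     */
    @Override
    public Enumeration<String> getHeaders(String name) {
        Enumeration<String> raw = super.getHeaders(name);
        if (raw == null) {
            return null;
        }
        List<String> cleaned = new ArrayList<>();
        while (raw.hasMoreElements()) {
            cleaned.add(cleanXSS(raw.nextElement()));
        }
        return Collections.enumeration(cleaned);
    }

    /** Applies {@link #cleanXSS} to every element of a (possibly null) array, returning a new array. */
    private String[] cleanAll(String[] values) {
        if (values == null) {
            return null;
        }
        String[] encodedValues = new String[values.length];
        for (int i = 0; i < values.length; i++) {
            encodedValues[i] = cleanXSS(values[i]);
        }
        return encodedValues;
    }

    /**
     * Strips every blacklisted token from {@code value}, repeating until a pass removes
     * nothing more (each pass either shortens the string or leaves it unchanged, so the
     * loop terminates).
     *
     * @param value raw value; {@code null} is returned as-is
     * @return value with all blacklisted characters and keywords removed
     */
    private String cleanXSS(String value) {
        if (value == null) {
            return null;
        }
        String previous;
        do {
            previous = value;
            value = BLACKLIST.matcher(value).replaceAll("");
        } while (!value.equals(previous));
        return value;
    }
}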