XssFilter 创建与配置

By 六月的雨在Tencent
Published 2024-03-28 19:41:07
Column: CSDN

Adding an XssFilter

Creating XssFilter

```java
package com.dongao.filter;

import com.alibaba.druid.util.DruidWebUtils;
import com.alibaba.druid.util.PatternMatcher;
import com.alibaba.druid.util.ServletPathMatcher;

import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import java.io.IOException;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

public class XssFilter implements Filter {

	private String initParameter;
	private Set<String> initParameters;
	protected PatternMatcher pathMatcher = new ServletPathMatcher();
	private String contextPath;

	@Override
	public void init(FilterConfig filterConfig) throws ServletException {
		// Load the comma-separated list of patterns (e.g. static-file suffixes) that need no filtering
		initParameter = filterConfig.getInitParameter("exclude");
		if (initParameter != null && initParameter.trim().length() != 0) {
			initParameters = new HashSet<String>(Arrays.asList(initParameter.split("\\s*,\\s*")));
		}

		// The context path is stripped from request URIs before they are matched against the patterns
		contextPath = DruidWebUtils.getContextPath(filterConfig.getServletContext());
	}

	@Override
	public void doFilter(ServletRequest request, ServletResponse response,
	                     FilterChain chain) throws IOException, ServletException {
		HttpServletRequest httpRequest = (HttpServletRequest) request;
		String requestURI = httpRequest.getRequestURI();
		if (isExclusion(requestURI)) {
			// Excluded path: pass the original request through untouched
			chain.doFilter(request, response);
		} else {
			// Everything else is wrapped so that parameters and headers are HTML-escaped on read
			chain.doFilter(new XssHttpServletRequestWrapper(httpRequest), response);
		}
	}

	@Override
	public void destroy() {
	}

	/** Returns true if the request URI (relative to the context path) matches any exclude pattern. */
	public boolean isExclusion(String requestURI) {
		if (initParameters == null) {
			return false;
		}

		if (contextPath != null && requestURI.startsWith(contextPath)) {
			requestURI = requestURI.substring(contextPath.length());
			if (!requestURI.startsWith("/")) {
				requestURI = "/" + requestURI;
			}
		}

		for (String pattern : initParameters) {
			if (pathMatcher.matches(pattern, requestURI)) {
				return true;
			}
		}

		return false;
	}

}
```

Creating XssHttpServletRequestWrapper

```java
package com.dongao.filter;

import org.apache.commons.lang3.StringEscapeUtils;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;

public class XssHttpServletRequestWrapper extends HttpServletRequestWrapper {
    /**
     * XSS request wrapper: HTML-escapes header and parameter values as they are read.
     * Only getHeader(), getParameter() and getParameterValues() are overridden;
     * getParameterMap(), getQueryString() and the request body (getInputStream()/getReader())
     * still return the raw values.
     * @param request the original request
     */
    public XssHttpServletRequestWrapper(HttpServletRequest request) {
        super(request);
    }

    /**
     * Escape a request header value
     * @param name header name
     * @return the HTML-escaped header value, or null if the header is absent
     */
    @Override
    public String getHeader(String name) {
        String value = super.getHeader(name);
        if (value == null) {
            return null;
        }
        return StringEscapeUtils.escapeHtml4(value);
    }

    /**
     * Escape a single request parameter
     * @param name parameter name
     * @return the HTML-escaped parameter value, or null if the parameter is absent
     */
    @Override
    public String getParameter(String name) {
        String value = super.getParameter(name);
        if (value == null) {
            return null;
        }
        return StringEscapeUtils.escapeHtml4(value);
    }

    /**
     * Escape a multi-valued request parameter
     * @param name parameter name
     * @return a new array with every value HTML-escaped, or null if the parameter is absent
     */
    @Override
    public String[] getParameterValues(String name) {
        String[] values = super.getParameterValues(name);
        if (values == null) {
            return null;
        }
        String[] escapedValues = new String[values.length];
        for (int i = 0; i < values.length; i++) {
            escapedValues[i] = StringEscapeUtils.escapeHtml4(values[i]);
        }
        return escapedValues;
    }

}
```

Registering the filter in web.xml

```xml
<filter>
	<filter-name>XssEscape</filter-name>
	<filter-class>com.dongao.filter.XssFilter</filter-class>
	<!-- suffixes that need no filtering -->
	<init-param>
		<param-name>exclude</param-name>
		<param-value>*.js,*.gif,*.jpg,*.png,*.css,*.ico</param-value>
	</init-param>
</filter>
<filter-mapping>
	<filter-name>XssEscape</filter-name>
	<url-pattern>/*</url-pattern>
	<dispatcher>REQUEST</dispatcher>
</filter-mapping>
```
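The three steps above (filter, wrapper, web.xml registration) can be exercised without deploying to a container. The following is an added example, not code from the original post: a small harness that builds `FilterConfig`, `ServletContext` and `HttpServletRequest` test doubles with `java.lang.reflect.Proxy`, feeds the same `exclude` list as the web.xml above into `XssFilter.init()`, and checks what the next element of the chain receives. It assumes `javax.servlet-api`, `commons-lang3` and `druid` on the classpath, that `XssFilter.init()` obtains the `ServletContext` via `filterConfig.getServletContext()`, and that the two classes from the post live in `com.dongao.filter`. The class name `XssFilterDemo`, the `stub`/`runFilter`/`check` helpers, the `/app` context path and the request values are all constructed for the demonstration.

```java
package com.dongao.filter;

import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletContext;
import javax.servlet.ServletRequest;
import javax.servlet.http.HttpServletRequest;
import java.lang.reflect.Proxy;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;

/** Offline check of XssFilter + XssHttpServletRequestWrapper (added example, not part of the post). */
public class XssFilterDemo {

    /** Builds a stand-in for a servlet interface; answers are keyed by "method" or "method:firstArg". */
    @SuppressWarnings("unchecked")
    static <T> T stub(Class<T> iface, Map<String, Object> answers) {
        return (T) Proxy.newProxyInstance(iface.getClassLoader(), new Class<?>[]{iface},
                (proxy, method, args) -> {
                    String key = method.getName() + (args == null ? "" : ":" + args[0]);
                    return answers.getOrDefault(key, answers.get(method.getName()));
                });
    }

    /** Runs the filter and captures whatever request it hands to the next element of the chain. */
    static ServletRequest runFilter(XssFilter filter, HttpServletRequest req) throws Exception {
        final ServletRequest[] passed = new ServletRequest[1];
        FilterChain chain = (r, s) -> { passed[0] = r; };
        filter.doFilter(req, null, chain);   // XssFilter never touches the response, so null is fine here
        return passed[0];
    }

    static void check(boolean ok, String what) {
        if (!ok) throw new AssertionError(what);
        System.out.println("ok: " + what);
    }

    public static void main(String[] args) throws Exception {
        // ServletContext and FilterConfig as the container would supply them (constructed values).
        // DruidWebUtils.getContextPath() reads the servlet version before asking for the path.
        Map<String, Object> ctx = new HashMap<>();
        ctx.put("getMajorVersion", 3);
        ctx.put("getMinorVersion", 1);
        ctx.put("getContextPath", "/app");
        Map<String, Object> cfg = new HashMap<>();
        cfg.put("getServletContext", stub(ServletContext.class, ctx));
        cfg.put("getInitParameter:exclude", "*.js,*.gif,*.jpg,*.png,*.css,*.ico");

        XssFilter filter = new XssFilter();
        filter.init(stub(FilterConfig.class, cfg));

        // 1. A static asset matches the exclude list: the original request object goes through unwrapped.
        Map<String, Object> asset = new HashMap<>();
        asset.put("getRequestURI", "/app/static/logo.png");
        HttpServletRequest assetReq = stub(HttpServletRequest.class, asset);
        check(runFilter(filter, assetReq) == assetReq, "excluded suffix is passed through unchanged");

        // 2. A dynamic request carrying a constructed markup probe in a parameter and a header.
        String payload = "<script>alert(1)</script>";
        Map<String, Object> page = new HashMap<>();
        page.put("getRequestURI", "/app/search");
        page.put("getParameter:q", payload);
        page.put("getParameterValues:q", new String[]{payload, "plain"});
        page.put("getHeader:Referer", "http://example.test/?x=\"><img src=x>");
        page.put("getParameterMap", Collections.singletonMap("q", new String[]{payload}));
        HttpServletRequest pageReq = stub(HttpServletRequest.class, page);

        ServletRequest seen = runFilter(filter, pageReq);
        check(seen instanceof XssHttpServletRequestWrapper, "non-excluded URI is wrapped");
        HttpServletRequest wrapped = (HttpServletRequest) seen;
        check("&lt;script&gt;alert(1)&lt;/script&gt;".equals(wrapped.getParameter("q")),
              "getParameter() is HTML-escaped");
        check(wrapped.getParameterValues("q")[0].startsWith("&lt;script&gt;"),
              "getParameterValues() is HTML-escaped");
        check(wrapped.getHeader("Referer").contains("&quot;&gt;&lt;img"),
              "getHeader() is HTML-escaped");

        // 3. Coverage gap: the wrapper does not override getParameterMap(), so code that binds
        //    through it (framework data binding, request.getParameterMap() in a JSP) still sees
        //    the raw value. The same holds for JSON bodies read via getInputStream().
        String raw = wrapped.getParameterMap().get("q")[0];
        check(payload.equals(raw), "getParameterMap() is NOT escaped (gap to close)");
    }
}
```

Run it with the three classes on the classpath (`java com.dongao.filter.XssFilterDemo`); every `check` prints `ok:` and the last one documents the read path the wrapper leaves open. Two design points follow from it: if the application reads parameters through `getParameterMap()` or parses a JSON body, those paths need their own override or a different defense, and escaping on input rewrites stored data (a legitimate `<` in a comment becomes `&lt;` in the database), so output encoding in the view layer remains the primary control and this filter is a second layer.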