实例如下 :
Xssfilter.java
Public void dofilter (ServLetRequest ServLetRequest, ServletResponse ServletResponse, FilterChain FilterChain) lanza ioexception, servletException {// flag = true 只做 url 验证; Flag = false 做所有字段的验证; boolean flag = true; if (flag) {// 只对 url 做 xss 校验 httpservletRequest httpServletRequest = (httpservletRequest) servletRequest; httpServletResponse httPsEntletRetResponse = (httpServletResponse); httpservletRequest.getRequestUrl (). toString (); requesti = urlDecoder.Decode (requestUri, "utf-8"); if (requesturi! = null && requesturi.indexof ("alipay_hotel_book_return.html")! =-1) {filtreChain.dofilter (servlet, (SERVETRET, servletResponse); return;} if (requestUri! = null && requesturi.indexof ("cuenta_bank_return.html")! =-1) {filterChain.dofilter (ServLetRequest,, servletResponse); return;} if (requesturi! = null && requesturi.indexof ("/alipay/activity.html")! =-1) {filterChain.dofilter (servletRequest, servletResponse); return; return ;} if (requesturi! = null && requesturi.indexof ("/alipaylogin.html")! =-1) {filterChain.dofilter (servletRequest, servletResponse); return;} requitSwrapper rw = newWrappers (httpservletRequest); string param = httpservletRequest.getQueryString (); if (! "". Equals (param) && param! = null) {param = urlDecoder.decode (param, "utf-8"); string originalUrl = requestUri + param; string sqlParam = param; // 添加 sql 注入的判断 if (requestUri.endswith ("/askquestion.html"). 
requestUri.endswith ("/member/respuesta.html")) {sqlparam = rw.cleansqlinject (param);} string xssparam = rw.cleanxss (sqlparam); requestUri += = “ RequestSwrapper ((httpservletRequest) ServLetRequest), servletResponse); return;}} filterChain.dofilter (servletRequest, servletResponse);} else {// 对请求中的所有东西都做校验 , 包括表单。此功能校验比较严格容易屏蔽表单正常输入 包括表单。此功能校验比较严格容易屏蔽表单正常输入 使用此功能请注意。filterChain.dofilter (nuevo requestwrapper ((httpServeServeRequest) SERVETRECES servletResponse);}} requestmapping: public requitsWrapper () {super (null);} public SoldSWrapper (httpservletRequest httpservletRequest) {super (httpservletRequest);} public [] getParametervalues (Str = Str = Str = Stry Str [] str [] str [] str [] str [] str [] str [] Str = Str == (S); {return null;} int i = str.length; String as1 [] = new String [i]; for (int j = 0; j <i; j ++) {as1 [j] = cleanxsss (limpiAsqlinject (str [j]));} return as1;} public string getParameter (String s) {string s1 = super.getparameter (s); nulo null;} else {return cleanxss (limpiSQlineject (s1));}} public string getheader (String s) {String s1 = super.getheader (s); if (s1 == null) {returns null;} = src; system.out.println ("xss --- temp->"+src); src = src.replaceAll ("<", "<"). ReplaceAll (">", ">"); // if (src.indexof ("dirección") ==-1) // {src = src.replaceall ("// (", "(") .replaceall ("//)", ")"); //} src = src.Replaceall ("" "," "); Pattern Pattern = Pattern.Compile ("(eval //((.*)///) | script)", patrón.case_insensitive); Matcher Matcher = Pattern.Matcher (SRC); src = matcher.replaceall (""); Pattern = Pattern.Compile ("[///" // '] [// s]*javascript: (.*) [/// "//']", patrón.case_insensitive); Matcher = Pattern.Matcher (SRC); src = matcher.replaceall ("/"/""); // 增加脚本 src = src.replaceAll ("script", "") .replaceAll (";", "") .replaceall ("/" "," ") .replaceall ("@"," ") .replaceall (" 0x0d "," ") .replacealler (" 0x0a ",,", ",", "") .replaceAll (",", ""); if (! 
temp.equals (src)) {system.out.println ("输入信息存在 xss 攻击!"); system.out.println ("原始输入信息->"+temp); system.out.println ("处理后信息->"+src);} return src;} // 需要增加通配 过滤大小写组合 过滤大小写组合 过滤大小写组合 过滤大小写组合 过滤大小写组合 过滤大小写组合 过滤大小写组合 过滤大小写组合 过滤大小写组合 过滤大小写组合 过滤大小写组合 过滤大小写组合 过滤大小写组合 过滤大小写组合 过滤大小写组合 过滤大小写组合 过滤大小写组合 过滤大小写组合 过滤大小写组合 过滤大小写组合 过滤大小写组合 过滤大小写组合 过滤大小写组合 过滤大小写组合 过滤大小写组合 过滤大小写组合 过滤大小写组合 过滤大小写组合CleanSqlinject (String src) {string temp = src; .replaceAll ("o", "forhido");XML 配置 :
<filter>
    <filter-name>xssfilter</filter-name>
    <filter-class>cn.com.jsoft.xss.XssFilter</filter-class>
    <init-param>
        <param-name>encoding</param-name>
        <param-value>UTF-8</param-value>
    </init-param>
</filter>
<filter-mapping>
    <filter-name>xssfilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
以上代码仅仅把特殊的 SQL 字符和 script 脚本字符替换掉，具体的页面处理还需要后台处理。这种基于黑名单替换的过滤容易被大小写、编码变形绕过（代码注释里的"需要增加通配、过滤大小写组合"正是这个问题），因此数据库操作仍应使用 PreparedStatement 参数化查询，页面输出也要按所在上下文做输出编码，不能只依赖这个过滤器。
关于这篇 Java 过滤器 Filter 防 SQL 注入的实现代码就是小编分享给大家的全部内容了，希望能给大家一个参考，也希望大家多多支持武林网。