实例如下 :
Xssfilter.java
/*
 * NOTE(review): this listing is a garbled, machine-translated transcription of
 * two classes: an XSS / SQL-injection servlet Filter (doFilter) and a
 * HttpServletRequestWrapper subclass (getParameterValues, getParameter,
 * getHeader, cleanXss, cleanSqlInject). The text below is kept byte-for-byte;
 * what can still be read from it, with the points a reviewer would raise:
 *
 * - doFilter: `flag` is hard-coded to true, so only the request URI and the
 *   query string are checked. The else-branch that wraps the whole request
 *   (form fields included, per the author's own comment that it is strict and
 *   may block normal form input) is unreachable without editing the code.
 * - The pass-through list (`requesturi.indexof("...") != -1`) is a substring
 *   match, not an exact path comparison, so the filter is skipped for any URI
 *   containing one of those fragments. Compare the decoded path exactly (or
 *   against a configured allow-list) instead.
 * - The URI and query string are URL-decoded once (URLDecoder.decode, "UTF-8")
 *   before matching and cleaning; when the cleaned query string differs from
 *   the input, the filter only redirects the client (sendRedirect) to the
 *   cleaned URL rather than rejecting the request.
 * - cleanXss is a blacklist of replaceAll/regex substitutions (`<`/`>` — the
 *   replacement targets are garbled here, presumably `&lt;`/`&gt;` — plus
 *   eval(...)/script, "javascript:", ";", "@", "0x0d", ...); cleanSqlInject
 *   appears to replace SQL keyword fragments (or/and — garbled in this copy)
 *   with placeholder words. Such blacklists are incomplete by construction and
 *   also corrupt legitimate input; they do not replace PreparedStatement
 *   parameters for SQL and context-aware output encoding for HTML.
 * - Values that differ after cleaning are written with System.out.println,
 *   including the raw input ("xss --- temp->" + src); raw user input should
 *   not be logged this way.
 * - Only getParameterValues, getParameter and getHeader are visibly overridden
 *   in the wrapper; from this excerpt getParameterMap and body readers
 *   (getInputStream/getReader) are not covered — confirm against the full file.
 * - Regex patterns are compiled on every call (Pattern.compile inside
 *   cleanXss); hoist them to static final constants.
 */
public void dofilter (ServletRequest ServletRequest, ServletResponse ServletResponse, filterchain filterChain) melempar ioException, servletException {// flag = true 只做 url 验证; flag = false 做所有字段的验证; boolean flag = true; if (flag) {// 只对 url 做 xss 校验 httpservletRequest httpservletrequest = (httpservletRequest) servletRequest; httpservleSponse httpservletResponse = (httpservletserponse; httponsePonsePonsePonsePonsePonsePonsePonsePonsePonsePonsePonsePonsePonsePonsePonsePonsePons = httpservletrequest.getRequesturl (). tostring (); requesturi = urldecoder.decode (requesturi, "UTF-8"); if (requesturi! = null && requesturi.indexof ("alipay_hotel_book_return.html")), 1) ("alipay_hotel_book_return")! servletResponse); return;} if (requesturi! = null && requesturi.indexof ("account_bank_return.html")! =-1) {filterchain.dofilter (servletRequest, servletResponse); return;} if (requesturi! = null && requesturi.indexof ("/alipay/activity.html")! =-1) {filterchain.dofilter (servletRequest, servletResponse); return ;} if (requesturi! = null && requesturi.indexof ("/alipaylogin.html")! =-1) {filterchain.dofilter (servletRequest, servletResponse); return;} requestWrapper rw = new rontquestwrapper (httpservetReest); string; httpservletRequest.getQueryString (); if (! "". Equals (param) && param! = null) {param = urldecoder.decode (param, "utf-8"); string originalUrl = requesturi + param; string sqlparam = param; // 添加 sql 注入的判断 if (param/param; param; // 添加 注入的判断 注入的判断 if (param; requesturi.endswith ("/anggota/jawaban.html")) {sqlparam = rw.cleansqlinject (param);} string xssparam = rw.cleanxss (sqlparam); requesturi += = "?"+xssparam; if (! 
xssparam.equals (param)) {System.out.println ("Requesturi ::::::"+requesturi); httpservletResponse.sendredirect (requesturi); System.out.println ("no ested.");///requesturi); System.out.println ("no ested.");///requesturi; RequestWrapper ((httpservletrequest) servletRequest), servletResponse); return;}} filterchain.dofilter (servletRequest, servletResponse);} else {// 对请求中的所有东西都做校验 , 包括表单。此功能校验比较严格容易屏蔽表单正常输入 , 使用此功能请注意。filterchain.dofilter (httwrapper (httQuest.dofilter (httquest.dofilter (httquest.dofilter (httquest.dofilter (httquest.dofilter (httQuest (httQuest.dofilter (ht (httquest.dofilter (ht (htt) (htt) (htt) {对请求中的所有东西都做校验 , , , , , , {{{{{{{{{{{{{{{{{ servletResponse);}} requestMapping: public revandswrapper () {super (null);} public revandwrapper (httpservletRequest httpservletrequest) {super (httpservletRequest);} public string [] getParAmeTervalues (string s) {string == (] (string =] = non -noLAl (string. {return null;} int i = str.length; string as1 [] = string baru [i]; for (int j = 0; j <i; j ++) {as1 [j] = cleanxss (cleanSqlinject (str [j]));} return as1;} getSparameter publik (string s) {string)); null;} else {return cleanxss (cleansqlinject (s1));}} public string getHeader (string s) {string s1 = super.getHeader (s); if (s1 == null) {return null;} else {return cleanxss (cleanSqlyject (s1));}} string {return cleanxss (cleanSqlyject (s1));} = src; system.out.println ("xss --- temp->"+src); src = src.replaceall ("<", "<"). 
Replaceall (">", ">"); // if (src.indexOf ("alamat") ==-1) // {src = src.replaceall ("// (", "(") .replaceall ("//)", "); //} src = src.replaceall (" "" "" "" "" "" "" "" " Pola pola = pola.compile ("(eval //((.*)///) | skrip)", pola.case_insensitive); Pencocokan pencocokan = pola.matcher (src); src = matcher.replaceall (""); Pattern = Pattern.Compile ("[///" // '] [// S]*JavaScript: (.*) [/// "//']", Pattern.case_insensitive); pencocokan = pola.matcher (src); src = matcher.replaceall ("/"/""); // 增加脚本 src = src.replaceall ("skrip", "") .replaceall (";", "") .replaceall ("/" "," ") .replaceall ("@"," ") .replaceall (" 0x0d "," ") .replaceLac0l (" 0x0d "," ") .replaceLac0l (" 0x0d "," ") .replaceLac0l (" 0x0d "," ") .replaceLac0l (" 0x0d "," ") .Replac0l (" 0x0d "," "). "") .replaceall (",", ""); if (! Temp.equals (src)) {System.out.println ("输入信息存在 xss 攻击!"); System.out.println ("原始输入信息-需要增加通配 需要增加通配 需要增加通配}}} cleansqlinject (string src) {string temp = src; "Forbida") .replaceall ("atau", "forbido");xml : :
<filter>
  <filter-name>xssfilter</filter-name>
  <filter-class>cn.com.jsoft.xss.Xssfilter</filter-class>
  <init-param>
    <param-name>encoding</param-name>
    <param-value>UTF-8</param-value>
  </init-param>
</filter>
<filter-mapping>
  <filter-name>xssfilter</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>
以上代码仅仅将特殊的 SQL 字符、特殊的 script 脚本字符替换掉，这类基于黑名单的过滤不能替代后台的参数化查询（PreparedStatement）和输出编码，具体的页面处理还需要后台处理。
关于这篇 Java 过滤器 Filter 防 SQL 注入的实现代码就是小编分享给大家的全部内容了 , 希望能给大家一个参考 , 也希望大家多多支持武林网。