实例如下:
xssfilter.java
public void dofilter(servletrequest servletrequest、servletresponse servletResponse、filterchain filterchain)IoException、servletexception {// flag = true只做url验证; flag = false做所有字段的验证; boolean flag = true; if(flag){// httpservletrequest.getRequesturl()。toString(); requesturi = urldecoder.decode(requesturi、 "utf-8"); if(requesturi!= null && requesturi.indexof( "alipay_hotel_book_return.html")! servletresponse); return;} if(requesturi!= null && requesturi.indexof( "account_bank_return.html") servletresponse); return;} if(requesturi!= null && requesturi.indexof( "/alipay/activity.html")!= -1){filterchain.dofilter(servletrequest、servletresponse); return; ;} if(requesturi!= null && requesturi.indexof( "/alipaylogin.html") httpservletrequest.getquerystring(); if(! ""。equals(param)&& param!= null){param = urldecoder.decode(param、 "utf-8"); string originalurl = requesturi + param; string sqlparam = param; // requesturi.endswith( "/member/answer.html")){sqlparam = rw.cleansqlinject(param);} string xssparam = rw.cleanxss(sqlparam); requesturi += "?"+xssparam; if(!xssparam.equals(param)){system.out.println( "requesturi :::::::"+requesturi); httpservletresponse.sendredirect(requesturi); system.out.println( "no ented requestwrapper((httpservletrequest)servletrequest)、servletResponse); return;}} filterchain.dofilter(servletrequest、servletresponse);} else {// servletResponse);}} requestMapping:public requestwrapper(){super(null);} public requestwrapper(httpservletrequest httpservletrequest){super(httpservletrequest);} public string [] getparametervalues(string str [] = super.getparametervalues {return null;} int i = str.length; string as1 [] = new string [i]; for(int j = 0; j <i; j ++){as1 [j] = cleanxss(cleansqlinject(str [j]);} return as1;} public string getParameter(string s){string s1 = return null(s); null;} else {return cleanxss(cleansqlinject(s1));}} public string getheader(string s1 = super.getheader(s); if(s1 == null){return null;} els {return cleanxss(s1);} public string clean string string(cleansqlinject(s1); = src; system.out.println( "xss --- temp->"+src); src = src.replaceall( "<"、 "<")。fallingeall( ">"、 ">"); // if(src.indexof( "address")== -1)// {src = src.replaceall( "//("、 "(").replaceall( "//)"、 "); //} src = src.replaceall(" '' ");パターンパターン= pattern.compile( "(eval //((((–./)| script)"、pattern.case_insensivity); matcher matcher = pattern.matcher(src); src = matcher.replaceall( ""); pattern = pattern.compile( "[///" // '] [// s]*javascript :(。*)[/// "//']、pattern.case_insensitive); matcher = pattern.matcher(src); src = matcher.replaceall( "/"/""); // src = src.replaceall( "script"、 "").replaceall( ";"、 "").replaceall( "/" "、").replaceall( "@"、 "").ReplaceAll( "0x0d"、 ").ReplacealLL "").replaceall( "、"、 "、" "); if(!temp.equals(src)){system.out.println("输入信息存在xss 攻击! "); system.out.println("原始输入信息 - > "+temp); system.out.print.println(" cleansqlinject(string src){string temp = src = src.replaceall( "insert"、 "forbidi").replaceall( "forbids").replaceall( "update"、 "forbidu").replaceall "forbida").replaceall( "or"、 "forbido");XML配置:
<filter> <filter-name> xssfilter </filter-name> <filter-class> cn.com.jsoft.xss.xssfilter </filter-class> <init-param> <param-name> encoding </param-name> <par am-value> utf-8 </param-value> </init-param> </filter> <filter-mapping> <filter-name> xssfilter </filter-name> <url-pattern>/*</url-pattern> </filter-mapping>
以上代码仅仅将特殊的sql字符、特殊スクリプト脚本字符处理掉、具体的页面处理还需要后台处理!!
关于这篇java