实例如下
Xssfilter.java
Public void Dofilter (servletRequest servletRequest, servletResponse servletResponse, filterchain filterhain) lança ioexception, servletexception {// sinalizador = true 只做 url 验证; sinalizador = false 做所有字段的验证; bandeira booleana = true; if (flag) {// 只对 url 做 xss 校验 httpServletRequest httpServletReQuest = (httpServleTrequest) servletRequest; httpServletResponsensensensensensonsensonsensensense = (hTPSTPRESTLeSTLeSTletReSponsensensensensensensonsensensensensensensensensensensenserTeStletReStLeSterLeSponsensensensensensonsensensensensensensension httpServletRequest.getRequesturl (). tostring (); requesturi = urldecoder.decode (requesturi, "utf-8"); if (requesturi! servletResponse); return;} if (requesturi! = null && requesturi.indexOf ("account_bank_return.html")! =-1) {filtrhain.dofilter (servletRequest, servletResponse); return;} if (requesturi! = null && requesturi.indexof ("/alipay/ativity.html")! =-1) {filtrhain.dofilter (servletRequest, servletResponse); retornar ;} if (requesturi! = null && requesturi.indexof ("/alipayLogin.html")! =-1) {filterchain.dofilter (servletRequest, servletResponse); return;} requestwrapper rw = new requestWrapper (htttserPlerequest); string; httpServletRequest.getQueryString (); if (! "". Equals (param) && param! = null) {param = urldecoder.decode (param, "utf-8"); string originalurl = requesturi + param; sqlparam = param; // 添加 sql 注入的判断 se (request.Teri. requestURI.endSwith ("/membro/respondido.html")) {sqlparam = rw.cleansqlinject (param);} string xssparam = rw.cleanxss (sqlparam); requesturi += = "?"+xssparam; if (! 
xssparam.equals (param)) {System.out.println ("requesturi ::::::"+requesturi); httpServletResponse.sendRedirect (requesturi); system.out.println ("não ented."); servletRequest), servletResponse); return;}} filterchain.dofilter (servletRequest, servletResponse);} else {// 对请求中的所有东西都做校验 , 包括表单。此功能校验比较严格容易屏蔽表单正常输入 , 使用此功能请注意。filterChain.Dofilter (NewWraper (htttpsleTrequest) »ServleTreleTreTreTRePestr (servlestRepRestRepRestR); RequestWrapper () {super (null);} public requestWrapper (httpServLeTrequest httpServletRequest) {super (httpServletRequest);} public string [] getParameTerValues (string s) {str [] = = Super.GetParameTalues (s) se (s); AS1 [] = new String [i]; para (int j = 0; j <i; j ++) {AS1 [J] = CleanXSS (CleanSQLinject (str [j]));} retornar as1;} public string getParameter (string s) {string s1 = super.GetParParPeTeter (S); se (s1 === null) {String S1 =. CleanXSS (CleanSQLinject (S1));}} public String getheader (String s) {String S1 = super.getheader (s); if (s1 == null) {return null;} else {return cleanXSS (cleanSqject (s1));}} string cleanXs (string string string (srclinject); = src; system.out.println ("xss --- temp->"+src); src = src.replaceall ("<", "<"). replaceall (">", ">"); // if (src.indexof ("endereço") ==-1) // {src = src.replaceall ("// (", "(") .replaceall ("//)", ")"); //} src = src.replaceall ("'"); Padrão padrão = padrony.compile ("(avaliar //(.*.*)//) | Script)", Pattern.Case_insensitive); Matcher Matcher = Pattern.Matcher (SRC); src = matcher.replaceall (""); padrão = padrão.compile ("[///" // '] [// s]*javascript: (.*) [/// "//']", padrony.case_insensitive); Matcher = Pattern.Matcher (SRC); src = matcher.Replaceall ("/"/""); // 增加脚本 src = src.Replaceall ("script", "") .replaceall (";", "") .replaceall ("/" "," ") .replaceAll ("@"") .replaceall ("0x0d", "") .replaceLl (" ""); if (! temp.equals (src)) {system.out.println ("输入信息存在 xss 攻击!"); system.out.println ("原始输入信息->"+temp); string.out.println ("处理后信息-"+src); = src; if (! 
temp.equals (src)) {system.out.println ("输入信息存在 sql 攻击!"); system.out.println ("原始输入信息->"+temp); system.out.println ("处理后信息->"+src);} retorna src;}XML 配置:
<filter> <filter-name>xssfilter</filter-name> <filter-class>cn.com.jsoft.xss.xssfilter</filter-class> <init-param> <param-name>encoding</param-name> <param-value>UTF-8</param-value> </init-param> </filter> <filter-mapping> <filter-name>xssfilter</filter-name> <url-pattern>/*</url-pattern> </filter-mapping>
以上代码仅仅以黑名单方式把特殊的 SQL 字符和特殊的 script 脚本字符替换掉，并不能单独防住 SQL 注入和 XSS；具体的页面输出处理以及数据库访问（使用参数化查询）仍然需要在后台处理！！
关于这篇 Java 过滤器 Filter 防 SQL 注入的实现代码就是小编分享给大家的全部内容了，希望能给大家一个参考，也希望大家多多支持武林网。