实例如下:
XSSFilter.java
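/**
 * Pre-dispatch input screening for every request this filter is mapped to.
 *
 * <p>With {@code flag == true} (the hard-coded setting) only the query string is
 * screened: a handful of payment-callback and login pages are allow-listed and pass
 * straight through; otherwise the decoded query string is run through
 * {@link RequestWrapper#cleanXSS} (and, on the two free-text Q&amp;A pages, through
 * {@link RequestWrapper#cleanSQLInject} first) and, if anything changed, the client
 * is redirected to the cleaned URL. With {@code flag == false} the request is wrapped
 * so that every parameter/header read returns a cleaned value instead (strict; the
 * original comment warns it can mangle legitimate form input).
 *
 * <p>NOTE(review): this is a blacklist filter. It reduces noise but does not replace
 * PreparedStatement parameter binding in the data layer or context-aware output
 * encoding in the views; keep both regardless of this filter.
 *
 * <p>Changes from the published version: allow-list entries are matched as a suffix of
 * the request path (with ";path-params" stripped) instead of {@code indexOf} over the
 * whole URL, which let any URL merely containing one of the names bypass screening;
 * malformed %-escapes answer 400 instead of surfacing as a 500; the redirect target is
 * checked to be a fixed point of the cleaners so a hostile query string cannot make
 * the client loop; CR/LF are stripped before the value reaches the Location header.
 *
 * @param servletrequest  must be an {@link HttpServletRequest}
 * @param servletresponse must be an {@link HttpServletResponse}
 * @param filterchain     the remaining filter chain
 * @throws IOException      from the chain, the error response or the redirect
 * @throws ServletException from the chain
 */
public void doFilter(ServletRequest servletrequest, ServletResponse servletresponse, FilterChain filterchain)
        throws IOException, ServletException {
    // flag = true: screen the query string only; flag = false: screen every field via RequestWrapper.
    boolean flag = true;
    if (!flag) {
        // Strict mode: getParameter*/getHeader on the wrapped request return cleaned values.
        // This is stricter than URL screening and easily blocks legitimate form input.
        filterchain.doFilter(new RequestWrapper((HttpServletRequest) servletrequest), servletresponse);
        return;
    }

    HttpServletRequest httpServletRequest = (HttpServletRequest) servletrequest;
    HttpServletResponse httpServletResponse = (HttpServletResponse) servletresponse;

    String requesturi;
    String path;
    try {
        requesturi = URLDecoder.decode(httpServletRequest.getRequestURL().toString(), "UTF-8");
        // Allow-list matching is done on the path only, never on host or query string.
        path = URLDecoder.decode(httpServletRequest.getRequestURI(), "UTF-8");
    } catch (IllegalArgumentException e) {
        // Malformed %-escape such as "%zz". Previously this propagated as a 500;
        // answer 400 so the container error page cannot leak a stack trace.
        httpServletResponse.sendError(HttpServletResponse.SC_BAD_REQUEST);
        return;
    }
    // Drop path parameters (";jsessionid=..." or an attacker-supplied ";x=/alipayLogin.html")
    // so they cannot satisfy the suffix match below.
    int semicolon = path.indexOf(';');
    if (semicolon >= 0) {
        path = path.substring(0, semicolon);
    }

    // Pages that skip screening: payment-gateway return callbacks and the login page.
    String[] skipPages = {
        "alipay_hotel_book_return.html",
        "account_bank_return.html",
        "/alipay/activity.html",
        "/alipayLogin.html"
    };
    for (String page : skipPages) {
        if (path.endsWith(page)) {
            filterchain.doFilter(servletrequest, servletresponse);
            return;
        }
    }

    RequestWrapper rw = new RequestWrapper(httpServletRequest);
    String param = httpServletRequest.getQueryString();
    if (param != null && !param.isEmpty()) {
        String decoded;
        try {
            decoded = URLDecoder.decode(param, "UTF-8");
        } catch (IllegalArgumentException e) {
            httpServletResponse.sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }
        // SQL keyword screening is limited to the two free-text question/answer pages.
        boolean sqlPage = path.endsWith("/askQuestion.html") || path.endsWith("/member/answer.html");
        String sqlParam = sqlPage ? rw.cleanSQLInject(decoded) : decoded;
        String xssParam = rw.cleanXSS(sqlParam);
        if (!xssParam.equals(decoded)) {
            // The redirected request is screened again by this same filter, so the cleaned
            // value must survive a second pass unchanged or the client redirects forever.
            String recleaned = rw.cleanXSS(sqlPage ? rw.cleanSQLInject(xssParam) : xssParam);
            if (!recleaned.equals(xssParam)) {
                httpServletResponse.sendError(HttpServletResponse.SC_BAD_REQUEST);
                return;
            }
            // CR/LF must never reach a Location header (response splitting).
            String target = requesturi + "?" + xssParam.replace("\r", "").replace("\n", "");
            // TODO(review): route through the application logger instead of stdout.
            System.out.println("requesturi::::::" + target);
            httpServletResponse.sendRedirect(target);
            System.out.println("no entered.");
            return;
        }
    }
    filterchain.doFilter(servletrequest, servletresponse);
}
// requestMapping: (the RequestWrapper class follows)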
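/**
 * No-arg constructor kept for source compatibility only. HttpServletRequestWrapper
 * rejects a null request with IllegalArgumentException, so this cannot produce a usable
 * instance; use {@link #RequestWrapper(HttpServletRequest)}.
 */
public RequestWrapper() {
    super(null);
}

/** Wraps {@code httpservletrequest}; parameter and header reads are cleaned on the way out. */
public RequestWrapper(HttpServletRequest httpservletrequest) {
    super(httpservletrequest);
}

/** Compiled once; the published version rebuilt both patterns on every call. */
private static final Pattern EVAL_OR_SCRIPT =
        Pattern.compile("(eval\\((.*)\\)|script)", Pattern.CASE_INSENSITIVE);
private static final Pattern QUOTED_JAVASCRIPT_URL =
        Pattern.compile("[\\\"\\'][\\s]*javascript:(.*)[\\\"\\']", Pattern.CASE_INSENSITIVE);
/**
 * Whole-word, case-insensitive SQL keyword match. The published version used plain
 * case-sensitive replaceAll, so "SELECT" passed while "order", "world" or "android"
 * were mangled; its own comment asked for the case-insensitive form.
 */
private static final Pattern SQL_KEYWORD =
        Pattern.compile("\\b(insert|select|update|delete|and|or)\\b", Pattern.CASE_INSENSITIVE);

/** Applies both cleaners in the order every accessor uses: SQL keywords first, then XSS. */
private String cleanAll(String value) {
    return cleanXSS(cleanSQLInject(value));
}

/** Cleans each element of {@code values}; null stays null. */
private String[] cleanAll(String[] values) {
    if (values == null) {
        return null;
    }
    String[] cleaned = new String[values.length];
    for (int i = 0; i < values.length; i++) {
        cleaned[i] = cleanAll(values[i]);
    }
    return cleaned;
}

/** @return the cleaned values for {@code s}, or null when the parameter is absent */
@Override
public String[] getParameterValues(String s) {
    return cleanAll(super.getParameterValues(s));
}

/** @return the cleaned value for {@code s}, or null when the parameter is absent */
@Override
public String getParameter(String s) {
    String value = super.getParameter(s);
    return value == null ? null : cleanAll(value);
}

/**
 * Cleaned view of every parameter. Added because the published wrapper left
 * getParameterMap() unwrapped: code (including common binding frameworks) reading
 * parameters through it received the raw values and bypassed the cleaning that
 * getParameter()/getParameterValues() apply.
 */
@Override
public java.util.Map<String, String[]> getParameterMap() {
    java.util.Map<String, String[]> raw = super.getParameterMap();
    java.util.Map<String, String[]> cleaned = new java.util.LinkedHashMap<String, String[]>();
    for (java.util.Map.Entry<String, String[]> entry : raw.entrySet()) {
        cleaned.put(entry.getKey(), cleanAll(entry.getValue()));
    }
    return java.util.Collections.unmodifiableMap(cleaned);
}

/**
 * @return the cleaned header value, or null when absent.
 * NOTE(review): cleanXSS strips ';' ',' '"' and '@', so structured headers read through
 * this method (Cookie, Accept, Authorization, ...) come back altered. getHeaders(String)
 * is not wrapped and still returns raw values.
 */
@Override
public String getHeader(String s) {
    String value = super.getHeader(s);
    return value == null ? null : cleanAll(value);
}

/**
 * Blacklist-style XSS sanitiser with the original contract: HTML-significant characters
 * become entities, script-like fragments are deleted, and the (possibly unchanged) text
 * is returned.
 *
 * <p>NOTE(review): the published listing had its backslash escapes mangled
 * ({@code "//("}, {@code "/"/""}, a no-op {@code replaceAll("<", "<")}); the
 * replacements below are the compiling, intended forms. Two behaviour fixes:
 * "0x0d"/"0x0a" were matched as literal text so real CR/LF survived — they are now
 * removed; and a single pass was not idempotent ("scrscriptipt" became "script"), so
 * the stripping now repeats until the text stops changing (each pass that changes the
 * text shortens it, so the loop terminates). The unconditional print of every raw value
 * is gone: because getHeader is wrapped it echoed cookies and credentials to stdout.
 *
 * <p>This remains input-side filtering only. It deliberately leaves '&amp;' alone so the
 * query string handled by the filter stays intact, and it cannot make a value safe for
 * every output context; views must still encode on output.
 *
 * @param src raw input; must not be null
 * @return the sanitised text
 */
public String cleanXSS(String src) {
    String original = src;
    src = src.replaceAll("<", "&lt;").replaceAll(">", "&gt;");
    src = src.replaceAll("\\(", "&#40;").replaceAll("\\)", "&#41;");
    src = src.replaceAll("'", "&#39;");
    String previous;
    do {
        previous = src;
        src = EVAL_OR_SCRIPT.matcher(src).replaceAll("");
        src = QUOTED_JAVASCRIPT_URL.matcher(src).replaceAll("\"\"");
        // Pre-existing quirk kept: stripping ';' also truncates the entities produced
        // above ("&#39;" -> "&#39"); the dangerous character is still gone.
        src = src.replace("script", "")
                 .replace(";", "")
                 .replace("\"", "")
                 .replace("@", "")
                 .replace("\r", "")
                 .replace("\n", "")
                 .replace(",", "");
    } while (!src.equals(previous));
    if (!original.equals(src)) {
        // TODO(review): route through the application logger; these lines echo raw input.
        System.out.println("输入信息存在xss攻击!");
        System.out.println("原始输入信息-->" + original);
        System.out.println("处理后信息-->" + src);
    }
    return src;
}

/**
 * Replaces SQL keywords with the original "forbidX" tokens (insert→forbidI,
 * select→forbidS, update→forbidU, delete→forbidD, and→forbidA, or→forbidO), now
 * matching whole words case-insensitively.
 *
 * <p>NOTE(review): keyword stripping is not SQL-injection protection — comments,
 * encoding tricks and operators such as {@code ||} pass straight through. Use
 * PreparedStatement with bound parameters; treat this as noise reduction at most.
 *
 * @param src raw input; must not be null
 * @return the text with keywords replaced
 */
public String cleanSQLInject(String src) {
    String original = src;
    Matcher m = SQL_KEYWORD.matcher(src);
    StringBuffer out = new StringBuffer();
    while (m.find()) {
        // First letters are distinct (i,s,u,d,a,o), so this reproduces the old mapping exactly.
        m.appendReplacement(out, "forbid" + Character.toUpperCase(m.group(1).charAt(0)));
    }
    m.appendTail(out);
    src = out.toString();
    if (!original.equals(src)) {
        // TODO(review): route through the application logger; these lines echo raw input.
        System.out.println("输入信息存在SQL攻击!");
        System.out.println("原始输入信息-->" + original);
        System.out.println("处理后信息-->" + src);
    }
    return src;
}
// xml config (web.xml) follows: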
<!-- Registration of cn.com.jsoft.xss.XSSFilter, mapped to every URL ("/*").
     Review notes:
     (1) the "encoding" init-param is declared here but the filter code shown above never
         reads it; URLDecoder.decode is called with a hard-coded "UTF-8", so this value is
         dead configuration.
     (2) no <dispatcher> element is given, so the filter runs for REQUEST dispatches only;
         FORWARD, INCLUDE and ERROR dispatches are not screened unless listed explicitly. -->
<filter><filter-name>XssFilter</filter-name><filter-class>cn.com.jsoft.xss.XSSFilter</filter-class><init-param><param-name>encoding</param-name><param-value>UTF-8</param-value></init-param></filter><filter-mapping><filter-name>XssFilter</filter-name><url-pattern>/*</url-pattern></filter-mapping>
以上代码只是把若干 SQL 关键字和 script 相关字符替换或删除,属于黑名单过滤:它很容易被变形输入(大小写、拆分、编码)绕过,也可能误伤正常输入(例如包含 or、and 的英文单词)。它不能替代后台的安全措施:数据库访问必须使用 PreparedStatement 参数绑定,页面输出必须按上下文(HTML 文本、属性、JavaScript、URL)做编码,具体的页面处理仍需后台完成。