当先锋百科网

首页 1 2 3 4 5 6 7

创建拦截器

import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import java.io.IOException;
import java.util.ArrayList;
import java.util.List;


public class XssFilter implements Filter {

    List<String> prefixIignores = new ArrayList<>();

    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
        System.out.println("xss过滤器的初始化操作");
//对应web.xml中init-param标签体内容,放行的请求
        String ignoresParam = filterConfig.getInitParameter("ignores");
        String[] ignoreArray = ignoresParam.split(",");
        for (String s : ignoreArray) {
            prefixIignores.add(s.trim());
        }
    }
    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {

        HttpServletRequest req = (HttpServletRequest) request;

        if (canIgnore(req)){
            chain.doFilter(request,response);
        }else {
            XssWarper xssWarper = new XssWarper(req);
            //放行
            chain.doFilter(xssWarper, response);
         
        }

}
    @Override
    public void destroy() {
        System.out.println("xss过滤器的销毁");
    }



    private boolean canIgnore(HttpServletRequest request) {
        String url = request.getRequestURI();
        for (String ignore : prefixIignores) {
            if (url.endsWith(ignore)) {
                return true;
            }
        }
        return false;
    }
}

创建XssWarper

 

import cn.jiguang.common.utils.StringUtils;
import org.springframework.web.util.HtmlUtils;

import javax.servlet.ServletInputStream;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import java.io.IOException;
import java.util.HashMap;
import java.util.Map;


public class XssWarper  extends HttpServletRequestWrapper {
    private Map<String , String[]> params = new HashMap<String, String[]>(); // 用于存储请求参数
    private ServletInputStream servletInputStream = null;

    /**
     * @Method content 富文本内容
     * @Author MC
     不进行处理的params
     * @Return
     * @Date 2019/11/25 0025 9:55
     */
    private String noCheckParamsStr = "content";

    private HttpServletRequest request;

    public XssWarper(HttpServletRequest request) {
        super(request);
        this.request = request;
        this.params.putAll(request.getParameterMap());
    }

    /**
     * 重载一个构造方法
     * @param request
     * @param extendParams
     */
    public XssWarper(HttpServletRequest request , Map<String , String[]> extendParams) throws IOException {
        this(request);
        for (String key: extendParams.keySet()) {
            String val = this.getParameter(key);
            if (StringUtils.isNotEmpty(val)){
                extendParams.put(key,new String[]{val});
            }
        }
        addAllParameters(extendParams);
    }

    @Override
    public String getParameter(String name) {
        if(noCheckParamsStr.indexOf(name) != -1){
            return super.getParameter(name);
        }
        String val = request.getParameter(name);
        if(StringUtils.isNotEmpty(val)){
            val = HtmlUtils.htmlEscape(val); // 将所有传递进来的String进行HTML编码,防止XSS攻击
        }
        return val;
    }

    @Override
    public String[] getParameterValues(String name) {
        return params.get(name);
    }


    public void addAllParameters(Map<String , String[]> otherParams) {
        for(Map.Entry<String , String[]>entry : otherParams.entrySet()) {
            addParameter(entry.getKey() , entry.getValue());
        }
    }

    public void addParameter(String name , Object value) {
        if(value != null) {
            if(value instanceof String[]) {
                params.put(name , (String[])value);
            }else if(value instanceof String) {
                params.put(name , new String[] {(String)value});
            }else {
                params.put(name , new String[] {String.valueOf(value)});
            }
        }
    }
}

web.xml中注册过滤器,请注意与其他过滤器的先后顺序

 

<filter>
  <filter-name>xssFilter</filter-name>
  <filter-class>com.jeeplus.common.filter.XssFilter</filter-class>
    <init-param>
        <param-name>ignores</param-name>
        <param-value>
          /core/sysAppVersion/uploader,
          /app/fileUpload/upload
        </param-value>
    </init-param>
</filter>
<filter-mapping>
  <filter-name>xssFilter</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>