创建过滤器 XssFilter（实现 javax.servlet.Filter，不是 Spring 的拦截器）
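import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import java.io.IOException;
import java.util.ArrayList;
import java.util.List;

/**
 * Servlet filter that wraps every HTTP request in an {@link XssWarper} so that
 * request parameters are HTML-escaped before the application reads them.
 *
 * Security notes for reviewers:
 * <ul>
 *   <li>The exemption list ("ignores" init-param) is matched as an exact,
 *       context-relative, container-normalised path. A suffix match (the
 *       previous {@code endsWith}) let any URL that merely ended with an exempt
 *       path skip the wrapper, and an empty list entry (e.g. from a stray comma)
 *       matched every URL and silently disabled the filter.</li>
 *   <li>Requests on exempt paths reach the application completely un-escaped;
 *       those handlers must validate/escape their own parameters.</li>
 *   <li>The wrapper covers parameters only, not headers, cookies or the request
 *       body, and input escaping is defence-in-depth, not a substitute for output
 *       encoding in views.</li>
 *   <li>Register this filter before any other filter that reads parameters;
 *       earlier filters see the raw request.</li>
 * </ul>
 */
public class XssFilter implements Filter {

    /** Exact context-relative paths that bypass the wrapper (from init-param "ignores"). */
    List<String> prefixIignores = new ArrayList<>();

    /**
     * Reads the comma-separated "ignores" init-param from web.xml. A missing
     * parameter means no exemptions; blank entries are dropped rather than being
     * turned into a match-everything rule.
     */
    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
        System.out.println("xss过滤器的初始化操作");
        String ignoresParam = filterConfig.getInitParameter("ignores");
        if (ignoresParam == null) {
            return;
        }
        for (String entry : ignoresParam.split(",")) {
            String path = entry.trim();
            if (!path.isEmpty()) {
                prefixIignores.add(path);
            }
        }
    }

    /**
     * Wraps HTTP requests that are not on an exempt path; non-HTTP requests and
     * exempt paths pass through untouched.
     */
    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        if (!(request instanceof HttpServletRequest)) {
            chain.doFilter(request, response);
            return;
        }
        HttpServletRequest req = (HttpServletRequest) request;
        if (canIgnore(req)) {
            chain.doFilter(request, response);
        } else {
            // every parameter read downstream goes through the escaping wrapper
            chain.doFilter(new XssWarper(req), response);
        }
    }

    @Override
    public void destroy() {
        System.out.println("xss过滤器的销毁");
    }

    /** True when the request's context-relative path exactly equals a configured exemption. */
    private boolean canIgnore(HttpServletRequest request) {
        String path = contextRelativePath(request);
        for (String ignore : prefixIignores) {
            if (path.equals(ignore)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Path of the request relative to this web application as the container routes it
     * (servlet path + path info: decoded, normalised, no context path, query string or
     * ";" path parameters). Falls back to the raw request URI minus the context path
     * and any ";" suffix when the container supplies neither servlet path nor path info.
     */
    private static String contextRelativePath(HttpServletRequest request) {
        String servletPath = request.getServletPath();
        String pathInfo = request.getPathInfo();
        if (servletPath != null || pathInfo != null) {
            return (servletPath == null ? "" : servletPath) + (pathInfo == null ? "" : pathInfo);
        }
        String uri = request.getRequestURI();
        if (uri == null) {
            return "";
        }
        String ctx = request.getContextPath();
        if (ctx != null && !ctx.isEmpty() && uri.startsWith(ctx)) {
            uri = uri.substring(ctx.length());
        }
        int semicolon = uri.indexOf(';');
        return semicolon >= 0 ? uri.substring(0, semicolon) : uri;
    }
}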
创建请求包装类 XssWarper（继承 HttpServletRequestWrapper，在读取参数时进行 HTML 转义）
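import org.springframework.web.util.HtmlUtils;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import java.io.IOException;
import java.util.Collections;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map;
import java.util.Set;

/**
 * {@link HttpServletRequestWrapper} that HTML-escapes parameter values on read
 * (Spring's {@code HtmlUtils.htmlEscape}) so that XSS payloads carried in request
 * parameters reach the application already encoded.
 *
 * Security notes for reviewers:
 * <ul>
 *   <li>Escaping is applied consistently to {@code getParameter},
 *       {@code getParameterValues} and {@code getParameterMap}. Previously only
 *       {@code getParameter} escaped; frameworks that bind via
 *       {@code getParameterValues}/{@code getParameterMap} (e.g. Spring MVC data
 *       binding) received the raw values, so the filter was bypassed for them.</li>
 *   <li>Exempt parameter names are matched exactly. The previous
 *       {@code "content".indexOf(name)} substring test exempted any name that is a
 *       substring of "content" ("con", "t", "" ...).</li>
 *   <li>Only parameters are covered. Headers, cookies, path segments and the
 *       request body (e.g. JSON read from the input stream) pass through untouched.</li>
 *   <li>Input escaping is defence-in-depth, not a substitute for output encoding;
 *       values arrive in handlers already encoded, so persisting them and then
 *       encoding again in a view double-encodes.</li>
 *   <li>Values of exempt names (rich-text "content") are returned raw and must be
 *       sanitised by the consuming handler.</li>
 * </ul>
 * The third-party {@code cn.jiguang} StringUtils dependency was replaced by a plain
 * null/empty check; a security filter should not depend on a push-SDK utility class.
 */
public class XssWarper extends HttpServletRequestWrapper {

    /** Parameter names exempt from escaping (rich-text fields); matched exactly. */
    private static final Set<String> NO_CHECK_PARAMS = Collections.singleton("content");

    /** Raw, un-escaped values: the original request's parameters plus any added via addParameter. */
    private final Map<String, String[]> params = new HashMap<String, String[]>();

    /**
     * Wraps the request and snapshots its parameter map.
     *
     * @param request the request to wrap
     */
    public XssWarper(HttpServletRequest request) {
        super(request);
        Map<String, String[]> original = request.getParameterMap();
        if (original != null) {
            this.params.putAll(original);
        }
    }

    /**
     * Wraps the request and merges {@code extendParams} into the parameter set.
     * For any key the original request already supplies with a non-empty first value,
     * the request's value wins and is written back into {@code extendParams}
     * (caller-visible side effect, kept from the original implementation). The raw
     * value is stored; escaping happens on read, so nothing is encoded twice.
     *
     * @param request      the request to wrap
     * @param extendParams extra parameters to expose through this wrapper
     * @throws IOException kept for signature compatibility; not thrown here
     */
    public XssWarper(HttpServletRequest request, Map<String, String[]> extendParams) throws IOException {
        this(request);
        for (String key : extendParams.keySet()) {
            String[] existing = params.get(key);
            if (existing != null && existing.length > 0
                    && existing[0] != null && !existing[0].isEmpty()) {
                extendParams.put(key, new String[] { existing[0] });
            }
        }
        addAllParameters(extendParams);
    }

    /** First value of the parameter, HTML-escaped unless the name is exempt; null if absent. */
    @Override
    public String getParameter(String name) {
        String[] values = getParameterValues(name);
        return (values == null || values.length == 0) ? null : values[0];
    }

    /** All values of the parameter, each HTML-escaped unless the name is exempt; null if absent. */
    @Override
    public String[] getParameterValues(String name) {
        return escape(name, params.get(name));
    }

    /** Read-only view of every parameter with the same escaping rules as getParameterValues. */
    @Override
    public Map<String, String[]> getParameterMap() {
        Map<String, String[]> escaped = new HashMap<String, String[]>(params.size() * 2);
        for (Map.Entry<String, String[]> entry : params.entrySet()) {
            escaped.put(entry.getKey(), escape(entry.getKey(), entry.getValue()));
        }
        return Collections.unmodifiableMap(escaped);
    }

    /** Names of all parameters, including those added via addParameter. */
    @Override
    public Enumeration<String> getParameterNames() {
        return Collections.enumeration(params.keySet());
    }

    /**
     * Adds every entry of {@code otherParams}; existing keys are overwritten.
     *
     * @param otherParams parameters to add
     */
    public void addAllParameters(Map<String, String[]> otherParams) {
        for (Map.Entry<String, String[]> entry : otherParams.entrySet()) {
            addParameter(entry.getKey(), entry.getValue());
        }
    }

    /**
     * Adds a single parameter; a String[] is stored as-is, anything else is stored as a
     * one-element array of its String form. A null value is ignored.
     *
     * @param name  parameter name
     * @param value String[], String or any object (converted with String.valueOf)
     */
    public void addParameter(String name, Object value) {
        if (value == null) {
            return;
        }
        if (value instanceof String[]) {
            params.put(name, (String[]) value);
        } else if (value instanceof String) {
            params.put(name, new String[] { (String) value });
        } else {
            params.put(name, new String[] { String.valueOf(value) });
        }
    }

    /**
     * Returns a copy of {@code values} with each non-empty element HTML-escaped, or an
     * unescaped copy when {@code name} is exempt. Always copies so callers cannot
     * mutate the stored array.
     */
    private static String[] escape(String name, String[] values) {
        if (values == null) {
            return null;
        }
        boolean exempt = NO_CHECK_PARAMS.contains(name);
        String[] out = new String[values.length];
        for (int i = 0; i < values.length; i++) {
            String v = values[i];
            out[i] = (exempt || v == null || v.isEmpty()) ? v : HtmlUtils.htmlEscape(v);
        }
        return out;
    }
}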
在 web.xml 中注册过滤器。过滤器按 &lt;filter-mapping&gt; 在 web.xml 中出现的顺序执行，请把本过滤器放在所有会读取请求参数的过滤器之前，否则排在它前面的过滤器拿到的仍是未转义的原始参数；ignores 中列出的路径会完全跳过转义，这些接口必须自行校验参数。
<!-- XSS filter: wraps each request so parameters are HTML-escaped on read.
     Filters run in <filter-mapping> order; keep this mapping ahead of any filter
     that reads request parameters, or that filter sees the raw values.
     NOTE(review): the Java listing above shows no package declaration, while the
     class is referenced here as com.jeeplus.common.filter.XssFilter; confirm the
     source declares that package or the container cannot load the filter. -->
<filter>
    <filter-name>xssFilter</filter-name>
    <filter-class>com.jeeplus.common.filter.XssFilter</filter-class>
    <init-param>
        <!-- Comma-separated request paths that bypass the filter entirely
             (file-upload endpoints). Handlers on these paths receive un-escaped
             parameters and must validate/escape them themselves. -->
        <param-name>ignores</param-name>
        <param-value> /core/sysAppVersion/uploader, /app/fileUpload/upload </param-value>
    </init-param>
</filter>
<filter-mapping>
    <filter-name>xssFilter</filter-name>
    <!-- applies to every request; exemptions come only from the "ignores" list above -->
    <url-pattern>/*</url-pattern>
</filter-mapping>