Java 过滤器
import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import com.soufun.wap.servlet.XSSRequestWrapper;
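public class SqlXssFilter implements Filter {

    /** Filter configuration captured in {@link #init}; the {@code dirtyWord} init-param is read from it. */
    private FilterConfig config = null;

    /**
     * Stores the container-supplied configuration so init-params can be read later.
     *
     * @param filterConfig the filter configuration from web.xml
     */
    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
        this.config = filterConfig;
    }

    /**
     * Rejects every HTTP method other than GET and POST and wraps accepted requests in an
     * {@link XSSRequestWrapper} before handing them down the chain.
     *
     * @param request  the incoming request; the container guarantees an {@link HttpServletRequest} here
     * @param response the outgoing response
     * @param chain    the remaining filter chain
     * @throws IOException      if the chain or the error response cannot be written
     * @throws ServletException if the chain fails
     */
    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        String method = req.getMethod();
        boolean allowed = method.equalsIgnoreCase("get") || method.equalsIgnoreCase("post");
        if (!allowed) {
            // Returning without touching the response would answer e.g. HEAD/PUT/OPTIONS with an
            // empty 200; make the rejection explicit so clients and logs see it.
            ((HttpServletResponse) response).sendError(HttpServletResponse.SC_METHOD_NOT_ALLOWED);
            return;
        }
        // Let the request through, decorated so handlers only see encoded parameter values.
        chain.doFilter(new XSSRequestWrapper(req), response);
    }

    @Override
    public void destroy() {
    }

    /**
     * Loads the list of sensitive words configured through the {@code dirtyWord} init-param.
     * The init-param holds a path relative to the web application root (see web.xml); the resource
     * is read as UTF-8, one word per line. Blank lines are skipped so an accidental empty entry
     * cannot act as a match-everything word.
     *
     * <p>Nothing in this filter currently calls this method.
     *
     * @return the words in file order, never {@code null}
     * @throws IllegalStateException if the init-param is missing, the resource does not exist,
     *                               or it cannot be read completely
     */
    private List<String> getDirtyWords() {
        String dirtyWordPath = config.getInitParameter("dirtyWord");
        if (dirtyWordPath == null) {
            throw new IllegalStateException("init-param 'dirtyWord' is not configured");
        }
        InputStream inputStream = config.getServletContext().getResourceAsStream(dirtyWordPath);
        if (inputStream == null) {
            // The original code would have failed with a NullPointerException here; fail with context instead.
            throw new IllegalStateException("dirtyWord resource not found: " + dirtyWordPath);
        }
        List<String> dirtyWords = new ArrayList<String>();
        // try-with-resources closes the underlying stream on every path (the original never closed it).
        try (BufferedReader reader =
                new BufferedReader(new InputStreamReader(inputStream, StandardCharsets.UTF_8))) {
            String line;
            while ((line = reader.readLine()) != null) {
                if (!line.trim().isEmpty()) {
                    dirtyWords.add(line);
                }
            }
        } catch (IOException e) {
            // A partially loaded word list is a misconfiguration, not a best-effort result.
            throw new IllegalStateException("failed to read dirtyWord resource " + dirtyWordPath, e);
        }
        return dirtyWords;
    }
}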
装饰者模式 重写 HttpServletRequest 中的方法
import java.util.Collections;
import java.util.LinkedHashMap;
import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import org.apache.commons.lang.StringEscapeUtils;
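public class XSSRequestWrapper extends HttpServletRequestWrapper {

    /** Parameter whose values are passed through unencoded by {@link #getParameterValues}. */
    private static final String PASSTHROUGH_PARAMETER = "pageChildren";

    /**
     * Decorates a request so that parameter values are encoded before handlers read them.
     *
     * @param servletRequest the request to wrap
     */
    public XSSRequestWrapper(HttpServletRequest servletRequest) {
        super(servletRequest);
    }

    /**
     * Returns the encoded values of a parameter.
     *
     * @param parameter the parameter name
     * @return a new array of encoded values; the original array for {@code pageChildren};
     *         {@code null} if the parameter is absent
     */
    @Override
    public String[] getParameterValues(String parameter) {
        String[] values = super.getParameterValues(parameter);
        if (PASSTHROUGH_PARAMETER.equals(parameter) || values == null) {
            return values;
        }
        return stripAll(values);
    }

    /**
     * Returns the encoded value of a parameter.
     *
     * <p>NOTE(review): unlike {@link #getParameterValues}, this does not exempt
     * {@code pageChildren}; kept as in the original — confirm whether that asymmetry is intended.
     *
     * @param parameter the parameter name
     * @return the encoded value, or {@code null} if the parameter is absent
     */
    @Override
    public String getParameter(String parameter) {
        return stripXSS(super.getParameter(parameter));
    }

    /**
     * Returns the parameter map with every value encoded by the same rules as
     * {@link #getParameterValues}. Without this override, code that reads the map (many
     * frameworks do) would see the raw, unencoded values and bypass the wrapper entirely.
     *
     * @return an unmodifiable map of encoded values
     */
    @Override
    public Map<String, String[]> getParameterMap() {
        Map<String, String[]> raw = super.getParameterMap();
        Map<String, String[]> encoded = new LinkedHashMap<String, String[]>();
        for (Map.Entry<String, String[]> entry : raw.entrySet()) {
            String[] values = entry.getValue();
            boolean passThrough = PASSTHROUGH_PARAMETER.equals(entry.getKey()) || values == null;
            encoded.put(entry.getKey(), passThrough ? values : stripAll(values));
        }
        return Collections.unmodifiableMap(encoded);
    }

    /** Applies {@link #stripXSS} to every element, returning a new array of the same length. */
    private String[] stripAll(String[] values) {
        String[] encoded = new String[values.length];
        for (int i = 0; i < values.length; i++) {
            encoded[i] = stripXSS(values[i]);
        }
        return encoded;
    }

    /**
     * Encodes markup-significant characters in one parameter value and removes a few
     * script-related substrings.
     *
     * <p>Step order is preserved from the original: entity replacements first, then the
     * pattern-based removals, then {@code escapeSql}. Two consequences are worth knowing:
     * the {@code eval(...)} pattern can no longer match once {@code (} has become {@code &#40;},
     * and {@code escapeSql} (which only doubles single quotes) is a no-op after {@code '} has
     * become {@code &#39;}. Single-pass substring removal is not a sanitiser; output encoding at
     * render time and parameterised SQL remain the actual defences.
     *
     * @param value raw parameter value, may be {@code null}
     * @return the encoded value, or {@code null} if {@code value} was {@code null}
     */
    private String stripXSS(String value) {
        if (value == null) {
            return null;
        }
        // The listing this was taken from had lost its entity strings to HTML rendering
        // (e.g. replaceAll("", ">"), which would insert ">" between every character); these are
        // the standard entity targets for the characters being replaced.
        String cleaned = value
                .replace("<", "&lt;")
                .replace(">", "&gt;")
                .replace("(", "&#40;")
                .replace(")", "&#41;")
                .replace("'", "&#39;");
        cleaned = cleaned.replaceAll("eval\\((.*)\\)", "");
        cleaned = cleaned.replaceAll("[\\\"\\\'][\\s]*javascript:(.*)[\\\"\\\']", "\"\"");
        cleaned = cleaned.replaceAll("script", "");
        return StringEscapeUtils.escapeSql(cleaned);
    }
}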
web.xml
<filter>
    <filter-name>sqlXssFilter</filter-name>
    <filter-class>com.soufun.wap.filter.SqlXssFilter</filter-class>
    <init-param>
        <param-name>dirtyWord</param-name>
        <param-value>/WEB-INF/DirtyWord.txt</param-value>
    </init-param>
</filter>
<filter-mapping>
    <filter-name>sqlXssFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>