java web 利用filter 防止 Xss 攻击(1)

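<!-- web.xml registration of XssFilter.
     SplitChar ("@") separates the entries of FilterChar (sequences to look for) and
     ReplaceChar (what each is replaced with). Entries are matched by position, so
     both lists MUST contain the same number of entries.

     Two XML pitfalls in the original listing:
       * XML has no backslash escaping: an entry written as \' is the two-character
         sequence backslash+quote, so a bare ' (or " or \) was never matched.
         Write the bare characters instead.
       * "<" is not allowed in element content and must be written as &lt;
         (">" may be written as &gt;).

     NOTE: replacing a fixed blacklist of characters with full-width look-alikes is
     a defence-in-depth measure only; views still need contextual output encoding. -->
<filter>
    <filter-name>xssFilter</filter-name>
    <filter-class>com.yoro.core.web.XssFilter</filter-class>
    <init-param>
        <param-name>SplitChar</param-name>
        <param-value>@</param-value>
    </init-param>
    <init-param>
        <param-name>FilterChar</param-name>
        <param-value>&gt;@&lt;@'@"@\@#@(@)</param-value>
    </init-param>
    <init-param>
        <param-name>ReplaceChar</param-name>
        <!-- full-width counterparts, in the same order as FilterChar -->
        <param-value>＞@＜@＇@＂@＼@＃@（@）</param-value>
    </init-param>
</filter>
<filter-mapping>
    <filter-name>xssFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>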
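package com.yoro.core.web;

import java.io.IOException;
import java.util.regex.Pattern;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;

/**
 * Servlet filter that wraps each HTTP request in an {@link XssHttpServletRequestWrapper}
 * so that the configured character sequences are rewritten in parameter names and
 * values, header values and the query string before the application reads them.
 *
 * <p>Init parameters (see web.xml): {@code SplitChar} separates the entries of
 * {@code FilterChar} (sequences to look for) and {@code ReplaceChar} (the replacement
 * for each entry). Entries are matched by position, so both lists must have the same
 * length; {@link #init(FilterConfig)} rejects the deployment otherwise instead of
 * letting every request fail at runtime.</p>
 *
 * <p>NOTE(review): input character substitution is defence in depth only. It does not
 * replace contextual output encoding in views, and only the accessors the wrapper
 * overrides are covered (request bodies, cookies and the URI are not).</p>
 *
 * @author zoro
 */
public class XssFilter implements Filter {
    private String filterChar;
    private String replaceChar;
    private String splitChar;
    FilterConfig filterConfig = null;

    /**
     * Reads the init parameters and validates them.
     *
     * @throws ServletException if SplitChar, FilterChar or ReplaceChar is missing, or if
     *         FilterChar and ReplaceChar do not have the same number of entries
     */
    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
        this.filterChar = filterConfig.getInitParameter("FilterChar");
        this.replaceChar = filterConfig.getInitParameter("ReplaceChar");
        this.splitChar = filterConfig.getInitParameter("SplitChar");
        this.filterConfig = filterConfig;

        if (splitChar == null || splitChar.isEmpty()) {
            throw new ServletException("XssFilter: init-param SplitChar is required");
        }
        if (filterChar == null || filterChar.isEmpty()
                || replaceChar == null || replaceChar.isEmpty()) {
            throw new ServletException(
                    "XssFilter: init-params FilterChar and ReplaceChar are both required");
        }
        // String.split takes a regex; quote the separator so "|" or "." behave literally.
        String separator = Pattern.quote(splitChar);
        int filterCount = filterChar.split(separator).length;
        int replaceCount = replaceChar.split(separator).length;
        if (filterCount != replaceCount) {
            throw new ServletException("XssFilter: FilterChar has " + filterCount
                    + " entries but ReplaceChar has " + replaceCount);
        }
    }

    /** Releases the stored configuration. */
    @Override
    public void destroy() {
        this.filterConfig = null;
    }

    /**
     * Wraps HTTP requests and continues the chain. A non-HTTP request has none of the
     * accessors the wrapper overrides, so it is passed through unchanged rather than
     * failing with a ClassCastException.
     */
    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        if (request instanceof HttpServletRequest) {
            chain.doFilter(new XssHttpServletRequestWrapper(
                    (HttpServletRequest) request, filterChar, replaceChar, splitChar), response);
        } else {
            chain.doFilter(request, response);
        }
    }
}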
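package com.yoro.core.web;

import java.io.UnsupportedEncodingException;
import java.net.URLDecoder;
import java.util.Collections;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.regex.Pattern;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;

/**
 * Request wrapper that rewrites the configured character sequences in the query string,
 * parameter names and values, the parameter map and header values.
 *
 * <p>Limitations a caller should be aware of:</p>
 * <ul>
 *   <li>Only the overridden accessors are filtered. {@code getParameterNames()},
 *       {@code getHeaders(name)}, {@code getHeaderNames()}, cookies, the request URI /
 *       path info and the body ({@code getInputStream()} / {@code getReader()}, i.e.
 *       JSON or XML payloads) are delivered unfiltered.</li>
 *   <li>This is a blacklist substitution of individual characters; it is defence in
 *       depth and does not replace contextual output encoding in views.</li>
 *   <li>Values are URL-decoded once more before matching although the container has
 *       already decoded parameters, so a literal {@code +} or {@code %xx} in a value is
 *       altered. Kept for compatibility with the existing configuration.</li>
 * </ul>
 *
 * @author zoro
 */
public class XssHttpServletRequestWrapper extends HttpServletRequestWrapper {
    private final String[] filterChars;
    private final String[] replaceChars;

    /**
     * @param request     the request to wrap
     * @param filterChar  sequences to look for, separated by {@code splitChar}
     * @param replaceChar replacement for each entry of {@code filterChar}, same order
     * @param splitChar   literal separator used in both lists
     * @throws IllegalArgumentException if a list is missing or the two differ in length
     *         (the original code deferred this to a NullPointerException /
     *         ArrayIndexOutOfBoundsException on the first filtered access)
     */
    public XssHttpServletRequestWrapper(HttpServletRequest request, String filterChar,
            String replaceChar, String splitChar) {
        super(request);
        if (splitChar == null || splitChar.isEmpty()) {
            throw new IllegalArgumentException("SplitChar must be configured");
        }
        if (filterChar == null || filterChar.isEmpty()
                || replaceChar == null || replaceChar.isEmpty()) {
            throw new IllegalArgumentException("FilterChar and ReplaceChar must both be configured");
        }
        // String.split takes a regex; quote the separator so "|" or "." behave literally.
        String separator = Pattern.quote(splitChar);
        this.filterChars = filterChar.split(separator);
        this.replaceChars = replaceChar.split(separator);
        if (filterChars.length != replaceChars.length) {
            throw new IllegalArgumentException("FilterChar has " + filterChars.length
                    + " entries but ReplaceChar has " + replaceChars.length);
        }
    }

    /** Filtered query string, or {@code null} when the request has none. */
    @Override
    public String getQueryString() {
        String value = super.getQueryString();
        return value == null ? null : xssEncode(value);
    }

    /**
     * Filters both the parameter name and its value. Because the name is rewritten
     * before the lookup, a parameter whose name contains a filtered character is looked
     * up under the rewritten name and is normally not found. Use
     * {@code super.getParameterValues(name)} to obtain the raw value.
     */
    @Override
    public String getParameter(String name) {
        String value = super.getParameter(xssEncode(name));
        return value == null ? null : xssEncode(value);
    }

    /**
     * Filtered copy of the values. Returns {@code null} when the parameter is absent
     * (and, as before, when the container returns an empty array).
     */
    @Override
    public String[] getParameterValues(String name) {
        String[] values = super.getParameterValues(name);
        if (values == null || values.length == 0) {
            return null;
        }
        // Filter into a copy: the array handed out by the container may be its own state.
        return encodeAll(values);
    }

    /**
     * Filtered, unmodifiable view of the parameter map. Frameworks that bind request
     * data through {@code getParameterMap()} rather than {@code getParameter(name)} would
     * otherwise bypass the filter entirely. Keys are filtered like
     * {@link #getParameter(String)} filters names.
     */
    @Override
    public Map<String, String[]> getParameterMap() {
        Map<String, String[]> original = super.getParameterMap();
        if (original == null) {
            return null;
        }
        Map<String, String[]> filtered = new LinkedHashMap<String, String[]>();
        for (Map.Entry<String, String[]> entry : original.entrySet()) {
            String[] values = entry.getValue();
            filtered.put(xssEncode(entry.getKey()), values == null ? null : encodeAll(values));
        }
        return Collections.unmodifiableMap(filtered);
    }

    /**
     * Filters the header name before the lookup and the header value afterwards.
     * Use {@code super.getHeaders(name)} for the raw value; {@code getHeaderNames()} and
     * {@code getHeaders(name)} are not overridden.
     */
    @Override
    public String getHeader(String name) {
        String value = super.getHeader(xssEncode(name));
        return value == null ? null : xssEncode(value);
    }

    /** Applies {@link #xssEncode(String)} to every element of a fresh array. */
    private String[] encodeAll(String[] values) {
        String[] filtered = new String[values.length];
        for (int i = 0; i < values.length; i++) {
            filtered[i] = xssEncode(values[i]);
        }
        return filtered;
    }

    /**
     * URL-decodes {@code s} once more and then replaces every configured sequence with
     * its counterpart, in configuration order (a later entry may therefore match text
     * produced by an earlier replacement, as in the original implementation).
     *
     * @param s text to filter; returned unchanged when {@code null} or empty
     * @return the filtered text
     */
    private String xssEncode(String s) {
        if (s == null || s.isEmpty()) {
            return s;
        }
        String decoded;
        try {
            decoded = URLDecoder.decode(s, "UTF-8");
        } catch (UnsupportedEncodingException e) {
            // UTF-8 is mandatory for every JVM; reaching this is a broken runtime.
            throw new IllegalStateException("UTF-8 is not supported by this JVM", e);
        } catch (IllegalArgumentException e) {
            // A malformed escape such as a bare "%" (e.g. "50%") used to abort the
            // whole request with an uncaught exception; filter the undecoded text instead.
            decoded = s;
        }
        String result = decoded;
        for (int i = 0; i < filterChars.length; i++) {
            // An empty entry (e.g. from "a@@b") would insert the replacement between
            // every character; skip it.
            if (filterChars[i].isEmpty()) {
                continue;
            }
            result = result.replace(filterChars[i], replaceChars[i]);
        }
        return result;
    }
}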