配置拦截器防xss和sql注入


关于xss和sql注入的介绍,可参考https://www.cnblogs.com/ITtangtang/p/3982297.html,里面有介绍。这里介绍项目中如何过滤用户提交的数据。需要说明的是:这种"入口统一过滤"只是纵深防御中的一层——防 SQL 注入的根本手段是使用 PreparedStatement 参数化查询(下文的字符替换对数字型参数、注释符等并无作用),防 XSS 的根本手段是在输出时按所在上下文(HTML 文本、属性、JS、URL)做编码;基于黑名单正则的过滤很容易被绕过,不能单独依赖。

1. web.xml配置拦截器

自定义一个实现了Filter接口的类XssAndSqlFilter。这个类只负责把原始请求包装成第 3 步的 XssAndSqlHttpServletRequestWrapper 再交给过滤链,具体的参数替换逻辑在包装类中实现。

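<!-- XSS / SQL-injection sanitising filter: start -->
<!-- The url-pattern must be "/*" (a path mapping). A bare "*" is not a valid
     servlet url-pattern: the spec treats anything that is neither "/..."
     nor "*.ext" as an exact match, i.e. a path literally named "*", so the
     filter would never run, and containers may reject the mapping outright.
     Filter order follows the order of <filter-mapping> elements: put any
     character-encoding filter before this one so parameters are decoded
     before they are sanitised. -->
<filter>
    <filter-name>xssAndSqlFilter</filter-name>
    <filter-class>com.lancy.web.filter.XssAndSqlFilter</filter-class>
</filter>
<filter-mapping>
    <filter-name>xssAndSqlFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
<!-- XSS / SQL-injection sanitising filter: end -->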

2. 编写自定义拦截器类,实现Filter接口

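package com.lancy.web.filter;

import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;

import com.lancy.web.request.XssAndSqlHttpServletRequestWrapper;

/**
 * Servlet filter that wraps each incoming HTTP request in
 * {@link XssAndSqlHttpServletRequestWrapper}, so that parameter and header
 * values read through the wrapper's overridden accessors are sanitised before
 * they reach the application.
 *
 * <p>This is a defence-in-depth measure only. It does not replace
 * parameterised SQL ({@code PreparedStatement}) or context-aware output
 * encoding, and it only covers the accessor methods the wrapper overrides
 * (request bodies such as JSON are not touched).
 */
public class XssAndSqlFilter implements Filter {

    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
        // No init-params are read; nothing to set up.
    }

    @Override
    public void destroy() {
        // No resources are held; nothing to release.
    }

    /**
     * Wraps HTTP requests before passing them down the chain.
     *
     * <p>The original code cast {@code request} to {@link HttpServletRequest}
     * unconditionally, which throws {@code ClassCastException} for non-HTTP
     * requests; those are now passed through unchanged (they carry no HTTP
     * parameters or headers to sanitise).
     *
     * @param request  incoming request
     * @param response outgoing response (passed through untouched)
     * @param chain    remainder of the filter chain
     */
    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        if (request instanceof HttpServletRequest) {
            HttpServletRequest httpRequest = (HttpServletRequest) request;
            chain.doFilter(new XssAndSqlHttpServletRequestWrapper(httpRequest), response);
        } else {
            chain.doFilter(request, response);
        }
    }
}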

3. 继承HttpServletRequestWrapper,实现请求参数的过滤

这一步是最主要的,是业务逻辑的主要实现部分,封装了HttpServletRequest请求,是装饰模式。注意:包装类只能拦截它所覆盖的那些读取方法——只覆盖 getParameter 和 getHeader 是不够的,通过 getParameterValues/getParameterMap 读取的参数(例如 Spring MVC 的 @RequestParam 参数绑定)、getQueryString 以及请求体(JSON/XML)都不会经过替换,需要一并覆盖或在业务层另行处理。

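package com.lancy.web.request;

import java.util.Collections;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.regex.Pattern;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;

/**
 * Decorator around {@link HttpServletRequest} that sanitises parameter and
 * header names/values on their way into the application.
 *
 * <p>Each value goes through two stages: {@link #stripXSSAndSql(String)}
 * removes a blacklist of script-like constructs with regular expressions,
 * then {@link #xssEncode(String)} replaces the remaining ASCII metacharacters
 * {@code < > ' " & #} with their full-width Unicode counterparts so that they
 * are inert in an HTML or SQL string context.
 *
 * <p>Limitations (this is defence in depth, not a primary control):
 * <ul>
 *   <li>The blacklist is bypassable: among event handlers only {@code onload=}
 *       is handled ({@code onerror}, {@code onmouseover}, ... pass through),
 *       split tags such as {@code <scr<script>ipt>} survive the single-pass
 *       removal, and entity- or URL-encoded payloads are not canonicalised
 *       first. Output must still be encoded for its context.</li>
 *   <li>Full-width substitution does nothing for numeric SQL parameters or
 *       comment sequences; use {@code PreparedStatement} with bound
 *       parameters.</li>
 *   <li>Only the accessors overridden here are filtered:
 *       {@link #getQueryString()}, {@link #getHeaders(String)},
 *       {@link #getReader()} and {@link #getInputStream()} (JSON/XML bodies)
 *       still return raw data.</li>
 *   <li>The original request remains reachable via {@link #getOrgRequest()};
 *       reading from it bypasses the filter by design.</li>
 * </ul>
 */
public class XssAndSqlHttpServletRequestWrapper extends HttpServletRequestWrapper {

    /** Optional whitespace tolerated between the tokens of the blacklist patterns. */
    private static final String WS = "\\s*";

    /**
     * Blacklist applied, in order, by {@link #stripXSSAndSql(String)}. Compiled
     * once rather than on every request. The published listing wrote the
     * whitespace class as {@code [\r\n| | ]} (the '|' is a literal inside a
     * character class, not alternation) and the CSS keyword as "e-xpression",
     * which can never match the real {@code expression(...)}; both are
     * corrected here.
     */
    private static final Pattern[] BLACKLIST = {
        // <script> ... </script> blocks, body included (DOTALL so multi-line bodies go too)
        Pattern.compile("<" + WS + "script" + WS + ">(.*?)</" + WS + "script" + WS + ">",
                Pattern.CASE_INSENSITIVE | Pattern.DOTALL),
        // src="..." / src='...' attributes (note: this also strips legitimate ones)
        Pattern.compile("src" + WS + "=" + WS + "[\"'](.*?)[\"']",
                Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL),
        // lonesome closing </script>
        Pattern.compile("</" + WS + "script" + WS + ">", Pattern.CASE_INSENSITIVE),
        // lonesome opening <script ...>
        Pattern.compile("<" + WS + "script(.*?)>",
                Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL),
        // eval(...)
        Pattern.compile("eval\\((.*?)\\)",
                Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL),
        // CSS expression(...)
        Pattern.compile("expression\\((.*?)\\)",
                Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL),
        // javascript: and vbscript: URL schemes
        Pattern.compile("javascript" + WS + ":" + WS, Pattern.CASE_INSENSITIVE),
        Pattern.compile("vbscript" + WS + ":" + WS, Pattern.CASE_INSENSITIVE),
        // onload= event handler (other on*= handlers are NOT covered)
        Pattern.compile("onload(.*?)=",
                Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL),
    };

    /** The unwrapped request, kept so callers can deliberately read raw values. */
    final HttpServletRequest orgRequest;

    /**
     * @param request the request to decorate; also retained as {@link #getOrgRequest()}
     */
    public XssAndSqlHttpServletRequestWrapper(HttpServletRequest request) {
        super(request);
        orgRequest = request;
    }

    /**
     * Returns the sanitised value of a single parameter. The lookup name is
     * sanitised as well, so a caller asking for a name that contains one of the
     * substituted characters will not find the raw parameter.
     * Use {@code super.getParameter(name)} to read the unsanitised value.
     */
    @Override
    public String getParameter(String name) {
        String value = super.getParameter(xssEncode(name));
        return value == null ? null : xssEncode(value);
    }

    /**
     * Sanitised variant of {@link HttpServletRequestWrapper#getParameterValues(String)}.
     * Framework parameter binding (e.g. Spring MVC) reads through this method and
     * {@link #getParameterMap()}, not {@link #getParameter(String)}, so without
     * these overrides the filter was silently bypassed for bound parameters.
     */
    @Override
    public String[] getParameterValues(String name) {
        String[] values = super.getParameterValues(xssEncode(name));
        return values == null ? null : encodeAll(values);
    }

    /**
     * Sanitised, read-only view of the parameter map: both keys and every value
     * are passed through {@link #xssEncode(String)}.
     */
    @Override
    public Map<String, String[]> getParameterMap() {
        Map<String, String[]> raw = super.getParameterMap();
        Map<String, String[]> encoded = new LinkedHashMap<>();
        if (raw != null) {
            for (Map.Entry<String, String[]> entry : raw.entrySet()) {
                String[] values = entry.getValue();
                encoded.put(xssEncode(entry.getKey()), values == null ? null : encodeAll(values));
            }
        }
        return Collections.unmodifiableMap(encoded);
    }

    /**
     * Returns the sanitised value of a single header; the header name is
     * sanitised before lookup. {@link #getHeaders(String)} and
     * {@link #getHeaderNames()} are not overridden and return raw data.
     * Use {@code super.getHeader(name)} to read the unsanitised value.
     */
    @Override
    public String getHeader(String name) {
        String value = super.getHeader(xssEncode(name));
        return value == null ? null : xssEncode(value);
    }

    /** Applies {@link #xssEncode(String)} to every element of {@code values}. */
    private static String[] encodeAll(String[] values) {
        String[] out = new String[values.length];
        for (int i = 0; i < values.length; i++) {
            out[i] = xssEncode(values[i]);
        }
        return out;
    }

    /**
     * Runs the regex blacklist and then maps the ASCII characters
     * {@code < > ' " & #} to their full-width forms (U+FF1C, U+FF1E, U+FF07,
     * U+FF02, U+FF06, U+FF03), as the class comment in the published listing
     * describes. The listing itself appended the very same ASCII character in
     * every case, i.e. a no-op; the full-width code points are spelled out here
     * as escapes so the substitution survives source-encoding changes.
     *
     * @param s raw value; {@code null} and empty strings are returned unchanged
     * @return the sanitised value
     */
    private static String xssEncode(String s) {
        if (s == null || s.isEmpty()) {
            return s;
        }
        String stripped = stripXSSAndSql(s);
        StringBuilder sb = new StringBuilder(stripped.length() + 16);
        for (int i = 0; i < stripped.length(); i++) {
            char c = stripped.charAt(i);
            switch (c) {
                case '>':
                    sb.append('\uFF1E'); // full-width greater-than
                    break;
                case '<':
                    sb.append('\uFF1C'); // full-width less-than
                    break;
                case '\'':
                    sb.append('\uFF07'); // full-width apostrophe
                    break;
                case '"':
                    sb.append('\uFF02'); // full-width quotation mark
                    break;
                case '&':
                    sb.append('\uFF06'); // full-width ampersand
                    break;
                case '#':
                    sb.append('\uFF03'); // full-width number sign
                    break;
                default:
                    sb.append(c);
                    break;
            }
        }
        return sb.toString();
    }

    /** @return the request as it was before wrapping (unsanitised). */
    public HttpServletRequest getOrgRequest() {
        return orgRequest;
    }

    /**
     * Unwraps {@code req} if it is one of these wrappers; otherwise returns it as is.
     *
     * @param req a possibly wrapped request
     * @return the underlying unsanitised request
     */
    public static HttpServletRequest getOrgRequest(HttpServletRequest req) {
        if (req instanceof XssAndSqlHttpServletRequestWrapper) {
            return ((XssAndSqlHttpServletRequestWrapper) req).getOrgRequest();
        }
        return req;
    }

    /**
     * Removes the constructs matched by {@link #BLACKLIST}, in order, and trims
     * the result. No canonicalisation is performed beforehand, so encoded
     * payloads are not recognised; treat this as best-effort cleanup only.
     *
     * @param value raw value; {@code null} is returned as {@code null}
     * @return the value with blacklisted fragments removed and surrounding
     *         whitespace trimmed
     */
    public static String stripXSSAndSql(String value) {
        if (value == null) {
            return null;
        }
        String result = value;
        for (Pattern pattern : BLACKLIST) {
            result = pattern.matcher(result).replaceAll("");
        }
        return result.trim();
    }
}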

关于HttpServletRequestWrapper的用法可参考
https://www.cnblogs.com/harryV/p/3679842.html
http://blog.csdn.net/it_man/article/details/7556903
