xss filter

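package com.dep.aop;

import java.util.Collections;
import java.util.HashMap;
import java.util.Iterator;
import java.util.Map;
import java.util.Map.Entry;
import java.util.Set;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;

/**
 * Request wrapper that rewrites a fixed set of HTML/JS-significant half-width characters
 * ({@code < > ' " & \ #}) in parameter values and header values into their full-width
 * look-alikes before application code sees them.
 *
 * <p>Scope and limits, as implemented here (read before relying on it):
 * <ul>
 *   <li>This is input sanitization, not output encoding. It is at best a defense-in-depth
 *       measure; XSS is prevented by encoding for the output context (HTML body, attribute,
 *       JS, URL) at render time. It does NOT prevent SQL injection — use
 *       {@code PreparedStatement} with bind parameters for that.</li>
 *   <li>The substitution is lossy and irreversible: a password, JSON fragment or free-text
 *       field containing one of the seven characters is stored altered.</li>
 *   <li>Only {@link #getParameter}, {@link #getParameterValues}, {@link #getParameterMap}
 *       and {@link #getHeader} are filtered. Parameter names (map keys), {@code getHeaders},
 *       {@code getHeaderNames}, {@code getQueryString}, cookies, multipart parts and the raw
 *       body ({@code getInputStream} / {@code getReader}, e.g. JSON or XML payloads) pass
 *       through unchanged.</li>
 *   <li>The unfiltered request is reachable via {@link #getOrgRequest()}; code that needs
 *       the original bytes (e.g. signature verification) must use it.</li>
 * </ul>
 *
 * @author wb_zypt
 */
public class XssHttpServletRequestWrapper extends HttpServletRequestWrapper {

    /** The request as received, before any substitution. Never null after construction. */
    final HttpServletRequest orgRequest;

    /**
     * Wraps {@code request}; all filtered accessors delegate to it.
     *
     * @param request the container-supplied request to wrap
     */
    public XssHttpServletRequestWrapper(HttpServletRequest request) {
        super(request);
        orgRequest = request;
    }

    /**
     * Returns the first value of the named parameter with the character substitution applied,
     * or {@code null} when the parameter is absent.
     *
     * <p>The lookup uses the name exactly as the caller supplied it. Encoding the lookup key
     * first (as an earlier version did) can only cause a miss, because the container stores
     * parameter names verbatim; the old fallback then cast the {@code String[]} value from
     * {@link #getParameterMap()} to {@code String} and threw {@code ClassCastException}
     * for any parameter whose name contained one of the filtered characters.
     *
     * @param name parameter name as sent by the client
     * @return the filtered value, or {@code null}
     */
    @Override
    public String getParameter(String name) {
        String value = super.getParameter(name);
        return value == null ? null : xssEncode(value);
    }

    /**
     * Returns an unmodifiable copy of the parameter map whose values have the substitution
     * applied. Keys (parameter names) are left untouched, consistent with
     * {@link #getParameter}.
     *
     * <p>The Servlet specification requires {@code getParameterMap()} to be immutable, so the
     * copy is wrapped rather than handed out as a mutable {@code HashMap}.
     *
     * @return an unmodifiable {@code Map<String, String[]>}; never {@code null}
     */
    @Override
    public Map<String, String[]> getParameterMap() {
        // Pre-Servlet-3.0 containers declare a raw Map; the spec guarantees String[] values.
        @SuppressWarnings("unchecked")
        Map<String, String[]> original = super.getParameterMap();
        Map<String, String[]> filtered = new HashMap<String, String[]>(Math.max(16, original.size() * 2));
        for (Entry<String, String[]> entry : original.entrySet()) {
            filtered.put(entry.getKey(), xssEncode(entry.getValue()));
        }
        return Collections.unmodifiableMap(filtered);
    }

    /**
     * Returns all values of the named parameter with the substitution applied, or
     * {@code null} when the parameter is absent (mirroring the wrapped request).
     *
     * @param parameter parameter name as sent by the client
     * @return a freshly allocated filtered array, or {@code null}
     */
    @Override
    public String[] getParameterValues(String parameter) {
        String[] values = super.getParameterValues(parameter);
        return values == null ? null : xssEncode(values);
    }

    /**
     * Returns the named header's value with the substitution applied, or {@code null}.
     *
     * <p>Looked up by the name as given: {@code #}, {@code &} and {@code '} are legal
     * characters in an HTTP field name, so encoding the key before lookup could only miss.
     * {@code getHeaders(String)} and {@code getHeaderNames()} are NOT overridden and return
     * raw values; use the unfiltered request via {@link #getOrgRequest()} when that matters.
     *
     * @param name header name
     * @return the filtered header value, or {@code null}
     */
    @Override
    public String getHeader(String name) {
        String value = super.getHeader(name);
        return value == null ? null : xssEncode(value);
    }

    /**
     * Applies {@link #xssEncode(String)} element-wise, returning a new array.
     *
     * @param values array to filter; {@code null} elements are preserved
     * @return a new array of the same length, or {@code null} if {@code values} is null
     */
    private static String[] xssEncode(String[] values) {
        if (values == null) {
            return null;
        }
        String[] filtered = new String[values.length];
        for (int i = 0; i < values.length; i++) {
            filtered[i] = xssEncode(values[i]);
        }
        return filtered;
    }

    /**
     * Replaces the half-width characters {@code > < ' " & \ #} with full-width (or, for the
     * quotes, typographic) look-alikes so that they no longer act as HTML/JS delimiters.
     *
     * <p>Replacements are written as Unicode escapes on purpose: a copy of this file that has
     * been run through NFKC normalisation (as happens on some web pages and editors) folds
     * the full-width literals back into the half-width originals, turning those cases into
     * silent no-ops. The escapes survive such processing.
     *
     * <p>{@code /}, parentheses, backticks and URL/JS-scheme payloads are not touched; this
     * list is deliberately small and is not a complete XSS denylist.
     *
     * @param s input, may be null or empty
     * @return the filtered string; {@code null}/empty input is returned as-is
     */
    private static String xssEncode(String s) {
        if (s == null || "".equals(s)) {
            return s;
        }
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '>':
                    sb.append('\uFF1E'); // FULLWIDTH GREATER-THAN SIGN
                    break;
                case '<':
                    sb.append('\uFF1C'); // FULLWIDTH LESS-THAN SIGN
                    break;
                case '\'':
                    sb.append('\u2018'); // LEFT SINGLE QUOTATION MARK
                    break;
                case '"':
                    sb.append('\u201C'); // LEFT DOUBLE QUOTATION MARK
                    break;
                case '&':
                    sb.append('\uFF06'); // FULLWIDTH AMPERSAND
                    break;
                case '\\':
                    sb.append('\uFF3C'); // FULLWIDTH REVERSE SOLIDUS
                    break;
                case '#':
                    sb.append('\uFF03'); // FULLWIDTH NUMBER SIGN
                    break;
                default:
                    sb.append(c);
                    break;
            }
        }
        return sb.toString();
    }

    /**
     * Returns the wrapped, unfiltered request.
     *
     * @return the request passed to the constructor
     */
    public HttpServletRequest getOrgRequest() {
        return orgRequest;
    }

    /**
     * Unwraps {@code req} if it is an instance of this class; otherwise returns it unchanged.
     * Only one level is unwrapped — a request wrapped twice (or by another wrapper on top)
     * is not fully unwrapped by this call.
     *
     * @param req any request, possibly wrapped
     * @return the unfiltered request where one is available
     */
    public static HttpServletRequest getOrgRequest(HttpServletRequest req) {
        if (req instanceof XssHttpServletRequestWrapper) {
            return ((XssHttpServletRequestWrapper) req).getOrgRequest();
        }
        return req;
    }
}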

 
