publicvoid doFilter(ServletRequest servletrequest,
ServletResponse servletresponse, FilterChain filterchain)
throwsIOException, ServletException {
booleanflag = true;
if(flag){
HttpServletRequest httpServletRequest = (HttpServletRequest) servletrequest;
HttpServletResponse httpServletResponse = (HttpServletResponse) servletresponse;
String requesturi = httpServletRequest.getRequestURL().toString();
requesturi = URLDecoder.decode(requesturi, "UTF-8");
if(requesturi!=null&&requesturi.indexOf("alipay_hotel_book_return.html")!=-1){
filterchain.doFilter(servletrequest, servletresponse);
return;
}
if(requesturi!=null&&requesturi.indexOf("account_bank_return.html")!=-1){
filterchain.doFilter(servletrequest, servletresponse);
return;
}
if(requesturi!=null&&requesturi.indexOf("/alipay/activity.html")!=-1){
filterchain.doFilter(servletrequest, servletresponse);
return;
}
if(requesturi!=null&&requesturi.indexOf("/alipayLogin.html")!=-1){
filterchain.doFilter(servletrequest, servletresponse);
return;
}
RequestWrapper rw = newRequestWrapper(httpServletRequest);
String param = httpServletRequest.getQueryString();
if(!"".equals(param) && param != null) {
param = URLDecoder.decode(param, "UTF-8");
String originalurl = requesturi + param;
String sqlParam = param;
if(requesturi.endsWith("/askQuestion.html") || requesturi.endsWith("/member/answer.html")){
sqlParam = rw.cleanSQLInject(param);
}
String xssParam = rw.cleanXSS(sqlParam);
requesturi += "?"+xssParam;
if(!xssParam.equals(param)){
System.out.println("requesturi::::::"+requesturi);
httpServletResponse.sendRedirect(requesturi);
System.out.println("no entered.");
return;
}
}
filterchain.doFilter(servletrequest, servletresponse);
}else{
filterchain.doFilter(newRequestWrapper((HttpServletRequest) servletrequest), servletresponse);
}
}
requestMapping:
publicRequestWrapper(){
super(null);
}
publicRequestWrapper(HttpServletRequest httpservletrequest) {
super(httpservletrequest);
}
publicString[] getParameterValues(String s) {
String str[] = super.getParameterValues(s);
if(str == null) {
returnnull;
}
inti = str.length;
String as1[] = newString[i];
for(intj = 0; j < i; j++) {
as1[j] = cleanXSS(cleanSQLInject(str[j]));
}
returnas1;
}
publicString getParameter(String s) {
String s1 = super.getParameter(s);
if(s1 == null) {
returnnull;
}else{
returncleanXSS(cleanSQLInject(s1));
}
}
publicString getHeader(String s) {
String s1 = super.getHeader(s);
if(s1 == null) {
returnnull;
}else{
returncleanXSS(cleanSQLInject(s1));
}
}
publicString cleanXSS(String src) {
String temp =src;
System.out.println("xss---temp-->"+src);
src = src.replaceAll("<","<").replaceAll(">",">");
src = src.replaceAll("\\(","(").replaceAll("\\)",")");
src = src.replaceAll("'","'");
Pattern pattern=Pattern.compile("(eval\\((.*)\\)|script)",Pattern.CASE_INSENSITIVE);
Matcher matcher=pattern.matcher(src);
src = matcher.replaceAll("");
pattern=Pattern.compile("[\\\"\\'][\\s]*javascript:(.*)[\\\"\\']",Pattern.CASE_INSENSITIVE);
matcher=pattern.matcher(src);
src = matcher.replaceAll("\"\"");
src = src.replaceAll("script","").replaceAll(";","")
.replaceAll("\"","").replaceAll("@","")
.replaceAll("0x0d","")
.replaceAll("0x0a","").replaceAll(",","");
if(!temp.equals(src)){
System.out.println("输入信息存在xss攻击!");
System.out.println("原始输入信息-->"+temp);
System.out.println("处理后信息-->"+src);
}
returnsrc;
}
publicString cleanSQLInject(String src) {
String temp =src;
src = src.replaceAll("insert","forbidI")
.replaceAll("select","forbidS")
.replaceAll("update","forbidU")
.replaceAll("delete","forbidD")
.replaceAll("and","forbidA")
.replaceAll("or","forbidO");
if(!temp.equals(src)){
System.out.println("输入信息存在SQL攻击!");
System.out.println("原始输入信息-->"+temp);
System.out.println("处理后信息-->"+src);
}
returnsrc;
}
