/**
 * Filter entry point: lets a small allow-list of callback/login URLs through untouched,
 * otherwise URL-decodes the query string, runs it through the RequestWrapper blacklist
 * scrubbers and, if anything changed, 302-redirects the client to the scrubbed URL.
 *
 * NOTE(review): the protection here is blacklist-based string rewriting (see cleanXSS /
 * cleanSQLInject in this file). That is not a substitute for parameterized SQL at the
 * database and context-aware output encoding at the HTML sink; treat this filter as
 * defense-in-depth at most.
 *
 * @param servletrequest  incoming request (cast to HttpServletRequest below)
 * @param servletresponse outgoing response (cast to HttpServletResponse below)
 * @param filterchain     remaining filter chain
 * @throws IOException      propagated from the chain or sendRedirect
 * @throws ServletException propagated from the chain
 */
public void doFilter(ServletRequest servletrequest,
        ServletResponse servletresponse, FilterChain filterchain)
        throws IOException, ServletException {
    // Always true, so the else-branch at the bottom (the only place the wrapped request
    // is forwarded) is unreachable as written.
    boolean flag = true;
    if (flag) {
        HttpServletRequest httpServletRequest = (HttpServletRequest) servletrequest;
        HttpServletResponse httpServletResponse = (HttpServletResponse) servletresponse;
        // getRequestURL() is the absolute URL (scheme, host[:port], path; no query string).
        // It is never null, so the null checks below are redundant. In common containers the
        // host part is taken from the client's Host header, i.e. it is attacker-influenced.
        String requesturi = httpServletRequest.getRequestURL().toString();
        // NOTE(review): URLDecoder.decode throws IllegalArgumentException on malformed
        // %-escapes; it is not caught here, so such a request surfaces as a container error
        // rather than a 400 Bad Request.
        requesturi = URLDecoder.decode(requesturi, "UTF-8");
        // Allow-list of URLs that skip filtering. Each test is a substring search (indexOf)
        // over the whole absolute URL rather than an exact path comparison, so any request
        // whose URL contains the token anywhere is forwarded unfiltered; the first two tokens
        // have no leading slash and so are not even anchored to a path segment. An exact
        // equals()/endsWith() on getRequestURI() would be the tighter check.
        if (requesturi != null && requesturi.indexOf("alipay_hotel_book_return.html") != -1) {
            filterchain.doFilter(servletrequest, servletresponse);
            return;
        }
        if (requesturi != null && requesturi.indexOf("account_bank_return.html") != -1) {
            filterchain.doFilter(servletrequest, servletresponse);
            return;
        }
        if (requesturi != null && requesturi.indexOf("/alipay/activity.html") != -1) {
            filterchain.doFilter(servletrequest, servletresponse);
            return;
        }
        if (requesturi != null && requesturi.indexOf("/alipayLogin.html") != -1) {
            filterchain.doFilter(servletrequest, servletresponse);
            return;
        }
        // The wrapper is built only to call its cleanSQLInject/cleanXSS helpers on the query
        // string. It is NOT forwarded: the chain call at the end of this branch passes the
        // raw servletrequest, so the wrapper's getParameter/getHeader overrides never take
        // effect on this path. Only the query string is inspected; POST bodies are not.
        RequestWrapper rw = new RequestWrapper(httpServletRequest);
        String param = httpServletRequest.getQueryString();
        // "".equals(null) is false, so the null guard is reached safely despite the order.
        if (!"".equals(param) && param != null) {
            // Same uncaught IllegalArgumentException risk as the decode above.
            param = URLDecoder.decode(param, "UTF-8");
            // Assigned but never used.
            String originalurl = requesturi + param;
            String sqlParam = param;
            // The SQL blacklist is applied to these two endpoints only.
            if (requesturi.endsWith("/askQuestion.html") || requesturi.endsWith("/member/answer.html")) {
                sqlParam = rw.cleanSQLInject(param);
            }
            String xssParam = rw.cleanXSS(sqlParam);
            // The cleaned query has already been URL-decoded and is appended without
            // re-encoding, so e.g. a decoded '&' or ' ' goes into the Location header as-is.
            requesturi += "?" + xssParam;
            if (!xssParam.equals(param)) {
                // NOTE(review): cleanSQLInject is not idempotent (every replacement token it
                // emits contains "or", which its own final rule rewrites again), so for the two
                // endpoints above a harmless query such as ?q=word is changed on every visit
                // and this redirect loops until the browser gives up. A 302 also turns a POST
                // into a GET and drops the body. The debug output goes to stdout.
                System.out.println("requesturi::::::" + requesturi);
                httpServletResponse.sendRedirect(requesturi);
                System.out.println("no entered.");
                return;
            }
        }
        // Forwards the ORIGINAL request, not rw (see note above).
        filterchain.doFilter(servletrequest, servletresponse);
    } else {
        // Unreachable while flag is the constant true. Enabling it would route every
        // parameter and header through cleanSQLInject/cleanXSS, which rewrite ordinary
        // words (e.g. "password"), so it is not a drop-in fix.
        filterchain.doFilter(new RequestWrapper((HttpServletRequest) servletrequest), servletresponse);
    }
}
requestMapping:
/**
 * No-argument constructor that passes a null request to the superclass.
 *
 * NOTE(review): per the Servlet API javadoc, ServletRequestWrapper's constructor throws
 * IllegalArgumentException when the wrapped request is null, so this constructor can
 * never complete normally — confirm against the servlet version in use and consider
 * removing it.
 */
public RequestWrapper() {
    super(null);
}
/**
 * Wraps the given request so that getParameter/getParameterValues/getHeader return
 * values passed through cleanSQLInject and cleanXSS (see the overrides below).
 *
 * @param httpservletrequest the request to wrap; must not be null
 */
public RequestWrapper(HttpServletRequest httpservletrequest) {
    super(httpservletrequest);
}
/**
 * Returns every value of parameter {@code s}, each passed through cleanSQLInject and
 * then cleanXSS; returns null when the underlying request has no such parameter.
 *
 * NOTE(review): the scrubbers are keyword/character blacklists, so legitimate values are
 * rewritten too (cleanSQLInject turns "password" into "passwforbidOd"); rely on
 * PreparedStatement and output encoding rather than on these values being "safe".
 * getParameterMap()/getParameterNames() are not overridden in this listing, so code
 * reading parameters that way sees the raw values.
 *
 * @param s parameter name
 * @return scrubbed copies of the values, or null if absent
 */
public String[] getParameterValues(String s) {
    String[] raw = super.getParameterValues(s);
    if (raw == null) {
        return null;
    }
    String[] scrubbed = new String[raw.length];
    int idx = 0;
    for (String value : raw) {
        scrubbed[idx++] = cleanXSS(cleanSQLInject(value));
    }
    return scrubbed;
}
/**
 * Returns parameter {@code s} passed through cleanSQLInject and then cleanXSS, or null
 * when the parameter is absent.
 *
 * NOTE(review): both scrubbers are blacklists and rewrite ordinary input (for example
 * any value containing "or" or "and"); this does not make the value safe for SQL or HTML.
 *
 * @param s parameter name
 * @return scrubbed value, or null if absent
 */
public String getParameter(String s) {
    String raw = super.getParameter(s);
    return raw == null ? null : cleanXSS(cleanSQLInject(raw));
}
/**
 * Returns header {@code s} passed through cleanSQLInject and then cleanXSS, or null
 * when the header is absent.
 *
 * NOTE(review): cleanXSS strips ';' ',' '"' and '@' outright, so structured headers read
 * through this method (Cookie, Accept, Content-Type, ...) come back with their separators
 * removed; getHeaders()/getCookies() are not overridden in this listing, so callers get
 * different views of the same header depending on the accessor they use.
 *
 * @param s header name
 * @return scrubbed header value, or null if absent
 */
public String getHeader(String s) {
    String raw = super.getHeader(s);
    return raw == null ? null : cleanXSS(cleanSQLInject(raw));
}
/**
 * Blacklist-style "XSS" scrubber: a fixed sequence of single-pass regex replacements
 * applied to query strings, parameters and headers.
 *
 * NOTE(review): a removal blacklist cannot make a string safe for an HTML context;
 * encode at the sink (HTML/attribute/JS encoding appropriate to where the value is
 * written). Specific weaknesses are noted inline.
 *
 * @param src value to scrub; must not be null
 * @return the rewritten value
 */
public String cleanXSS(String src) {
    String temp = src;
    // Logs the raw, unscrubbed value to stdout on every call.
    System.out.println("xss---temp-->" + src);
    // NOTE(review): as shown in this listing these three calls replace each character with
    // itself ("<" -> "<", ...) and therefore change nothing. They look like HTML entity
    // references (e.g. &lt;) that were decoded when this page was extracted — confirm against
    // the repository source before relying on them.
    src = src.replaceAll("<", "<").replaceAll(">", ">");
    src = src.replaceAll("\\(", "(").replaceAll("\\)", ")");
    src = src.replaceAll("'", "'");
    // Removes "script" (any case) and "eval(...)". The greedy ".*" spans from the first
    // "eval(" to the LAST ")" in the string, so unrelated text in between is deleted too.
    // Removal is single-pass and so bypassable: "ScrScriptipt" becomes "Script" here and then
    // survives the case-sensitive replaceAll("script", "") further down.
    // Compiled on every call; could be a static final Pattern.
    Pattern pattern = Pattern.compile("(eval\\((.*)\\)|script)", Pattern.CASE_INSENSITIVE);
    Matcher matcher = pattern.matcher(src);
    src = matcher.replaceAll("");
    // Replaces a quoted "javascript:..." value (greedy, up to the last quote in the string)
    // with an empty quoted string.
    pattern = Pattern.compile("[\\\"\\'][\\s]*javascript:(.*)[\\\"\\']", Pattern.CASE_INSENSITIVE);
    matcher = pattern.matcher(src);
    src = matcher.replaceAll("\"\"");
    // Wholesale character stripping. ';' ',' '"' and '@' are legitimate in ordinary input
    // (e-mail addresses, Cookie/Accept headers, JSON). "0x0d" / "0x0a" match the literal
    // four-character text, not carriage-return / line-feed bytes.
    src = src.replaceAll("script", "").replaceAll(";", "")
            .replaceAll("\"", "").replaceAll("@", "")
            .replaceAll("0x0d", "")
            .replaceAll("0x0a", "").replaceAll(",", "");
    if (!temp.equals(src)) {
        // Log only (to stdout, including the raw input); the rewritten value is still returned
        // and the caller decides what to do with it.
        System.out.println("输入信息存在xss攻击!");
        System.out.println("原始输入信息-->" + temp);
        System.out.println("处理后信息-->" + src);
    }
    return src;
}
/**
 * Keyword blacklist applied to query strings, parameters and headers: rewrites six SQL
 * words, in order, to "forbidX" markers and logs to stdout when anything changed.
 *
 * NOTE(review): this does not prevent SQL injection and should not be relied on for it;
 * use PreparedStatement with bound parameters at the database. Concrete limits of the
 * rules below, as written:
 *  - matching is case-sensitive, so "SELECT" passes through untouched;
 *  - matching is plain substring, so ordinary words are rewritten ("password" ->
 *    "passwforbidOd", "android" -> "forbidAroid");
 *  - every replacement token contains "or", which the final rule rewrites again in the
 *    same pass ("select" -> "fforbidObidS"), so the function is not idempotent — calling
 *    it on its own output changes the value again.
 *
 * @param src value to scrub; must not be null
 * @return the rewritten value
 */
public String cleanSQLInject(String src) {
    final String original = src;
    // Applied strictly in this order; each entry is (regex, replacement) for replaceAll.
    final String[][] rules = {
        {"insert", "forbidI"},
        {"select", "forbidS"},
        {"update", "forbidU"},
        {"delete", "forbidD"},
        {"and",    "forbidA"},
        {"or",     "forbidO"},
    };
    String scrubbed = src;
    for (String[] rule : rules) {
        scrubbed = scrubbed.replaceAll(rule[0], rule[1]);
    }
    if (!original.equals(scrubbed)) {
        // Log only; the rewritten value is still returned.
        System.out.println("输入信息存在SQL攻击!");
        System.out.println("原始输入信息-->" + original);
        System.out.println("处理后信息-->" + scrubbed);
    }
    return scrubbed;
}