Servlet Filter 技术防止XSS攻击的过滤器例子

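import java.io.IOException;
import java.util.regex.Pattern;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;

/**
 * Servlet filter that wraps each HTTP request in a
 * {@link ParkingXssHttpServletRequestWrapper}, so that parameter and header
 * values read by the application have HTML-significant characters encoded and
 * a small set of script-like fragments removed.
 *
 * <p>Requests whose URI fully matches one of the exempt patterns (mobile,
 * Alipay, WeChat and remote-service endpoints) are passed through untouched.
 *
 * <p>NOTE(review): this is an input-side, blacklist-style filter. It does not
 * see the request body stream, the raw query string or anything read after the
 * wrapper is bypassed, and encoding at input time means already-encoded data is
 * stored. Context-aware output encoding in the view layer remains the primary
 * XSS defence; treat this filter as defence in depth only.
 */
public class ParkingXssFilter implements Filter {

    FilterConfig filterConfig = null;

    /**
     * URI patterns exempt from wrapping. The dot before {@code action} is
     * escaped so that only a literal ".action" suffix is exempt; the original
     * unescaped {@code .} matched any character.
     */
    public static final String MOBILE_REG = "/pms/mobile/\\w{1,}\\.action";
    public static final String ALIPAY_REG = "/pms/fuwuchuang/\\w{1,}\\.action";
    public static final String WEIXIN_REG = "/pms/weixin/\\w{1,}\\.action";
    public static final String REMOTE_REG = "/pms/parkRemoteService/\\w{1,}\\.action";

    // Compiled once per class rather than per instance; the strings above are constant.
    private static final Pattern PATTERN_MOBILE = Pattern.compile(MOBILE_REG);
    private static final Pattern PATTERN_ALIPAY = Pattern.compile(ALIPAY_REG);
    private static final Pattern PATTERN_WEIXIN = Pattern.compile(WEIXIN_REG);
    private static final Pattern PATTERN_REMOTE = Pattern.compile(REMOTE_REG);

    /**
     * Default constructor.
     */
    public ParkingXssFilter() {
    }

    /**
     * @see Filter#destroy()
     */
    @Override
    public void destroy() {
        this.filterConfig = null;
    }

    /**
     * Passes exempt requests and non-HTTP requests through unchanged; wraps
     * every other request so that parameter and header reads are sanitised.
     *
     * @param request  the incoming request
     * @param response the outgoing response
     * @param chain    the remaining filter chain
     * @throws IOException      propagated from the chain
     * @throws ServletException propagated from the chain
     * @see Filter#doFilter(ServletRequest, ServletResponse, FilterChain)
     */
    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        // Only HTTP requests have a URI to test and headers to wrap; anything else is
        // passed through instead of failing with a ClassCastException.
        if (!(request instanceof HttpServletRequest)) {
            chain.doFilter(request, response);
            return;
        }
        HttpServletRequest httpRequest = (HttpServletRequest) request;
        String requestUrl = httpRequest.getRequestURI();
        // A few special interfaces (mobile / Alipay / WeChat / remote service)
        // must not have their parameters rewritten by the XSS wrapper.
        if (isExempt(requestUrl)) {
            chain.doFilter(request, response);
        } else {
            chain.doFilter(new ParkingXssHttpServletRequestWrapper(httpRequest), response);
        }
    }

    /**
     * Returns {@code true} when the whole URI matches one of the exempt patterns.
     * A {@code null} URI is never exempt, so it is still wrapped.
     */
    private static boolean isExempt(String requestUri) {
        if (requestUri == null) {
            return false;
        }
        return PATTERN_MOBILE.matcher(requestUri).matches()
                || PATTERN_ALIPAY.matcher(requestUri).matches()
                || PATTERN_WEIXIN.matcher(requestUri).matches()
                || PATTERN_REMOTE.matcher(requestUri).matches();
    }

    /**
     * @see Filter#init(FilterConfig)
     */
    @Override
    public void init(FilterConfig fConfig) throws ServletException {
        this.filterConfig = fConfig;
    }
}

///////////////////////////////////////////////////////////
// (second source file)

import java.util.ArrayList;
import java.util.Collections;
import java.util.Enumeration;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.regex.Pattern;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;

/**
 * Request wrapper that sanitises parameter and header values on read.
 *
 * <p>Compared with the original, this version also overrides
 * {@link #getParameterMap()} and {@link #getHeaders(String)}: a framework that
 * reads parameters through {@code getParameterMap()} (common for
 * {@code .action}-style handlers) would otherwise receive the raw values and
 * the filter would be silently bypassed.
 *
 * <p>NOTE(review): {@code getQueryString()}, {@code getInputStream()} and
 * {@code getReader()} are still not covered; raw bodies reach the application
 * unchanged.
 */
public class ParkingXssHttpServletRequestWrapper extends HttpServletRequestWrapper {

    // Patterns are compiled once; the original re-compiled them on every call.
    //
    // Ordering matters: these patterns look for raw '<', '>', '(' and ''' and are
    // applied BEFORE entity encoding in cleanXSS. The original encoded first, which
    // made every tag / eval / expression pattern unreachable dead code.
    private static final Pattern[] STRIP_PATTERNS = {
            // Anything between <script> and </script>
            Pattern.compile("<script>(.*?)</script>", Pattern.CASE_INSENSITIVE),
            // Anything in a src='...' or src="..." attribute
            Pattern.compile("src[\r\n]*=[\r\n]*\\\'(.*?)\\\'",
                    Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL),
            Pattern.compile("src[\r\n]*=[\r\n]*\\\"(.*?)\\\"",
                    Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL),
            // Lonesome </script> and <script ...> tags
            Pattern.compile("</script>", Pattern.CASE_INSENSITIVE),
            Pattern.compile("<script(.*?)>",
                    Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL),
            // eval(...) — the original also had a greedy, case-sensitive "eval\\((.*)\\)"
            // variant; it never ran (encoded parentheses) and is subsumed by this one.
            Pattern.compile("eval\\((.*?)\\)",
                    Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL),
            // expression(...) — the original literal contained a stray soft-hyphen
            // character inside "expression", so it could never match.
            Pattern.compile("expression\\((.*?)\\)",
                    Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL),
            // javascript: URLs
            Pattern.compile("javascript:", Pattern.CASE_INSENSITIVE),
            // onload= handlers
            Pattern.compile("onload(.*?)=",
                    Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL),
    };

    public ParkingXssHttpServletRequestWrapper(HttpServletRequest request) {
        super(request);
    }

    /**
     * @return the sanitised values for {@code parameter}, or {@code null} when absent
     */
    @Override
    public String[] getParameterValues(String parameter) {
        String[] values = super.getParameterValues(parameter);
        if (values == null) {
            return null;
        }
        return cleanValues(values);
    }

    /**
     * @return the sanitised first value for {@code parameter}, or {@code null} when absent
     */
    @Override
    public String getParameter(String parameter) {
        String value = super.getParameter(parameter);
        if (value == null) {
            return null;
        }
        return cleanXSS(value);
    }

    /**
     * Sanitised copy of the whole parameter map. Key order is preserved and the
     * returned map is unmodifiable, matching the servlet contract for this method.
     */
    @Override
    public Map<String, String[]> getParameterMap() {
        Map<String, String[]> raw = super.getParameterMap();
        if (raw == null) {
            return null;
        }
        Map<String, String[]> cleaned = new LinkedHashMap<String, String[]>();
        for (Map.Entry<String, String[]> entry : raw.entrySet()) {
            String[] values = entry.getValue();
            cleaned.put(entry.getKey(), values == null ? null : cleanValues(values));
        }
        return Collections.unmodifiableMap(cleaned);
    }

    /**
     * @return the sanitised header value, or {@code null} when the header is absent
     */
    @Override
    public String getHeader(String name) {
        String value = super.getHeader(name);
        if (value == null) {
            return null;
        }
        return cleanXSS(value);
    }

    /**
     * Sanitised copy of every value of header {@code name}. Returns {@code null}
     * only when the underlying request does.
     */
    @Override
    public Enumeration<String> getHeaders(String name) {
        Enumeration<String> raw = super.getHeaders(name);
        if (raw == null) {
            return null;
        }
        List<String> cleaned = new ArrayList<String>();
        while (raw.hasMoreElements()) {
            cleaned.add(cleanXSS(raw.nextElement()));
        }
        return Collections.enumeration(cleaned);
    }

    /** Applies {@link #cleanXSS(String)} to each element, returning a new array. */
    private static String[] cleanValues(String[] values) {
        String[] encodedValues = new String[values.length];
        for (int i = 0; i < values.length; i++) {
            encodedValues[i] = cleanXSS(values[i]);
        }
        return encodedValues;
    }

    /**
     * Strips known script-like fragments, drops NUL characters and finally
     * entity-encodes {@code < > ( ) '}. Encoding is the last step so that the
     * returned string never contains those characters raw, regardless of what
     * the pattern pass removed.
     *
     * @param value raw input value; {@code null} is returned as {@code null}
     * @return the sanitised value
     */
    private static String cleanXSS(String value) {
        if (value == null) {
            return null;
        }
        // 1. Remove script-like fragments while the raw characters are still present.
        for (Pattern pattern : STRIP_PATTERNS) {
            value = pattern.matcher(value).replaceAll("");
        }
        // 2. Drop NUL characters. The original used an empty pattern here
        //    (replaceAll("", "")), which is a no-op.
        value = value.replace("\0", "");
        // 3. Encode HTML-significant characters. String.replace is a literal
        //    replacement, so no regex escaping of the parentheses is needed.
        value = value.replace("<", "&lt;").replace(">", "&gt;");
        value = value.replace("(", "&#40;").replace(")", "&#41;");
        value = value.replace("'", "&#39;");
        return value;
    }
}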