XSS攻击过滤器


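import java.io.IOException;
import java.io.InputStream;
import java.util.Collections;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.logging.Level;
import java.util.logging.Logger;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;

import org.apache.commons.lang3.StringEscapeUtils;
import org.owasp.validator.html.AntiSamy;
import org.owasp.validator.html.CleanResults;
import org.owasp.validator.html.Policy;
import org.owasp.validator.html.PolicyException;
import org.owasp.validator.html.ScanException;

/**
 * Request wrapper that runs every request parameter through OWASP AntiSamy
 * before the application sees it.
 *
 * Scope: only {@code getParameter}, {@code getParameterValues} and
 * {@code getParameterMap} are intercepted. Headers, cookies, path segments,
 * {@code getQueryString()} and the raw request body are passed through
 * untouched, so this wrapper is a defence-in-depth layer and is not a
 * substitute for context-aware output encoding in views and templates.
 *
 * The AntiSamy policy is loaded once from {@code antisamy-config.xml} on the
 * class path. If it is missing or invalid, class initialisation fails and the
 * filter does not deploy; the earlier behaviour of carrying on with a
 * {@code null} policy meant parameters were not sanitised at all.
 *
 * Note that AntiSamy returns HTML: a value containing characters such as
 * {@code &} or {@code <} may come back entity-encoded or with markup removed
 * even when the parameter was never meant to be HTML.
 */
public class XssRequestWrapper extends HttpServletRequestWrapper {

    private static final Logger LOG = Logger.getLogger(XssRequestWrapper.class.getName());

    /** Class-path resource holding the AntiSamy policy. */
    private static final String POLICY_RESOURCE = "antisamy-config.xml";

    /** Policy shared by all wrapper instances; never null once the class has initialised. */
    private static final Policy POLICY = loadPolicy();

    public XssRequestWrapper(HttpServletRequest request) {
        super(request);
    }

    /**
     * Loads the AntiSamy policy from the class path and closes the stream.
     *
     * @return the parsed policy
     * @throws IllegalStateException if the resource is absent or cannot be
     *         parsed, so that the failure surfaces at deployment instead of
     *         every parameter silently bypassing sanitisation
     */
    private static Policy loadPolicy() {
        InputStream in = XssRequestWrapper.class.getClassLoader().getResourceAsStream(POLICY_RESOURCE);
        if (in == null) {
            throw new IllegalStateException("AntiSamy policy " + POLICY_RESOURCE + " not found on the class path");
        }
        try {
            return Policy.getInstance(in);
        } catch (PolicyException e) {
            throw new IllegalStateException("AntiSamy policy " + POLICY_RESOURCE + " could not be parsed", e);
        } finally {
            try {
                in.close();
            } catch (IOException ignored) {
                // The policy is already parsed (or the parse failure already reported); nothing to recover.
            }
        }
    }

    /**
     * Returns an unmodifiable copy of the parameter map with every value sanitised.
     *
     * A fresh map and fresh arrays are built instead of writing into the arrays
     * obtained from the wrapped request: whether those arrays are the
     * container's own copies is container-specific, and mutating them would
     * change what the container and other filters see.
     */
    @Override
    public Map<String, String[]> getParameterMap() {
        Map<String, String[]> source = super.getParameterMap();
        Map<String, String[]> cleaned = new LinkedHashMap<String, String[]>(source.size());
        for (Map.Entry<String, String[]> entry : source.entrySet()) {
            cleaned.put(entry.getKey(), cleanAll(entry.getValue()));
        }
        return Collections.unmodifiableMap(cleaned);
    }

    /** Returns the sanitised first value of {@code name}, or null if the parameter is absent. */
    @Override
    public String getParameter(String name) {
        String raw = super.getParameter(name);
        return raw == null ? null : xssClean(raw);
    }

    /** Returns a new array of sanitised values for {@code name}, or null if the parameter is absent. */
    @Override
    public String[] getParameterValues(String name) {
        return cleanAll(super.getParameterValues(name));
    }

    /**
     * Sanitises each element into a new array. A null or empty input is
     * returned as-is so callers keep the container's null/empty semantics.
     */
    private String[] cleanAll(String[] values) {
        if (values == null || values.length == 0) {
            return values;
        }
        String[] out = new String[values.length];
        for (int i = 0; i < values.length; i++) {
            out[i] = xssClean(values[i]);
        }
        return out;
    }

    /**
     * Runs one value through AntiSamy and returns the cleaned HTML.
     *
     * If scanning fails the value is HTML-escaped in full rather than returned
     * verbatim. The original fallback returned the raw input, which meant any
     * value AntiSamy could not process reached the application unsanitised.
     *
     * @param value the raw parameter value; null is returned unchanged
     */
    private String xssClean(String value) {
        if (value == null) {
            return null;
        }
        try {
            CleanResults results = new AntiSamy().scan(value, POLICY);
            return results.getCleanHTML();
        } catch (ScanException e) {
            return escapeOnFailure(value, e);
        } catch (PolicyException e) {
            return escapeOnFailure(value, e);
        }
    }

    /** Fail-closed fallback: log the failure (not the value) and HTML-escape the whole input. */
    private static String escapeOnFailure(String value, Exception cause) {
        LOG.log(Level.WARNING, "AntiSamy could not scan a request parameter; returning it HTML-escaped", cause);
        return StringEscapeUtils.escapeHtml4(value);
    }
}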



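import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;

/**
 * Servlet filter that wraps each HTTP request in an {@link XssRequestWrapper}
 * so that request parameters read further down the chain have been run
 * through AntiSamy.
 *
 * Only HTTP requests are wrapped; anything else is handed on unchanged
 * instead of being cast blindly (the previous unconditional cast threw a
 * ClassCastException). The wrapper sanitises request parameters only, so
 * this filter does not remove the need for output encoding in views.
 */
public class XssFilter implements Filter {

    public void init(FilterConfig filterConfig) throws ServletException {
        // No init-params are read; the AntiSamy policy is loaded by XssRequestWrapper itself.
    }

    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        if (request instanceof HttpServletRequest) {
            chain.doFilter(new XssRequestWrapper((HttpServletRequest) request), response);
        } else {
            chain.doFilter(request, response);
        }
    }

    public void destroy() {
        // Nothing to release: the filter holds no state.
    }
}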












