在 Java 中使用 xssProtect 做请求参数的 XSS 过滤


在项目中引入两个jar包:

xssProtect-0.1.jar、antlr-runtime-4.7.jar（xssProtect 依赖的开源语法分析器运行时）

步骤:
1. 写一个 XSS 的 HttpServletRequest 包装器（需要覆盖 getParameter、getParameterValues、getParameterMap、getHeader 等读取方法；只覆盖 getParameter 的话，Spring MVC 等框架通过 getParameterMap/getParameterValues 取值时会直接绕过过滤）。
2. 写一个 Filter，把每个 HTTP 请求包装成该包装器后再交给后续处理。
3. 在 web.xml 中用 <url-pattern>/*</url-pattern> 把该 Filter 映射到所有请求（注意是 url-pattern，不是 servlet-name）。
注意：请求端的过滤只是纵深防御中的一层，不能替代在输出位置按上下文（HTML 正文、属性、JavaScript、URL）进行的编码；请求体（JSON/XML）、Cookie、URI 等不经过 getParameter 的输入也不会被这个包装器过滤。


Xss的Http的包装器

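package com.commons.utils;

import java.io.StringReader;
import java.io.StringWriter;
import java.util.ArrayList;
import java.util.Collections;
import java.util.Enumeration;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.logging.Level;
import java.util.logging.Logger;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;

import com.blogspot.radialmind.html.HTMLParser;
import com.blogspot.radialmind.xss.XSSFilter;

/**
 * {@link HttpServletRequest} wrapper that passes request parameters and headers
 * through the xssProtect {@link HTMLParser}/{@link XSSFilter} before the
 * application sees them.
 *
 * <p>Coverage: {@link #getParameter}, {@link #getParameterValues},
 * {@link #getParameterMap}, {@link #getHeader} and {@link #getHeaders} are
 * filtered. The original version only overrode {@code getParameter} and
 * {@code getHeader}, which let any code (most MVC frameworks included) reading
 * {@code getParameterMap()} or {@code getParameterValues()} receive the raw,
 * unfiltered input.
 *
 * <p>Still NOT filtered by this wrapper: {@code getParameterNames()},
 * {@code getHeaderNames()}, cookies, the request URI / query string, and the
 * request body read via {@code getInputStream()} / {@code getReader()} (JSON or
 * XML payloads). Treat this class as one layer of defence in depth; it is not a
 * substitute for context-aware output encoding at render time.
 *
 * <p>Failure policy: if the xssProtect parser throws for a given string, the
 * string is never returned raw. It is instead HTML-entity escaped by
 * {@link #escapeHtml} and the failure is logged. The original code returned the
 * raw input on {@code NullPointerException} (fail-open) and {@code null} on any
 * other exception (made the parameter look absent).
 *
 * <p>The lookup name given to {@code getParameter(name)} etc. is also passed
 * through the filter, as in the original design; a name that the filter rewrites
 * therefore cannot be looked up. Use the raw request from
 * {@link #getOrgRequest()} if the unfiltered value is needed.
 */
public class XssHttpWrapper extends HttpServletRequestWrapper {

    private static final Logger LOG = Logger.getLogger(XssHttpWrapper.class.getName());

    /** The unwrapped request, kept so callers can opt out of filtering explicitly. */
    private final HttpServletRequest orgRequest;

    /**
     * @param request the request to wrap; must not be {@code null}
     */
    public XssHttpWrapper(HttpServletRequest request) {
        super(request);
        orgRequest = request;
    }

    /**
     * Returns the filtered value of the named parameter, or {@code null} if the
     * (filtered) name is not present.
     */
    @Override
    public String getParameter(String name) {
        String value = super.getParameter(xssEncode(name));
        return value == null ? null : xssEncode(value);
    }

    /**
     * Returns a fresh array with every value of the named parameter filtered,
     * or {@code null} if the (filtered) name is not present. The container's
     * own array is never exposed or mutated.
     */
    @Override
    public String[] getParameterValues(String name) {
        String[] values = super.getParameterValues(xssEncode(name));
        return values == null ? null : encodeAll(values);
    }

    /**
     * Returns an unmodifiable copy of the parameter map with both keys and
     * values filtered. If two raw keys collapse to the same filtered key, the
     * later one (in the container's iteration order) wins.
     */
    @Override
    public Map<String, String[]> getParameterMap() {
        Map<String, String[]> raw = super.getParameterMap();
        if (raw == null) {
            return null;
        }
        Map<String, String[]> filtered = new LinkedHashMap<String, String[]>(raw.size() * 2);
        for (Map.Entry<String, String[]> entry : raw.entrySet()) {
            String[] values = entry.getValue();
            filtered.put(xssEncode(entry.getKey()), values == null ? null : encodeAll(values));
        }
        return Collections.unmodifiableMap(filtered);
    }

    /**
     * Returns the filtered value of the named header, or {@code null} if the
     * (filtered) name is not present.
     */
    @Override
    public String getHeader(String name) {
        String value = super.getHeader(xssEncode(name));
        return value == null ? null : xssEncode(value);
    }

    /**
     * Returns all values of the named header, each filtered. Mirrors the
     * container's contract: {@code null} is propagated if the container returns
     * it.
     */
    @Override
    public Enumeration<String> getHeaders(String name) {
        Enumeration<String> raw = super.getHeaders(xssEncode(name));
        if (raw == null) {
            return null;
        }
        List<String> filtered = new ArrayList<String>();
        while (raw.hasMoreElements()) {
            filtered.add(xssEncode(raw.nextElement()));
        }
        return Collections.enumeration(filtered);
    }

    /** Filters every element of {@code values} into a new array; {@code null} elements stay {@code null}. */
    private static String[] encodeAll(String[] values) {
        String[] out = new String[values.length];
        for (int i = 0; i < values.length; i++) {
            out[i] = xssEncode(values[i]);
        }
        return out;
    }

    /**
     * Runs {@code s} through the xssProtect parser with {@link XSSFilter}.
     *
     * @param s input; {@code null} and {@code ""} are returned unchanged
     * @return the filtered string; on any parser failure the entity-escaped
     *         input (never the raw input, never {@code null} for non-null input)
     */
    private static String xssEncode(String s) {
        if (s == null || s.isEmpty()) {
            return s;
        }
        StringWriter writer = new StringWriter(s.length());
        try {
            HTMLParser.process(new StringReader(s), writer, new XSSFilter(), true);
            return writer.toString();
        } catch (Exception e) {
            // Fail closed. The original returned the raw string on NullPointerException,
            // which is exactly the case an attacker would try to trigger. We do not log
            // the value itself (it may hold credentials or tokens), only the failure.
            LOG.log(Level.WARNING, "xssProtect parser failed; falling back to HTML entity escaping", e);
            return escapeHtml(s);
        }
    }

    /**
     * Minimal, dependency-free HTML entity escaping used as the fallback when the
     * parser cannot process a string. Escapes {@code < > & " '}; everything else
     * is copied through unchanged.
     */
    static String escapeHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '<':
                    sb.append("&lt;");
                    break;
                case '>':
                    sb.append("&gt;");
                    break;
                case '&':
                    sb.append("&amp;");
                    break;
                case '"':
                    sb.append("&quot;");
                    break;
                case '\'':
                    sb.append("&#39;");
                    break;
                default:
                    sb.append(c);
            }
        }
        return sb.toString();
    }

    /**
     * Returns the original, unfiltered request.
     *
     * @return the request passed to the constructor
     */
    public HttpServletRequest getOrgRequest() {
        return orgRequest;
    }

    /**
     * Unwraps {@code req} if it is an {@link XssHttpWrapper}; otherwise returns
     * {@code req} itself.
     *
     * @param req a request, possibly wrapped
     * @return the unfiltered request
     */
    public static HttpServletRequest getOrgRequest(HttpServletRequest req) {
        if (req instanceof XssHttpWrapper) {
            return ((XssHttpWrapper) req).getOrgRequest();
        }
        return req;
    }
}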


XssFilter

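package com.commons.filter;

import java.io.IOException;
import java.util.logging.Logger;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;

import com.commons.utils.XssHttpWrapper;

/**
 * Servlet filter that wraps each incoming {@link HttpServletRequest} in an
 * {@link XssHttpWrapper} so that downstream code reads filtered parameters and
 * headers.
 *
 * <p>The class name keeps the original spelling "XssFliter" because web.xml
 * refers to it by that name.
 *
 * <p>Only the request is wrapped; the response is passed through untouched, so
 * this filter provides no output encoding.
 */
public class XssFliter implements Filter {

    private static final Logger LOG = Logger.getLogger(XssFliter.class.getName());

    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
        LOG.info("Xss filter inited!");
    }

    /**
     * Wraps HTTP requests and continues the chain.
     *
     * <p>The original cast {@code (HttpServletRequest) request} unconditionally,
     * which throws {@code ClassCastException} for a non-HTTP request. It also
     * re-wrapped a request that was already an {@link XssHttpWrapper} (e.g. when
     * the filter is reached again on a FORWARD/INCLUDE dispatch), filtering the
     * same values twice. Both cases are guarded here.
     */
    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        ServletRequest toPass = request;
        if (request instanceof HttpServletRequest && !(request instanceof XssHttpWrapper)) {
            toPass = new XssHttpWrapper((HttpServletRequest) request);
        }
        chain.doFilter(toPass, response);
    }

    @Override
    public void destroy() {
        LOG.info("Xss filter destroyed!");
    }
}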


Web.xml中配置

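<!-- XSS filter: wraps every request in XssHttpWrapper (see com.commons.filter.XssFliter). -->
<filter>
    <filter-name>xssFilter</filter-name>
    <filter-class>com.commons.filter.XssFliter</filter-class>
</filter>
<filter-mapping>
    <filter-name>xssFilter</filter-name>
    <!-- Must be url-pattern, not servlet-name. The original used
         <servlet-name>/*</servlet-name>; there is no servlet named "/*", so the
         filter was never applied and no request was filtered at all. -->
    <url-pattern>/*</url-pattern>
</filter-mapping>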

