Base algorithm 10: Making a filter skip specified paths


(1) Configure the filter in web.xml:

    <!-- XSS filter -->
    <filter>
        <filter-name>xssfilter</filter-name>
        <filter-class>cn.zifangsky.filter.XSSFilter</filter-class>
        <init-param>
            <param-name>exclude</param-name>
            <param-value>/;/scripts/*;/styles/*;/images/*</param-value>
        </init-param>
    </filter>
    <filter-mapping>
        <filter-name>xssfilter</filter-name>
        <url-pattern>*.html</url-pattern>
        <!-- Requests coming directly from the client and requests through forward are passed through the filter -->
        <dispatcher>REQUEST</dispatcher>
        <dispatcher>FORWARD</dispatcher>
    </filter-mapping>

(2) The filter, XSSFilter.java:

    package cn.zifangsky.filter;

    import java.io.IOException;
    import java.util.Enumeration;
    import java.util.Map;
    import java.util.Vector;
    import java.util.regex.Pattern;

    import javax.servlet.FilterChain;
    import javax.servlet.ServletException;
    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpServletRequestWrapper;
    import javax.servlet.http.HttpServletResponse;

    import org.apache.commons.lang3.StringEscapeUtils;
    import org.apache.commons.lang3.StringUtils;
    import org.springframework.web.filter.OncePerRequestFilter;

    public class XSSFilter extends OncePerRequestFilter {
        private String exclude = null;   // Collection of paths that do not need to be filtered
        private Pattern pattern = null;  // Regular expression matching the paths that do not need to be filtered

        // Called with the "exclude" init-param from web.xml
        public void setExclude(String exclude) {
            this.exclude = exclude;
            pattern = Pattern.compile(getRegStr(exclude));
        }

        /**
         * XSS filtering
         */
        @Override
        protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
                FilterChain filterChain) throws ServletException, IOException {
            String requestURI = request.getRequestURI();
            String contextPath = request.getContextPath();
            // Strip the context path only where it is the leading prefix of the URI
            if (StringUtils.isNotBlank(requestURI) && requestURI.startsWith(contextPath))
                requestURI = requestURI.substring(contextPath.length());

            // No exclude list configured (pattern == null): filter every request
            if (pattern != null && pattern.matcher(requestURI).matches())
                filterChain.doFilter(request, response);
            else {
                EscapeScriptWrapper escapeScriptWrapper = new EscapeScriptWrapper(request);
                filterChain.doFilter(escapeScriptWrapper, response);
            }
        }

        /**
         * Converts the string holding the collection of paths that do not need
         * to be filtered into a series of regular expression rules.
         *
         * @param str collection of paths that do not need to be filtered
         * @return regular expression rule
         */
        private String getRegStr(String str) {
            if (StringUtils.isNotBlank(str)) {
                String[] excludes = str.split(";");  // split on semicolons
                int length = excludes.length;
                for (int i = 0; i < length; i++) {
                    String tmpExclude = excludes[i];
                    // Escape the dot, backslash and asterisk
                    tmpExclude = tmpExclude.replace("\\", "\\\\").replace(".", "\\.").replace("*", ".*");

                    tmpExclude = "^" + tmpExclude + "$";
                    excludes[i] = tmpExclude;
                }
                return StringUtils.join(excludes, "|");
            }
            return str;
        }

        /**
         * Extends HttpServletRequestWrapper to create a decorator class that
         * modifies the HttpServletRequest parameters.
         * Note: getParameterMap() is not overridden and still returns the raw values.
         */
        private class EscapeScriptWrapper extends HttpServletRequestWrapper {
            private Map<String, String[]> parameterMap;  // Map of all parameters

            public EscapeScriptWrapper(HttpServletRequest request) {
                super(request);
                parameterMap = request.getParameterMap();
            }

            // Override several methods of HttpServletRequestWrapper

            /**
             * Gets all parameter names.
             *
             * @return all parameter names
             */
            @Override
            public Enumeration<String> getParameterNames() {
                Vector<String> vector = new Vector<String>(parameterMap.keySet());
                return vector.elements();
            }

            /**
             * Gets the value of the specified parameter name; if the name is
             * duplicated, returns the first value. Receives ordinary variables,
             * such as the text type.
             *
             * @param name the parameter name
             * @return the value for the parameter name
             */
            @Override
            public String getParameter(String name) {
                String[] results = parameterMap.get(name);
                if (results == null || results.length <= 0)
                    return null;
                else {
                    return escapeXSS(results[0]);
                }
            }

            /**
             * Gets an array of all the values for the specified parameter name,
             * such as all the data of a checkbox. Receives array variables,
             * such as the checkbox type.
             */
            @Override
            public String[] getParameterValues(String name) {
                String[] results = parameterMap.get(name);
                if (results == null || results.length <= 0)
                    return null;
                else {
                    int length = results.length;
                    // Escape into a copy so that repeated calls do not escape the stored values twice
                    String[] escaped = new String[length];
                    for (int i = 0; i < length; i++) {
                        escaped[i] = escapeXSS(results[i]);
                    }
                    return escaped;
                }
            }

            /**
             * Filters the JS script in the string.
             * Decoding: StringEscapeUtils.unescapeXml(escapedStr)
             */
            private String escapeXSS(String str) {
                // return StringEscapeUtils.escapeXml(StringEscapeUtils.escapeEcmaScript(str));
                return StringEscapeUtils.escapeXml(str);
            }
        }
    }

> Of course, the main point here is how to convert the collection of paths configured in web.xml into a regular expression pattern. Extracted on its own, the code looks like this:

    import java.util.regex.Pattern;

    import org.apache.commons.lang3.StringUtils;

    public class Demo3 {

        private static String getRegStr(String str) {
            if (StringUtils.isNotBlank(str)) {
                String[] excludes = str.split(";");  // split on semicolons
                int length = excludes.length;
                for (int i = 0; i < length; i++) {
                    String tmpExclude = excludes[i];
                    // Escape the dot, backslash and asterisk
                    tmpExclude = tmpExclude.replace("\\", "\\\\").replace(".", "\\.").replace("*", ".*");

                    tmpExclude = "^" + tmpExclude + "$";
                    excludes[i] = tmpExclude;
                }
                return StringUtils.join(excludes, "|");
            }
            return str;
        }

        public static void main(String[] args) {
            String t1 = "/;/scripts/*;/styles/*;/images/*";
            String t2 = "*/js/*;/scripts/*;";
            String t3 = "\\;\\scripts\\*";
            String t4 = "*";
            String t5 = "/pages/*/js/*";
            String t6 = "/page.html/js/*";

            String test = "/pages/scripts/xx.js";

            Pattern pattern = Pattern.compile(Demo3.getRegStr(t1));
            if (pattern.matcher(test).matches()) {
                System.out.println("The path does not need to be filtered");
                // filterChain.doFilter(request, response);
            } else {
                System.out.println("Requires filter processing");
                // EscapeScriptWrapper escapeScriptWrapper = new EscapeScriptWrapper(request);
                // filterChain.doFilter(escapeScriptWrapper, response);
            }
        }
    }

The code is simple, so there's not much to explain here.
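A stricter take on the exclusion matching, added here as an example and not part of the original post: every literal character is quoted with `Pattern.quote`, empty list entries are skipped, and the filter is applied whenever the request URI is not in canonical form, because the container does not decode the value returned by `getRequestURI()`. The class `ExcludeMatcherDemo`, its method names, the `/app` context path and the sample URIs are assumptions made for the illustration.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;

public class ExcludeMatcherDemo {
    // Escapes, path parameters, backslashes, empty or dot segments: not canonical.
    private static final Pattern AMBIGUOUS = Pattern.compile("[%;\\\\]|//|/\\.{1,2}(/|$)");

    /** Turns "a;b;c" into one regex; '*' is the only wildcard, all else is literal. */
    static Pattern compileExcludes(String excludes) {
        List<String> alternatives = new ArrayList<>();
        for (String entry : (excludes == null ? "" : excludes).split(";")) {
            entry = entry.trim();
            if (entry.isEmpty()) continue;            // ";;" must not become "^$"
            StringBuilder regex = new StringBuilder();
            String[] literals = entry.split("\\*", -1);
            for (int i = 0; i < literals.length; i++) {
                if (i > 0) regex.append(".*");
                regex.append(Pattern.quote(literals[i]));
            }
            alternatives.add(regex.toString());
        }
        // "(?!)" never matches: with no exclusions configured, everything is filtered.
        return Pattern.compile(alternatives.isEmpty() ? "(?!)" : String.join("|", alternatives));
    }

    /** True only when the path may skip the filter; any doubt means "filter it". */
    static boolean isExcluded(Pattern excludes, String requestUri, String contextPath) {
        String path = requestUri.startsWith(contextPath)
                ? requestUri.substring(contextPath.length())   // strip the prefix only
                : requestUri;
        if (path.isEmpty() || AMBIGUOUS.matcher(path).find()) return false;
        return excludes.matcher(path).matches();
    }

    public static void main(String[] args) {
        Pattern excludes = compileExcludes("/;/scripts/*;;/styles/*;/images/*");
        // Constructed request URIs; "/app" is an assumed context path.
        String[] samples = {
            "/app/scripts/app.js", "/app/", "/app/user/edit.html",
            "/app/scripts/../user/edit.html", "/app/images/%2e%2e/user/edit.html", "/app"
        };
        for (String uri : samples) {
            boolean skip = isExcluded(excludes, uri, "/app");
            System.out.println(uri + " -> " + (skip ? "skip filter" : "apply filter"));
        }
    }
}
```

Inside the filter, `isExcluded(pattern, request.getRequestURI(), request.getContextPath())` would take the place of the `pattern.matcher(requestURI).matches()` test.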

This article is from the "Zifangsky's personal blog" blog; please keep this source link: http://983836259.blog.51cto.com/7311475/1862603
