(1) Configure a filter like this in web.xml:
<!-- Filter Xss -->
<filter>
    <filter-name>xssfilter</filter-name>
    <filter-class>cn.zifangsky.filter.XSSFilter</filter-class>
    <init-param>
        <param-name>exclude</param-name>
        <param-value>/;/scripts/*;/styles/*;/images/*</param-value>
    </init-param>
</filter>
<filter-mapping>
    <filter-name>xssfilter</filter-name>
    <url-pattern>*.html</url-pattern>
    <!-- Requests coming directly from the client and requests through forward are passed through the filter -->
    <dispatcher>request</dispatcher>
    <dispatcher>forward</dispatcher>
</filter-mapping>
(2) The filter class, XSSFilter.java:
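package cn.zifangsky.filter;

import java.io.IOException;
import java.util.Collections;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map;
import java.util.Vector;
import java.util.regex.Pattern;

import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import javax.servlet.http.HttpServletResponse;

import org.apache.commons.lang3.StringEscapeUtils;
import org.apache.commons.lang3.StringUtils;
import org.springframework.web.filter.OncePerRequestFilter;

/**
 * Servlet filter that XML-escapes every request parameter value before the
 * request reaches the servlet, except for requests whose path (relative to the
 * context path) matches one of the configured exclude patterns.
 *
 * <p>The exclude configuration is a semicolon-separated list of paths in which
 * {@code *} matches any run of characters and every other character is matched
 * literally, e.g. {@code /;/scripts/*;/styles/*;/images/*}.
 */
public class XSSFilter extends OncePerRequestFilter {

    /** Raw exclude configuration as passed to {@link #setExclude(String)}. */
    private String exclude = null;
    /** Compiled form of {@link #exclude}; {@code null} until configured, or when the configuration is blank. */
    private Pattern pattern = null;

    /**
     * Configures the paths that bypass escaping.
     *
     * @param exclude semicolon-separated path list; a blank value excludes nothing
     */
    public void setExclude(String exclude) {
        this.exclude = exclude;
        // A blank list means "exclude nothing" rather than Pattern.compile(null).
        this.pattern = StringUtils.isBlank(exclude) ? null : Pattern.compile(getRegStr(exclude));
    }

    /**
     * XSS filtering: excluded paths pass through unchanged; every other request
     * is wrapped so that its parameters are read in escaped form.
     */
    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
            FilterChain filterChain) throws ServletException, IOException {
        if (pattern != null && pattern.matcher(pathWithinContext(request)).matches()) {
            filterChain.doFilter(request, response);
        } else {
            filterChain.doFilter(new EscapeScriptWrapper(request), response);
        }
    }

    /**
     * Returns the request URI with a leading context path removed.
     *
     * <p>Only the prefix is stripped; {@code String.replace} would also remove
     * later occurrences of the same text inside the path.
     * NOTE(review): this is the raw request URI (neither decoded nor normalised),
     * so an encoded spelling of an excluded path may be matched differently from
     * the way the container maps it — confirm this is the intended policy.
     *
     * @return the path within the context, or {@code ""} when the URI is absent
     */
    private static String pathWithinContext(HttpServletRequest request) {
        String requestURI = request.getRequestURI();
        if (requestURI == null) {
            return "";
        }
        String contextPath = request.getContextPath();
        if (StringUtils.isNotEmpty(contextPath) && requestURI.startsWith(contextPath)) {
            return requestURI.substring(contextPath.length());
        }
        return requestURI;
    }

    /**
     * Converts the semicolon-separated exclude list into one regular expression
     * that matches a path exactly when the path matches any entry of the list.
     *
     * @param str exclude list; in each entry {@code *} stands for ".*" and all other characters are literal
     * @return alternation of anchored patterns, or {@code str} itself when it is blank
     */
    private String getRegStr(String str) {
        if (StringUtils.isBlank(str)) {
            return str;
        }
        String[] excludes = str.split(";"); // entries are separated by semicolons
        for (int i = 0; i < excludes.length; i++) {
            excludes[i] = "^" + wildcardToRegex(excludes[i]) + "$";
        }
        return StringUtils.join(excludes, "|");
    }

    /**
     * Turns a single wildcard path into a regex fragment. Every literal run is
     * wrapped with {@link Pattern#quote} so that characters such as '.', '+',
     * '(' or '\' cannot be read as regex syntax, and each '*' becomes ".*".
     */
    private static String wildcardToRegex(String wildcard) {
        StringBuilder regex = new StringBuilder();
        int literalStart = 0;
        for (int i = 0; i < wildcard.length(); i++) {
            if (wildcard.charAt(i) == '*') {
                if (i > literalStart) {
                    regex.append(Pattern.quote(wildcard.substring(literalStart, i)));
                }
                regex.append(".*");
                literalStart = i + 1;
            }
        }
        if (literalStart < wildcard.length()) {
            regex.append(Pattern.quote(wildcard.substring(literalStart)));
        }
        return regex.toString();
    }

    /**
     * {@link HttpServletRequestWrapper} that hands out escaped copies of the
     * parameter values. The wrapped request's parameter arrays are never
     * modified, so reading a parameter twice does not escape it twice.
     */
    private static class EscapeScriptWrapper extends HttpServletRequestWrapper {

        /** Snapshot of the original, unescaped parameters. */
        private final Map<String, String[]> parameterMap;

        public EscapeScriptWrapper(HttpServletRequest request) {
            super(request);
            parameterMap = request.getParameterMap();
        }

        /** @return the names of all parameters of the wrapped request */
        @Override
        public Enumeration<String> getParameterNames() {
            Vector<String> names = new Vector<String>(parameterMap.keySet());
            return names.elements();
        }

        /**
         * Returns the escaped first value of a parameter (e.g. a text field).
         *
         * @param name parameter name
         * @return escaped first value, or {@code null} when the parameter is absent
         */
        @Override
        public String getParameter(String name) {
            String[] results = parameterMap.get(name);
            if (results == null || results.length <= 0) {
                return null;
            }
            return escapeXSS(results[0]);
        }

        /**
         * Returns escaped copies of all values of a parameter (e.g. a checkbox group).
         *
         * @param name parameter name
         * @return a new array of escaped values, or {@code null} when the parameter is absent
         */
        @Override
        public String[] getParameterValues(String name) {
            String[] results = parameterMap.get(name);
            if (results == null || results.length <= 0) {
                return null;
            }
            return escapeAll(results);
        }

        /**
         * Returns an unmodifiable map of escaped values, so code that reads
         * parameters via {@code getParameterMap()} instead of the
         * {@code getParameter*} methods sees the same escaping.
         */
        @Override
        public Map<String, String[]> getParameterMap() {
            Map<String, String[]> escaped = new HashMap<String, String[]>();
            for (Map.Entry<String, String[]> entry : parameterMap.entrySet()) {
                String[] values = entry.getValue();
                escaped.put(entry.getKey(), values == null ? null : escapeAll(values));
            }
            return Collections.unmodifiableMap(escaped);
        }

        /** Escapes every value into a fresh array; the input array is left untouched. */
        private static String[] escapeAll(String[] values) {
            String[] escaped = new String[values.length];
            for (int i = 0; i < values.length; i++) {
                escaped[i] = escapeXSS(values[i]);
            }
            return escaped;
        }

        /**
         * Escapes the XML special characters of a value ({@code < > & " '}) so that
         * injected markup is rendered as text. Decode with
         * {@code StringEscapeUtils.unescapeXml(escapedStr)}.
         * NOTE(review): this is HTML/XML-context encoding only; a value later placed
         * into a JavaScript string or a URL needs the encoding for that context as
         * well — confirm where the values are rendered.
         *
         * @param str raw value; {@code null} is passed through
         */
        private static String escapeXSS(String str) {
            // An earlier variant applied escapeEcmaScript before escapeXml.
            return StringEscapeUtils.escapeXml(str);
        }
    }
}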
> Of course, the point here is how to convert the collection of paths configured in web.xml into a regular-expression pattern. Extracted on its own, the code looks like this:
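import java.util.regex.Pattern;
import org.apache.commons.lang3.StringUtils;

/**
 * Demonstrates how the semicolon-separated exclude list from web.xml is turned
 * into one regular expression and matched against a request path.
 */
public class Demo3 {

    /**
     * Converts the exclude list into an alternation of anchored patterns.
     *
     * @param str semicolon-separated paths; in each entry {@code *} stands for ".*" and all other characters are literal
     * @return the regular expression, or {@code str} itself when it is blank
     */
    private static String getRegStr(String str) {
        if (StringUtils.isBlank(str)) {
            return str;
        }
        String[] excludes = str.split(";"); // entries are separated by semicolons
        for (int i = 0; i < excludes.length; i++) {
            excludes[i] = "^" + wildcardToRegex(excludes[i]) + "$";
        }
        return StringUtils.join(excludes, "|");
    }

    /**
     * Turns a single wildcard path into a regex fragment. Every literal run is
     * wrapped with {@link Pattern#quote} so that characters such as '.', '+',
     * '(' or '\' cannot be read as regex syntax, and each '*' becomes ".*".
     */
    private static String wildcardToRegex(String wildcard) {
        StringBuilder regex = new StringBuilder();
        int literalStart = 0;
        for (int i = 0; i < wildcard.length(); i++) {
            if (wildcard.charAt(i) == '*') {
                if (i > literalStart) {
                    regex.append(Pattern.quote(wildcard.substring(literalStart, i)));
                }
                regex.append(".*");
                literalStart = i + 1;
            }
        }
        if (literalStart < wildcard.length()) {
            regex.append(Pattern.quote(wildcard.substring(literalStart)));
        }
        return regex.toString();
    }

    /** Matches one sample path against the exclude list used in web.xml and prints the decision. */
    public static void main(String[] args) {
        // Other list shapes the same conversion accepts: "*/js/*;/scripts/*;",
        // "\\;\\scripts\\*", "*", "/pages/*/js/*", "/page.html/js/*".
        String t1 = "/;/scripts/*;/styles/*;/images/*";
        String test = "/pages/scripts/xx.js";
        Pattern pattern = Pattern.compile(Demo3.getRegStr(t1));
        if (pattern.matcher(test).matches()) {
            // In the filter this branch would call filterChain.doFilter(request, response).
            System.out.println("The path does not need to be filtered");
        } else {
            // In the filter this branch would wrap the request before calling doFilter.
            System.out.println("Requires filter processing");
        }
    }
}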
The code is simple, so there's not much to explain here.
This article is from "Zifangsky's personal blog" blog, make sure to keep this source http://983836259.blog.51cto.com/7311475/1862603
Basic algorithm 10: making a filter (Filter) skip specified paths