1: Using Action filtering
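package com.tsou.comm.servlet;

import java.util.Collections;
import java.util.Enumeration;
import java.util.LinkedHashMap;
import java.util.Map;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;

/**
 * Request wrapper that serves parameters from a caller-supplied map and
 * replaces the characters {@code <} and {@code >} in every value it hands out
 * with the HTML entities {@code &lt;} and {@code &gt;}.
 *
 * <p>The listing this was reconstructed from shows the replacement target as the
 * same character (a no-op); the entities are the evident intent and the page
 * rendering most likely swallowed them, so confirm against the original source.
 *
 * <p>Scope of the protection: only {@code <} and {@code >} are rewritten. Quotes
 * and {@code &} pass through unchanged, so a value placed inside an HTML
 * attribute or a script context is not made safe by this wrapper alone;
 * context-aware output encoding at render time remains the primary control.
 *
 * <p>Differences from the original listing: {@link #getParameter(String)} used to
 * rewrite {@code <} twice (the second call turned it into {@code >}) and never
 * touched {@code >}; {@link #getParameterValues(String)} escaped the arrays stored
 * in the map in place, so every call re-escaped shared state; the
 * {@code toString()} fallback was returned unescaped; and
 * {@link #getParameterMap()} exposed the live, unescaped backing map.
 *
 * @ClassName: TsRequest
 * @version V1.0
 * @date September 25, 2014
 * @author Wangsheng
 */
public class TsRequest extends HttpServletRequestWrapper {

    /**
     * Parameter name to value. Values are expected to be {@code String} or
     * {@code String[]}; anything else is rendered with {@code toString()}.
     */
    private final Map<String, ?> params;

    /**
     * Creates a wrapper whose parameter methods read from {@code newParams}
     * instead of the underlying request.
     *
     * @param request   the request being wrapped (must not be null, per the superclass)
     * @param newParams parameter map consulted by the parameter accessors; it is
     *                  read but never modified by this class
     */
    public TsRequest(HttpServletRequest request, Map<String, ?> newParams) {
        super(request);
        this.params = newParams;
    }

    /**
     * Returns a fresh map of every parameter with its values escaped exactly as
     * {@link #getParameterValues(String)} would return them. The backing map is
     * not exposed, so callers cannot read raw values or mutate shared state.
     *
     * @return parameter name to escaped values, in the backing map's iteration order
     */
    @Override
    public Map<String, String[]> getParameterMap() {
        Map<String, String[]> escaped = new LinkedHashMap<String, String[]>();
        for (String name : params.keySet()) {
            escaped.put(name, getParameterValues(name));
        }
        return escaped;
    }

    /**
     * Enumerates the parameter names known to the backing map.
     *
     * @return the keys of the backing map
     */
    @Override
    public Enumeration<String> getParameterNames() {
        return Collections.enumeration(params.keySet());
    }

    /**
     * Returns all escaped values for {@code name}.
     *
     * @param name parameter name
     * @return {@code null} when the parameter is absent; otherwise a new array
     *         (never the array stored in the backing map) holding the escaped values
     */
    @Override
    public String[] getParameterValues(String name) {
        Object v = params.get(name);
        if (v == null) {
            return null;
        }
        if (v instanceof String[]) {
            String[] src = (String[]) v;
            // Copy rather than escape in place: the map may be shared, and
            // re-escaping the same array on every call would double-encode it.
            String[] out = new String[src.length];
            for (int i = 0; i < src.length; i++) {
                out[i] = escape(src[i]);
            }
            return out;
        }
        if (v instanceof String) {
            return new String[] { escape((String) v) };
        }
        return new String[] { escape(v.toString()) };
    }

    /**
     * Returns the first escaped value for {@code name}.
     *
     * @param name parameter name
     * @return the first escaped value, or {@code null} when the parameter is
     *         absent or maps to an empty array
     */
    @Override
    public String getParameter(String name) {
        String[] values = getParameterValues(name);
        if (values == null || values.length == 0) {
            return null;
        }
        return values[0];
    }

    /**
     * Replaces {@code <} and {@code >} with their HTML entities.
     *
     * @param s raw value, may be null
     * @return the escaped value, or null when {@code s} is null
     */
    private static String escape(String s) {
        if (s == null) {
            return null;
        }
        // Plain replace: neither character is a regex metacharacter, so this is
        // equivalent to the original replaceAll without the regex overhead.
        return s.replace("<", "&lt;").replace(">", "&gt;");
    }
}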
2: Filter with interceptors
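package com.kadang.wp.mobile.wap.core.common;

import java.io.IOException;
import java.util.Enumeration;
import java.util.Locale;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.apache.commons.lang3.StringUtils;

/**
 * XSS check filter. A request is rejected (forwarded to the configured error
 * page instead of the filter chain) when its request URI or any parameter
 * value contains one of a small denylist of markup-related tokens.
 *
 * <p>This is a coarse input-side gate, not a complete XSS defense: it inspects
 * only the URI and request parameters (not headers, cookies or non-form
 * bodies), matches a fixed list of tokens, and cannot know the context in
 * which a value is later rendered. Context-aware output encoding at render
 * time remains the primary control; keep this filter as defense in depth.
 *
 * <p>Differences from the original listing: every value of a multi-valued
 * parameter is checked (the original asked {@code getParameter}, which returns
 * only the first value); the denylist is lower-case so that it can actually
 * match the lower-cased input ("Set-cookie" as printed could never match);
 * lower-casing uses {@link Locale#ROOT}; and a missing error path fails at
 * deployment instead of on the first rejected request.
 *
 * <p>Name reconstruction: the listing was case-garbled, so the init-parameter
 * name {@code errorPath}, the request attribute {@code error} and the
 * backslash denylist entry are reconstructed; confirm them against web.xml and
 * the error page.
 *
 * @author Jianghao
 * @date 2014-08-22
 */
public class XssCheckFilter implements Filter {

    /** Forward target for rejected requests; taken from the init parameter. */
    private String errorPath;

    /**
     * Tokens that mark a value as unsafe. The check lower-cases the input
     * before comparing, so every entry here must be lower-case.
     */
    private static final String[] SAFE_LESS = {
        "set-cookie", "<", "%3c", "%3e", ">",
        "\\"   // printed as "\ \" in the listing; assumed to be a literal backslash - confirm
    };

    /**
     * Reads the error page path from the filter configuration.
     *
     * @param filterConfig filter configuration supplied by the container
     * @throws ServletException when the init parameter is missing or blank, so a
     *         misconfigured filter fails at deployment rather than at the first
     *         rejected request
     */
    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
        String path = filterConfig.getInitParameter("errorPath");
        if (StringUtils.isBlank(path)) {
            throw new ServletException("XssCheckFilter: init parameter 'errorPath' is required");
        }
        setErrorPath(path);
    }

    /**
     * Passes the request down the chain when its URI and all parameter values
     * are free of denylisted tokens; otherwise sets the {@code error} request
     * attribute and forwards to the error page.
     *
     * @param req   incoming request, expected to be an {@link HttpServletRequest}
     * @param resp  outgoing response, expected to be an {@link HttpServletResponse}
     * @param chain remaining filter chain
     * @throws IOException      propagated from the chain or the forward
     * @throws ServletException propagated from the chain or the forward
     */
    @Override
    public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) resp;

        if (isSafeRequest(request)) {
            chain.doFilter(req, resp);
            return;
        }
        request.setAttribute("error", "URL or params is full of illegal XSS character");
        request.getRequestDispatcher(getErrorPath()).forward(request, response);
    }

    /**
     * Checks the request URI and every value of every parameter.
     *
     * @param request the request under inspection
     * @return {@code false} as soon as one inspected string is unsafe
     */
    private boolean isSafeRequest(HttpServletRequest request) {
        if (!isSafeStr(request.getRequestURI())) {
            return false;
        }
        Enumeration<?> names = request.getParameterNames();
        while (names.hasMoreElements()) {
            String name = (String) names.nextElement();
            // getParameterValues, not getParameter: the latter yields only the
            // first value, which would leave later values of a repeated
            // parameter uninspected.
            String[] values = request.getParameterValues(name);
            if (values == null) {
                continue;
            }
            for (String value : values) {
                if (StringUtils.isNotBlank(value) && !isSafeStr(value)) {
                    return false;
                }
            }
        }
        return true;
    }

    /**
     * Determines whether a string is free of the denylisted tokens.
     *
     * @param str value to inspect; blank or null values are treated as safe
     * @return {@code true} when no token of {@link #SAFE_LESS} occurs in the
     *         lower-cased value
     */
    private boolean isSafeStr(String str) {
        if (StringUtils.isBlank(str)) {
            return true;
        }
        // Locale.ROOT keeps the comparison independent of the JVM's default
        // locale (e.g. the Turkish dotless-i rules).
        String lower = str.toLowerCase(Locale.ROOT);
        for (String token : SAFE_LESS) {
            if (lower.contains(token)) {
                return false;
            }
        }
        return true;
    }

    /** Nothing to release: the filter holds no resources beyond a String. */
    @Override
    public void destroy() {
    }

    /**
     * @return the forward target used for rejected requests
     */
    public String getErrorPath() {
        return errorPath;
    }

    /**
     * @param errorPath forward target used for rejected requests
     */
    public void setErrorPath(String errorPath) {
        this.errorPath = errorPath;
    }
}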
3: Using interceptors to intercept URLs
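<!--
  web.xml fragment registering a filter on every URL.
  Element names in the servlet deployment descriptor are case-sensitive and must
  be lower-case as written here (the listing printed them capitalised, which a
  container would reject). The filter-name value is reconstructed from the
  case-garbled listing - confirm it. Note that the referenced class,
  CharacterFilter, is not the XssCheckFilter shown above; make sure the mapping
  points at the filter that is actually meant to run, and that its position in
  web.xml places it before any filter that consumes request parameters.
-->
<filter>
    <filter-name>characterFilter</filter-name>
    <filter-class>com.tsou.comm.filter.CharacterFilter</filter-class>
</filter>
<filter-mapping>
    <filter-name>characterFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>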
Java script-injection prevention, implemented with interceptors