Java prevents script injection, implemented by interceptors

1: Using Action filtering

 PackageCom.tsou.comm.servlet;Importjava.util.Enumeration;ImportJava.util.Map;ImportJava.util.Vector;Importjavax.servlet.http.HttpServletRequest;ImportJavax.servlet.http.HttpServletRequestWrapper;/*** * <p class= "detail" > * Function: Package request handling Special characters * </p> * @ClassName: Tsrequest *@versionV1.0 * @date September 25, 2014 *@authorWangsheng*/ Public classTsrequestextendsHttpservletrequestwrapper {PrivateMAP params;  PublicTsrequest (httpservletrequest request, Map newparams) {Super(Request);  This. params =Newparams; }             PublicMap Getparametermap () {returnparams; }             PublicEnumeration Getparameternames () {Vector L=NewVector (Params.keyset ()); returnl.elements (); }             Publicstring[] Getparametervalues (String name) {Object v=params.get (name); if(v = =NULL ) {                              return NULL ; } Else if(Vinstanceofstring[]) {string[] Value=(string[]) v;  for(inti = 0; i < value.length; i++) {Value[i]= Value[i].replaceall ("<", "&lt;" ); Value[i]= Value[i].replaceall (">", "&gt;" ); }                              return(string[]) value; } Else if(VinstanceofString) {String value=(String) v; Value= Value.replaceall ("<", "&lt;" ); Value= Value.replaceall (">", "&gt;" ); return Newstring[] {(String) value}; } Else {                              return Newstring[] {v.tostring ()}; }          }             Publicstring GetParameter (string name) {Object v=params.get (name); if(v = =NULL ) {                              return NULL ; } Else if(Vinstanceofstring[]) {string[] Strarr=(string[]) v; if(Strarr.length > 0) {String value= Strarr[0]; Value= Value.replaceall ("<", "&lt;" ); Value= Value.replaceall ("<", "&gt;" ); returnvalue; } Else {                                       return NULL ; }                   } Else if(VinstanceofString) {String value=(String) v; Value= Value.replaceall ("<", "&lt;" ); Value= Value.replaceall (">", "&gt;" ); return(String) value; } Else {                              returnv.tostring (); }          }}

2: Filter with interceptors

 PackageCom.kadang.wp.mobile.wap.core.common;Importjava.io.IOException;Importjava.util.Enumeration;ImportJavax.servlet.Filter;ImportJavax.servlet.FilterChain;ImportJavax.servlet.FilterConfig;Importjavax.servlet.ServletException;Importjavax.servlet.ServletRequest;ImportJavax.servlet.ServletResponse;Importjavax.servlet.http.HttpServletRequest;ImportJavax.servlet.http.HttpServletResponse;Importorg.apache.commons.lang3.StringUtils;/*** XSS Check filter * *@authorJianghao * @date 2014-08-22 **/ Public classXsscheckfilterImplementsFilter {//JS character keywords that need to be intercepted    PrivateString Errorpath; //illegal XSS characters    Private StaticString[] safe_less = {"Set-cookie", "<", "%3c", "%3e", ">", "\ \" }; @Override Public voidInit (Filterconfig filterconfig)throwsservletexception { This. Seterrorpath (Filterconfig.getinitparameter ("Errorpath")); } @Override Public voidDoFilter (ServletRequest req, Servletresponse resp, filterchain chain)throwsIOException, servletexception {BooleanIssafe =true; Enumeration<?> params =Req.getparameternames (); HttpServletRequest Request=(httpservletrequest) req; HttpServletResponse Response=(HttpServletResponse) resp; String Requesturl=Request.getrequesturi (); if(Issafestr (Requesturl)) { while(Params.hasmoreelements ()) {String Paramkey=(String) params.nextelement (); String paramvalue=Request.getparameter (Paramkey); if(Stringutils.isnotblank (paramvalue)) {if(!issafestr (paramvalue)) {Issafe=false;  Break; }                }            }        } Else{Issafe=false; }        if(Issafe) {chain.dofilter (req, resp); } Else{Request.setattribute ("Error", "URL or params is full of illegal XSS character"); Request.getrequestdispatcher ( This. Geterrorpath ()). Forward (request, response); return; }    }    /*** Determine if the URL has illegal characters **/    Private Booleanissafestr (String str) {if(Stringutils.isnotblank (str)) { for(String s:safe_less) {if(Str.tolowercase (). Contains (s)) {return false; }            }        }        return true; } @Override Public voiddestroy () {} PublicString Geterrorpath () {returnErrorpath; }     Public voidSeterrorpath (String errorpath) { This. Errorpath =Errorpath; }}

3: Using interceptors拦截URL

<Filter>                    <Filter-name>Characterfilter</Filter-name>                     <Filter-class>Com.tsou.comm.filter.CharacterFilter</Filter-class>           </Filter>           <filter-mapping>                    <Filter-name>Characterfilter</Filter-name>                    <Url-pattern>/*</Url-pattern>           </filter-mapping>

Java prevents script injection, implemented by interceptors