1. In web.xml:
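<!-- filter-name is case-sensitive and must be spelled identically in <filter> and
     <filter-mapping>; filter-class is the fully qualified name of the class in XssFilter.java -->
<filter>
    <filter-name>xssFilter</filter-name>
    <filter-class>com.xxx.web.filter.XssFilter</filter-class>
</filter>
<filter-mapping>
    <filter-name>xssFilter</filter-name>
    <!-- every request path goes through the filter -->
    <url-pattern>/*</url-pattern>
</filter-mapping>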
2. XssFilter.java:
package com.xxx.web.filter;

import java.io.IOException;
import java.util.Objects;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;

import org.apache.commons.lang.StringEscapeUtils;
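/**
 * Servlet filter that wraps every HTTP request in {@link XssHttpServletRequestWrapper}
 * so that parameter values read further down the chain are HTML-escaped.
 */
public class XssFilter implements Filter {

    /** Stored by {@link #init(FilterConfig)} and cleared by {@link #destroy()}; not read elsewhere. */
    private FilterConfig filterConfig;

    /**
     * Stores the container-supplied configuration.
     *
     * @param config the filter configuration passed by the container
     * @throws ServletException declared for API compatibility; not thrown here
     */
    @Override
    public void init(FilterConfig config) throws ServletException {
        // the original assigned the field to itself, so the config was never kept
        this.filterConfig = Objects.requireNonNull(config, "config");
    }

    /**
     * Wraps HTTP requests so that parameter reads are escaped, then continues the chain.
     * A request that is not an {@link HttpServletRequest} is passed through unchanged
     * rather than failing with a ClassCastException on the cast.
     *
     * @param request  the incoming request
     * @param response the outgoing response (not touched here)
     * @param chain    the rest of the filter chain
     * @throws IOException      propagated from the chain
     * @throws ServletException propagated from the chain
     */
    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        ServletRequest wrapped = request;
        if (request instanceof HttpServletRequest) {
            wrapped = new XssHttpServletRequestWrapper((HttpServletRequest) request);
        }
        chain.doFilter(wrapped, response);
    }

    /** Releases the stored configuration. */
    @Override
    public void destroy() {
        this.filterConfig = null;
    }
}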
3. XssHttpServletRequestWrapper.java:
In some cases user data cannot be filtered strictly, so the markup characters also have to be converted into HTML entities, as follows:
Less-than character (<): &lt;
Greater-than character (>): &gt;
Ampersand character (&): &amp;
Double-quote character ("): &quot;
Space character ( ): (encoded form not shown)
Any ASCII code character whose code is greater than or equal to 0x80: &#<number>, where <number> is the character's code. For example, if the user submits `<script>window.location.href="http://www.baidu.com";</script>`, what is finally stored after saving is `&lt;script&gt;window.location.href=&quot;http://www.baidu.com&quot;;&lt;/script&gt;`. The browser displays these entities as text instead of interpreting them as executable code.
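package com.xxx.web.filter;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;

/**
 * Request wrapper that HTML-escapes parameter values as they are read.
 *
 * <p>Only {@link #getParameter(String)} and {@link #getParameterValues(String)} are
 * overridden. {@code getParameterMap()}, headers, the query string and the request body
 * are served by the inherited implementations and therefore come back unescaped; code that
 * reads parameters through those paths gets the raw value.
 *
 * <p>Escaping at input time is context-blind: the value is HTML-encoded even when it is
 * later used as JSON or SQL rather than HTML, so callers that need the original text (for
 * example a JSON payload) have to undo the encoding themselves.
 */
public class XssHttpServletRequestWrapper extends HttpServletRequestWrapper {

    /**
     * @param request the request to wrap
     */
    public XssHttpServletRequestWrapper(HttpServletRequest request) {
        super(request);
    }

    /**
     * Returns every value of {@code parameter}, each HTML-escaped.
     *
     * @param parameter the parameter name
     * @return the escaped values, or {@code null} when the request has no such parameter
     */
    @Override
    public String[] getParameterValues(String parameter) {
        String[] values = super.getParameterValues(parameter);
        if (values == null) {
            return null;
        }
        String[] encodedValues = new String[values.length];
        for (int i = 0; i < values.length; i++) {
            encodedValues[i] = escapeHtml(values[i]);
        }
        return encodedValues;
    }

    /**
     * Returns the HTML-escaped value of {@code parameter}.
     *
     * @param parameter the parameter name
     * @return the escaped value, or {@code null} when the request has no such parameter
     */
    @Override
    public String getParameter(String parameter) {
        String value = super.getParameter(parameter);
        if (value == null) {
            return null;
        }
        return escapeHtml(value);
    }

    /**
     * Replacement for {@code StringEscapeUtils.escapeHtml()} that leaves non-ASCII text
     * (e.g. Chinese) untouched: only the characters that carry meaning in HTML markup and
     * attribute values are replaced with entities.
     *
     * <p>Line feed (10) and carriage return (13) are dropped, as in the original version of
     * this method; note that this strips line breaks from multi-line input such as textarea
     * content.
     *
     * @param s the raw value; {@code null} is treated as empty
     * @return the escaped text, never {@code null}
     */
    private String escapeHtml(String s) {
        if (s == null || s.isEmpty()) {
            return "";
        }
        StringBuilder sb = new StringBuilder(s.length());
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '>':
                    sb.append("&gt;");
                    break;
                case '<':
                    sb.append("&lt;");
                    break;
                case '"':
                    sb.append("&quot;");
                    break;
                // a single quote terminates a single-quoted attribute value; the original
                // table did not cover it, so values placed in such attributes were not safe
                case '\'':
                    sb.append("&#39;");
                    break;
                case '&':
                    sb.append("&amp;");
                    break;
                case 10:
                case 13:
                    break;
                default:
                    sb.append(c);
                    break;
            }
        }
        return sb.toString();
    }
}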
4. Why StringEscapeUtils.escapeHtml() is rewritten above: when the data sent from the front end to the back end contains Chinese, StringEscapeUtils.escapeHtml(value) transcodes the Chinese characters as well, which is not what we want, so the method has to be overridden.
5. If the parameter passed from the front end is a JSON string, the back end has to handle the escaped double quotes specially, for example:
Front:
var arrChoosed = [{"id": parseInt('10'), 'name': 'Jiansan'}, {...}];
The Ajax call sends it to the back end as `data: {'params': JSON.stringify(arrChoosed), ...}`.
Back end:
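// Undo the wrapper's quote encoding before parsing: the value was HTML-escaped on the way
// in, so the JSON text now contains &quot; wherever the client sent a double quote.
// Only &quot; is reversed here; < > & inside JSON string values stay encoded.
// String.replace is a literal replacement; replaceAll would treat the pattern as a regex.
String parameter = request.getParameter("params").replace("&quot;", "\"");
ObjectMapper mapper = new ObjectMapper();
// NOTE: List.class is a raw type, so the element maps are not type-checked by readValue.
List<Map<String, Object>> paramList = mapper.readValue(parameter, List.class);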
6. For parameters obtained in Spring MVC through @RequestParam, it is the getParameterValues() method from step 3 that is used.