Examples are as follows:
Xssfilter.java
public void Dofilter (ServletRequest servletrequest, Servletresponse servletresponse, Filterchain FilterChain) throw
S IOException, servletexception {//flag = True for URL validation only; flag = False to validate all fields;
Boolean flag = true;
if (flag) {//XSS httpservletrequest httpservletrequest = (httpservletrequest) servletrequest for URL only;
HttpServletResponse HttpServletResponse = (httpservletresponse) servletresponse;
String RequestUri = Httpservletrequest.getrequesturl (). toString ();
RequestUri = Urldecoder.decode (RequestUri, "UTF-8"); if (Requesturi!=null&&requesturi.indexof ("alipay_hotel_book_return.html")!=-1) {Filterchain.doFilter (
ServletRequest, Servletresponse);
Return } if (Requesturi!=null&&requesturi.indexof ("account_bank_return.html")!=-1) {Filterchain.dofilter (
ServletRequest, Servletresponse);
Return } if (Requesturi!=null&&requesturi.indexof ("/alipay/activity.html")!=-1) {Filterchain.dofilter ( ServletrequeSt, Servletresponse);
return; } if (Requesturi!=null&&requesturi.indexof ("/alipaylogin.html")!=-1) {Filterchain.dofilter (servletrequest
, servletresponse);
return;
Requestwrapper rw = new Requestwrapper (httpservletrequest);
String param = httpservletrequest.getquerystring (); if (! "".
Equals (param) && param!= null) {param = Urldecoder.decode (param, "UTF-8");
String Originalurl = RequestUri + param;
String sqlparam = param; Add SQL injection judgment if (Requesturi.endswith ("/askquestion.html") | | | requesturi.endswith ("/member/answer.html")) {Sqlparam
= Rw.cleansqlinject (param);
String Xssparam = RW.CLEANXSS (Sqlparam); RequestUri + = "?"
+xssparam;
if (!xssparam.equals (param)) {System.out.println ("RequestUri::::," +requesturi);
Httpservletresponse.sendredirect (RequestUri);
System.out.println ("no entered."); Filterchain.dofilter (New Requestwrapper (HttpServletRequest) servletrequest), servletresponse);
return;
} filterchain.dofilter (ServletRequest, servletresponse); }else{//checksum of everything in the request, including form.
This feature check is relatively easy to mask the form of normal input, use this feature please note.
Filterchain.dofilter (New Requestwrapper (HttpServletRequest) servletrequest), servletresponse);
} requestmapping:public Requestwrapper () {super (NULL);
Public Requestwrapper (HttpServletRequest httpservletrequest) {super (httpservletrequest);
Public string[] Getparametervalues (string s) {string str[] = Super.getparametervalues (s);
if (str = null) {return null;
int i = str.length;
String as1[] = new String[i];
for (int j = 0; J < i; J +) {As1[j] = CLEANXSS (Cleansqlinject (STR[J)));
return AS1;
public string GetParameter (string s) {string S1 = Super.getparameter (s);
if (S1 = = null) {return null;
else {return CLEANXSS (Cleansqlinject (S1));
} public string GetHeader (string s) {string S1 = Super.getheader (s);
if (S1 = = null) { return null;
else {return CLEANXSS (Cleansqlinject (S1));
} public string Cleanxss (string src) {string temp =src;
System.out.println ("XSS---temp-->" +src);
src = Src.replaceall ("<", "<"). ReplaceAll (">", ">");
if (Src.indexof ("address") ==-1)//{src = src.replaceall ("\", "("). ReplaceAll ("\)", ")");
src = src.replaceall ("'", "'");
Pattern Pattern=pattern.compile ("(eval\\ (. *) \) |script)", pattern.case_insensitive);
Matcher matcher=pattern.matcher (SRC);
src = Matcher.replaceall ("");
Pattern=pattern.compile ("[\\\" \][\\s]*javascript: (. *) [\\\ "\]", pattern.case_insensitive);
Matcher=pattern.matcher (SRC);
src = matcher.replaceall ("\" \ ""); Add script src = src.replaceall ("Script", ""). ReplaceAll (";", ""). ReplaceAll ("\", ""). ReplaceAll ("@", ""). Repla
Ceall ("0x0d", ""). ReplaceAll ("0x0a", ""). ReplaceAll (",", ""); if (!temp.equals (src)) {System.out.println ("Input information exists XSS attack!") ");
SYSTEM.OUT.PRINTLN ("Raw input information-->" +temp);
SYSTEM.OUT.PRINTLN ("--> Information after processing" +SRC);
} return src;
//need to increase the wildcard, filter case combination public string cleansqlinject (string src) {string temp =src;
src = Src.replaceall ("Insert", "Forbidi"). ReplaceAll ("Select", "forbids"). ReplaceAll ("Update", "Forbidu")
. ReplaceAll ("delete", "Forbidd"). ReplaceAll ("and", "Forbida"). ReplaceAll ("or", "Forbido"); if (!temp.equals (src)) {System.out.println ("Input information exists SQL Attack!")
");
SYSTEM.OUT.PRINTLN ("Raw input information-->" +temp);
SYSTEM.OUT.PRINTLN ("--> Information after processing" +SRC);
} return src; }
XML configuration:
<filter>
<filter-name>XssFilter</filter-name>
<filter-class> cn.com.jsoft.xss.xssfilter</filter-class>
<init-param>
<param-name>encoding</ param-name>
<param-value>UTF-8</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>XssFilter</filter-name>
<url-pattern>/* </url-pattern>
</filter-mapping>
The above code only the special SQL characters, special script script character processing, the specific page processing also need background processing!!
About this Java filter filter anti-SQL injection implementation code is a small series to share all the content, hope to give you a reference, but also hope that we support the cloud habitat community.