Today the system was scanned with the IBM Security Vulnerability Scanning Tool, which reported a number of vulnerabilities; the following filter is primarily meant to address the prevention of SQL injection and XSS attacks.
One part is the filter, which is responsible for wrapping the incoming request.
The other part is the request wrapper, which is responsible for filtering out illegal characters.
After this filter is configured, the world is finally much cleaner.
The code is as follows:
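import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;

/**
 * {@code XssFilter} wraps each incoming HTTP request in an
 * {@link XssHttpServletRequestWrapper} so that code further down the chain
 * that reads parameters or headers through the wrapper sees the encoded values.
 *
 * <p>Only {@link HttpServletRequest} instances are wrapped. Any other kind of
 * {@link ServletRequest} is passed down the chain unchanged rather than
 * failing with a {@code ClassCastException}.
 *
 * @author Administrator
 */
public class XssFilter implements Filter {

    /**
     * No per-filter configuration is needed. The method is declared explicitly
     * so the class also compiles against Servlet API versions in which
     * {@code init}/{@code destroy} are abstract rather than default methods.
     */
    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
        // nothing to configure
    }

    /*
     * (non-Javadoc)
     * @see javax.servlet.Filter#doFilter(javax.servlet.ServletRequest, javax.servlet.ServletResponse, javax.servlet.FilterChain)
     */
    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain filterChain)
            throws IOException, ServletException {
        ServletRequest wrapped = request;
        // Only HTTP requests can be wrapped; anything else goes through untouched
        // instead of blowing up on an unchecked cast.
        if (request instanceof HttpServletRequest) {
            wrapped = new XssHttpServletRequestWrapper((HttpServletRequest) request);
        }
        filterChain.doFilter(wrapped, response);
    }

    @Override
    public void destroy() {
        // no resources to release
    }
}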
Wrapper:
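/**
 * {@code XssHttpServletRequestWrapper} replaces a small set of half-width
 * characters that commonly appear in XSS and SQL injection payloads with
 * full-width look-alikes, for parameter names, parameter values and header
 * values read through this wrapper.
 *
 * <p>This is a coarse, defence-in-depth measure only: it alters the data the
 * application sees, and it is not a substitute for parameterised SQL or
 * context-aware output encoding. Values read through
 * {@code getParameterMap()}, {@code getParameterNames()},
 * {@code getHeaders(String)} or {@code getHeaderNames()} are not covered, as
 * those methods are not overridden here.
 *
 * @author Administrator
 */
public class XssHttpServletRequestWrapper extends HttpServletRequestWrapper {

    /** The request exactly as received from the container, before wrapping. */
    private final HttpServletRequest orgRequest;

    public XssHttpServletRequestWrapper(HttpServletRequest request) {
        super(request);
        orgRequest = request;
    }

    /**
     * Overrides {@code getParameter} so that both the parameter name and the
     * returned value are XSS-encoded. Use {@code super.getParameter(name)} to
     * read the original value.
     */
    @Override
    public String getParameter(String name) {
        // xssEncode passes null through, so a missing parameter stays null.
        return xssEncode(super.getParameter(xssEncode(name)));
    }

    /**
     * Overrides {@code getParameterValues} so that multi-valued parameters are
     * encoded the same way as single values. Frameworks that bind request data
     * frequently read through this method rather than {@code getParameter}, so
     * leaving it unwrapped would bypass the encoding entirely.
     */
    @Override
    public String[] getParameterValues(String name) {
        String[] values = super.getParameterValues(xssEncode(name));
        if (values == null) {
            return null;
        }
        String[] encoded = new String[values.length];
        for (int i = 0; i < values.length; i++) {
            encoded[i] = xssEncode(values[i]);
        }
        return encoded;
    }

    /**
     * Overrides {@code getHeader} so that both the header name and the
     * returned value are XSS-encoded. Use {@code super.getHeader(name)} to
     * read the original value.
     */
    @Override
    public String getHeader(String name) {
        return xssEncode(super.getHeader(xssEncode(name)));
    }

    /**
     * Replaces half-width characters that enable XSS with their full-width
     * counterparts. {@code null} and the empty string are returned unchanged.
     *
     * @param s the text to encode, may be {@code null}
     * @return the encoded text, or {@code s} itself when it is {@code null} or empty
     */
    private static String xssEncode(String s) {
        if (s == null || s.isEmpty()) {
            return s;
        }
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            // Unicode escapes are used for the replacements so the mapping is
            // unambiguous regardless of the source file's encoding.
            switch (c) {
                case '>':
                    sb.append('\uFF1E'); // full-width greater-than sign
                    break;
                case '<':
                    sb.append('\uFF1C'); // full-width less-than sign
                    break;
                case '\'':
                    sb.append('\u2018'); // left single quotation mark
                    break;
                case '\"':
                    sb.append('\u201C'); // left double quotation mark
                    break;
                case '&':
                    sb.append('\uFF06'); // full-width ampersand
                    break;
                case '\\':
                    sb.append('\uFF3C'); // full-width backslash
                    break;
                case '#':
                    sb.append('\uFF03'); // full-width number sign
                    break;
                default:
                    sb.append(c);
                    break;
            }
        }
        return sb.toString();
    }

    /**
     * Returns the original, unwrapped request.
     *
     * @return the request as received from the container
     */
    public HttpServletRequest getOrgRequest() {
        return orgRequest;
    }

    /**
     * Static helper to obtain the original request from a possibly wrapped one.
     *
     * @param req a request that may or may not be an {@code XssHttpServletRequestWrapper}
     * @return the unwrapped request when {@code req} is this wrapper, otherwise {@code req} itself
     */
    public static HttpServletRequest getOrgRequest(HttpServletRequest req) {
        if (req instanceof XssHttpServletRequestWrapper) {
            return ((XssHttpServletRequestWrapper) req).getOrgRequest();
        }
        return req;
    }
}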
Filter to prevent SQL injection and XSS attacks