Filter Solution:
1. Add BadInputFilter.java to your own source tree:
Package com.accredit.common.badInput;
import java.io.IOException;
import java.lang.reflect.Method;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import java.util.regex.PatternSyntaxException;

import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
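/**
 * Security vulnerability filter for request parameters.
 *
 * <p>Every HTTP request passes two stages before it reaches the application:
 * <ol>
 *   <li>Each parameter name and value is checked against the configured
 *       {@code deny} and {@code allow} pattern lists; a request that fails the
 *       check is answered with HTTP 403 and the chain is not continued.</li>
 *   <li>Parameter names and values are rewritten in place, replacing quotes,
 *       angle brackets and a few JavaScript constructs with HTML entities,
 *       according to which {@code escape*} options are enabled.</li>
 * </ol>
 *
 * <p>The rewriting is a coarse, best-effort hardening layer applied to all
 * parameters alike. It does not replace context-specific output encoding or
 * parameterized SQL in the application, and a fixed set of parameter names is
 * exempted from it entirely (see {@link #filterParameters}).
 *
 * <p>Configuration is read from the filter init parameters {@code allow},
 * {@code deny}, {@code escapeQuotes}, {@code escapeAngleBrackets} and
 * {@code escapeJavaScript}.
 */
public class BadInputFilter implements Filter {

    /** Descriptive name of this implementation, including a version suffix. */
    protected static String info = BadInputFilter.class.getName() + "/1.0";

    /** Zero-length array used as the type witness for {@code toArray}. */
    private static final String[] STRING_ARRAY = new String[0];

    /** Whether double, single and back quotes are escaped. */
    protected boolean escapeQuotes = false;

    /** Whether {@code <} and {@code >} are escaped. */
    protected boolean escapeAngleBrackets = false;

    /** Whether the JavaScript constructs in {@link #javaScriptHashMap} are escaped. */
    protected boolean escapeJavaScript = false;

    /** Regex to replacement pairs for quote characters. */
    protected HashMap<String, String> quotesHashMap = new HashMap<String, String>();

    /** Regex to replacement pairs for angle brackets. */
    protected HashMap<String, String> angleBracketsHashMap = new HashMap<String, String>();

    /** Regex to replacement pairs for JavaScript constructs. */
    protected HashMap<String, String> javaScriptHashMap = new HashMap<String, String>();

    /** Comma-separated allow list as configured, or {@code null}. */
    protected String allow = null;

    /** Compiled form of {@link #allow}. */
    protected Pattern[] allows = new Pattern[0];

    /** Compiled form of {@link #deny}. */
    protected Pattern[] denies = new Pattern[0];

    /** Comma-separated deny list as configured, or {@code null}. */
    protected String deny = null;

    /** Union of the currently enabled escape tables; this is what {@link #filterParameters} applies. */
    protected HashMap<String, String> parameterEscapes = new HashMap<String, String>();

    /** Context used for logging; assigned in {@link #init}. */
    protected ServletContext servletContext;

    /** Cached {@code setLocked(boolean)} of the container's parameter map, resolved lazily. */
    protected Method setLockedMethod;

    /**
     * Populates the (regex, replacement) tables. Nothing is active until one of
     * the {@code setEscape*} setters (or {@link #init}) enables a table.
     */
    public BadInputFilter() {
        quotesHashMap.put("\"", "&quot;");
        quotesHashMap.put("'", "&#39;");
        quotesHashMap.put("`", "&#96;");

        angleBracketsHashMap.put("<", "&lt;");
        angleBracketsHashMap.put(">", "&gt;");

        // All but the last entry are case-sensitive: a differently cased spelling
        // such as "SetTimeout(" is not rewritten by these patterns.
        javaScriptHashMap.put("document(.*)\\.(.*)cookie", "document&#46;&#99;ookie");
        javaScriptHashMap.put("eval(\\s*)\\(", "eval&#40;");
        javaScriptHashMap.put("setTimeout(\\s*)\\(", "setTimeout$1&#40;");
        javaScriptHashMap.put("setInterval(\\s*)\\(", "setInterval$1&#40;");
        javaScriptHashMap.put("execScript(\\s*)\\(", "execScript$1&#40;");
        javaScriptHashMap.put("(?i)javascript(?i):", "javascript&#58;");
    }

    /** @return whether quote escaping is enabled */
    public boolean getEscapeQuotes() {
        return escapeQuotes;
    }

    /**
     * Enables or disables quote escaping, adding or removing the quote table
     * from the active escapes accordingly.
     *
     * @param escapeQuotes {@code true} to escape quotes
     */
    public void setEscapeQuotes(boolean escapeQuotes) {
        this.escapeQuotes = escapeQuotes;
        applyEscapeTable(escapeQuotes, quotesHashMap);
    }

    /** @return whether angle-bracket escaping is enabled */
    public boolean getEscapeAngleBrackets() {
        return escapeAngleBrackets;
    }

    /**
     * Enables or disables angle-bracket escaping, adding or removing the
     * angle-bracket table from the active escapes accordingly.
     *
     * @param escapeAngleBrackets {@code true} to escape {@code <} and {@code >}
     */
    public void setEscapeAngleBrackets(boolean escapeAngleBrackets) {
        this.escapeAngleBrackets = escapeAngleBrackets;
        applyEscapeTable(escapeAngleBrackets, angleBracketsHashMap);
    }

    /** @return whether JavaScript escaping is enabled */
    public boolean getEscapeJavaScript() {
        return escapeJavaScript;
    }

    /**
     * Enables or disables JavaScript escaping, adding or removing the
     * JavaScript table from the active escapes accordingly.
     *
     * @param escapeJavaScript {@code true} to escape JavaScript constructs
     */
    public void setEscapeJavaScript(boolean escapeJavaScript) {
        this.escapeJavaScript = escapeJavaScript;
        applyEscapeTable(escapeJavaScript, javaScriptHashMap);
    }

    /** @return the configured allow list, or {@code null} */
    public String getAllow() {
        return allow;
    }

    /**
     * Sets the comma-separated list of regular expressions that parameter names
     * and values must match when at least one allow pattern is configured.
     *
     * @param allow comma-separated patterns, or {@code null} to clear
     * @throws IllegalArgumentException if one of the patterns does not compile
     */
    public void setAllow(String allow) {
        this.allow = allow;
        this.allows = precalculate(allow);
        // Previously logged the deny list here by mistake.
        log("BadInputFilter: allow = " + allow);
    }

    /** @return the configured deny list, or {@code null} */
    public String getDeny() {
        return deny;
    }

    /**
     * Sets the comma-separated list of regular expressions that cause a request
     * to be rejected with 403 when any parameter name or value matches.
     *
     * @param deny comma-separated patterns, or {@code null} to clear
     * @throws IllegalArgumentException if one of the patterns does not compile
     */
    public void setDeny(String deny) {
        this.deny = deny;
        this.denies = precalculate(deny);
        log("BadInputFilter: deny = " + deny);
    }

    /**
     * Reads the init parameters {@code allow}, {@code deny},
     * {@code escapeQuotes}, {@code escapeAngleBrackets} and
     * {@code escapeJavaScript} from the filter configuration.
     *
     * @param filterConfig the container-supplied configuration
     * @throws ServletException never thrown by this implementation; declared by {@link Filter}
     */
    public void init(FilterConfig filterConfig) throws ServletException {
        this.servletContext = filterConfig.getServletContext();
        setAllow(filterConfig.getInitParameter("allow"));
        setDeny(filterConfig.getInitParameter("deny"));

        String initParam = filterConfig.getInitParameter("escapeQuotes");
        if (initParam != null) {
            setEscapeQuotes(Boolean.parseBoolean(initParam));
        }
        initParam = filterConfig.getInitParameter("escapeAngleBrackets");
        if (initParam != null) {
            setEscapeAngleBrackets(Boolean.parseBoolean(initParam));
        }
        initParam = filterConfig.getInitParameter("escapeJavaScript");
        if (initParam != null) {
            setEscapeJavaScript(Boolean.parseBoolean(initParam));
        }
        log(toString() + " initialized.");
    }

    /**
     * Applies the allow/deny check and then the escape rewriting before
     * continuing the chain. Non-HTTP requests are passed through untouched.
     *
     * @param request     the incoming request
     * @param response    the outgoing response (receives a 403 on rejection)
     * @param filterChain the rest of the chain
     * @throws IOException      if sending the error response fails
     * @throws ServletException propagated from the rest of the chain
     */
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain filterChain)
            throws IOException, ServletException {
        if (!(request instanceof HttpServletRequest) || !(response instanceof HttpServletResponse)) {
            // Nothing to inspect outside HTTP.
            filterChain.doFilter(request, response);
            return;
        }
        if (!processAllowsAndDenies(request, response)) {
            // A 403 has already been sent; the chain must not continue.
            return;
        }
        filterParameters(request);
        filterChain.doFilter(request, response);
    }

    /**
     * Checks every parameter name and every parameter value against the
     * allow/deny lists.
     *
     * @param request  the request whose parameters are inspected
     * @param response the response that receives a 403 on the first rejection
     * @return {@code true} if all names and values pass, {@code false} once one is rejected
     * @throws IOException      if sending the error response fails
     * @throws ServletException declared for callers; not thrown here
     */
    public boolean processAllowsAndDenies(ServletRequest request, ServletResponse response)
            throws IOException, ServletException {
        Map<?, ?> paramMap = request.getParameterMap();
        for (Object key : paramMap.keySet()) {
            String name = (String) key;
            if (!checkAllowsAndDenies(name, response)) {
                return false;
            }
            String[] values = request.getParameterValues(name);
            if (values == null) {
                continue;
            }
            for (String value : values) {
                if (!checkAllowsAndDenies(value, response)) {
                    return false;
                }
            }
        }
        return true;
    }

    /**
     * Checks one string against the allow/deny lists. Deny patterns take
     * precedence; when only deny patterns are configured, anything that matches
     * none of them passes; when allow patterns are configured, the string must
     * match one of them.
     *
     * @param property the parameter name or value to check ({@code null} is treated as empty)
     * @param response the response that receives a 403 on rejection
     * @return {@code true} if the string is acceptable
     * @throws IOException      if sending the error response fails
     * @throws ServletException declared for callers; not thrown here
     */
    public boolean checkAllowsAndDenies(String property, ServletResponse response)
            throws IOException, ServletException {
        if (denies.length == 0 && allows.length == 0) {
            return true;
        }
        String text = property == null ? "" : property;

        for (Pattern denyPattern : denies) {
            if (denyPattern.matcher(text).find()) {
                if (response instanceof HttpServletResponse) {
                    ((HttpServletResponse) response).sendError(HttpServletResponse.SC_FORBIDDEN);
                    return false;
                }
                // Non-HTTP response: no way to signal 403; fall through to the allow check.
            }
        }
        for (Pattern allowPattern : allows) {
            if (allowPattern.matcher(text).find()) {
                return true;
            }
        }
        if (denies.length > 0 && allows.length == 0) {
            // Deny-only configuration and nothing matched.
            return true;
        }
        // Allow patterns are configured and none matched.
        if (response instanceof HttpServletResponse) {
            ((HttpServletResponse) response).sendError(HttpServletResponse.SC_FORBIDDEN);
        }
        return false;
    }

    /**
     * Rewrites parameter names and values in the request's parameter map using
     * the active escape tables. Names are rewritten only when a pattern matches
     * the whole name; values are rewritten wherever a pattern occurs.
     *
     * <p>The container's parameter map is normally read-only once the request
     * is in flight, so it is unlocked and re-locked reflectively around the
     * rewrite; if the map offers no {@code setLocked(boolean)}, the attempt is
     * logged and name renames may fail.
     *
     * <p>Matched names and values are written to the servlet log verbatim, so
     * the log sink should be one that neutralises control characters.
     *
     * @param request the request; must be an {@link HttpServletRequest}
     */
    public void filterParameters(ServletRequest request) {
        HttpServletRequest hreq = (HttpServletRequest) request;
        @SuppressWarnings("unchecked")
        Map<String, String[]> paramMap = hreq.getParameterMap();

        if (!setLocked(paramMap, false)) {
            log("BadInputFilter: cannot filter parameters!");
        }

        for (Map.Entry<String, String> escape : parameterEscapes.entrySet()) {
            String patternString = escape.getKey();
            String replacement = escape.getValue();
            Pattern pattern = Pattern.compile(patternString);
            // Snapshot the names first: renaming a parameter mutates the map.
            String[] paramNames = paramMap.keySet().toArray(STRING_ARRAY);
            for (String name : paramNames) {
                if (isExemptParameter(name)) {
                    continue;
                }
                String[] values = hreq.getParameterValues(name);

                Matcher matcher = pattern.matcher(name);
                if (matcher.matches()) {
                    String newName = matcher.replaceAll(replacement);
                    paramMap.remove(name);
                    paramMap.put(newName, values);
                    log("Parameter name " + name + " matched pattern \"" + patternString
                            + "\". Remote addr: " + hreq.getRemoteAddr());
                }

                if (values == null) {
                    continue;
                }
                for (int j = 0; j < values.length; j++) {
                    String value = values[j];
                    matcher = pattern.matcher(value);
                    if (!matcher.find()) {
                        continue;
                    }
                    // The array is the one held by the map, so this updates the request in place.
                    values[j] = matcher.replaceAll(replacement);
                    log("Parameter \"" + name + "\"'s value \"" + value + "\" matched pattern \""
                            + patternString + "\". Remote addr: " + hreq.getRemoteAddr());
                }
            }
        }

        if (!setLocked(paramMap, true)) {
            log("BadInputFilter: cannot re-lock parameter map.");
        }
    }

    /** @return the fixed name {@code "BadInputFilter"} */
    public String toString() {
        return "BadInputFilter";
    }

    /** Nothing to release. */
    public void destroy() {
    }

    /**
     * Compiles a comma-separated list of regular expressions. Whitespace around
     * each entry is ignored and empty entries (for example from a trailing
     * comma) are skipped rather than compiled into a match-everything pattern.
     *
     * @param list the comma-separated list, or {@code null}
     * @return the compiled patterns, empty when the list is {@code null} or blank
     * @throws IllegalArgumentException if an entry is not a valid regular expression
     */
    protected Pattern[] precalculate(String list) {
        if (list == null) {
            return new Pattern[0];
        }
        String remaining = list.trim();
        if (remaining.length() < 1) {
            return new Pattern[0];
        }
        remaining = remaining + ",";

        List<Pattern> reList = new ArrayList<Pattern>();
        while (remaining.length() > 0) {
            int comma = remaining.indexOf(',');
            if (comma < 0) {
                break;
            }
            String pattern = remaining.substring(0, comma).trim();
            remaining = remaining.substring(comma + 1);
            if (pattern.length() == 0) {
                continue;
            }
            try {
                reList.add(Pattern.compile(pattern));
            } catch (PatternSyntaxException e) {
                throw new IllegalArgumentException("Syntax error in request filter pattern " + pattern, e);
            }
        }
        return reList.toArray(new Pattern[reList.size()]);
    }

    /**
     * Names of parameters that carry raw XML or SQL text consumed verbatim by
     * the application and are therefore excluded from escaping. Data arriving
     * under these names is still untrusted and must be consumed through
     * parameterized statements or a hardened XML parser downstream.
     */
    private static boolean isExemptParameter(String name) {
        // NOTE(review): names reconstructed from a garbled listing; equals() is
        // case-sensitive, so confirm the exact spelling against the application.
        return "sql".equals(name) || "paramSql".equals(name)
                || "content".equals(name) || "hightContent".equals(name);
    }

    /** Adds or removes one escape table from the active set. */
    private void applyEscapeTable(boolean enabled, Map<String, String> table) {
        if (enabled) {
            parameterEscapes.putAll(table);
        } else {
            for (String key : table.keySet()) {
                parameterEscapes.remove(key);
            }
        }
    }

    /**
     * Toggles the container-specific lock on the parameter map via reflection.
     *
     * @return {@code true} if the call succeeded, {@code false} if the map has
     *         no {@code setLocked(boolean)} or the invocation failed
     */
    private boolean setLocked(Map<?, ?> paramMap, boolean locked) {
        try {
            if (setLockedMethod == null) {
                setLockedMethod = paramMap.getClass().getMethod("setLocked", boolean.class);
            }
            setLockedMethod.invoke(paramMap, Boolean.valueOf(locked));
            return true;
        } catch (Exception e) {
            // Reflection failures (no such method, access, invocation) all mean "not lockable".
            return false;
        }
    }

    /** Logs through the servlet context when one is available (setters may run before init). */
    private void log(String message) {
        if (servletContext != null) {
            servletContext.log(message);
        }
    }
}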
2. Register the filter in web.xml:
<filter>
<filter-name>BadInputFilter</filter-name>
<filter-class>com.accredit.common.badInput.BadInputFilter</filter-class>
<init-param>
<param-name>deny</param-name>
<param-value>(?i)script</param-value>
</init-param>
<init-param>
<param-name>escapeQuotes</param-name>
<param-value>true</param-value>
</init-param>
<init-param>
<param-name>escapeJavaScript</param-name>
<param-value>true</param-value>
</init-param>
<init-param>
<param-name>escapeAngleBrackets</param-name>
<param-value>true</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>BadInputFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
Complete.