原理略解:防止夸脚本工具,主要是讲客户端请求的内容进行过滤处理
使用HttpServletRequestWrapper 包装器对请求的内容进行过滤处理
注意:maven需要导入Hutool库
XssHttpServletRequestWrapper过滤类
public class XssHttpServletRequestWrapper extends HttpServletRequestWrapper {
public XssHttpServletRequestWrapper(HttpServletRequest request) {
super(request);
}
@Override
public String getParameter(String name) {
String value = super.getParameter(name);
if (!StrUtil.hasEmpty(value)) {
// 转义字符
value = HtmlUtil.filter(value);
}
return value;
}
@Override
public String[] getParameterValues(String name) {
String[] values = super.getParameterValues(name);
if (values != null) {
for (int i = 0; i < values.length; i++) {
String value = values[i];
if (!StrUtil.hasEmpty(value)) {
// 转义字符
value = HtmlUtil.filter(value);
}
values[i] = value;
}
}
return values;
}
@Override
public Map<String, String[]> getParameterMap() {
Map<String, String[]> parameters = super.getParameterMap();
LinkedHashMap<String, String[]> map = new LinkedHashMap<>();
if (parameters != null) {
for (String key : parameters.keySet()) {
String[] values = parameters.get(key);
for (int i = 0; i < values.length; i++) {
String value = values[i];
if (!StrUtil.hasEmpty(value)) {
// 转义字符
value = HtmlUtil.filter(value);
}
values[i] = value;
}
map.put(key, values);
}
}
return map;
}
@Override
public String getHeader(String name) {
String header = super.getParameter(name);
if (!StrUtil.hasEmpty(header)) {
// 转义字符
header = HtmlUtil.filter(header);
}
return header;
}
@Override
public ServletInputStream getInputStream() throws IOException {
StringBuffer body = new StringBuffer();
ServletInputStream sis = super.getInputStream();
InputStreamReader isr = new InputStreamReader(sis, Charset.forName("UTF-8"));
BufferedReader br = new BufferedReader(isr);
String line = br.readLine();
while (line != null) {
body.append(line);
line = br.readLine();
}
br.close();
isr.close();
sis.close();
Map<String, Object> map = JSONUtil.parseObj(body.toString());
Map<String, Object> resultMap = new HashMap<>(map.size());
for (String key : map.keySet()) {
Object value = map.get(key);
if (value instanceof String) {
String val = HtmlUtil.filter(value.toString());
resultMap.put(key, val);
} else {
resultMap.put(key, value);
}
}
String str = JSONUtil.toJsonStr(resultMap);
ByteArrayInputStream arrayInputStream = new ByteArrayInputStream(str.getBytes());
return new ServletInputStream() {
@Override
public boolean isFinished() {
return false;
}
@Override
public boolean isReady() {
return false;
}
@Override
public void setReadListener(ReadListener readListener) {
}
@Override
public int read() throws IOException {
return arrayInputStream.read();
}
};
}
}
设置过滤器,这里没有使用@Bean的方式
@WebFilter(urlPatterns = "/*")
public class XssFilter implements Filter {
@Override
public void init(FilterConfig filterConfig) throws ServletException {
}
@Override
public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
HttpServletRequest request = (HttpServletRequest) servletRequest;
XssHttpServletRequestWrapper wrapper = new XssHttpServletRequestWrapper(request);
filterChain.doFilter(wrapper, servletResponse);
}
@Override
public void destroy() {
}
}
主启动类加上@ServletComponentScan让自定义过滤器生效
网友评论