web.xml添加过滤器
<!--XssFilter-->
<filter>
<filter-name>XssFilter</filter-name>
<filter-class>com.thinkgem.jeesite.test.response.XssFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>XssFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
简化代码版本
过滤器代码
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import java.io.IOException;
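public class XssFilter implements Filter {

    /**
     * Reads no configuration; the filter is stateless and the single exclusion
     * rule lives in {@link XssFilterWrapper}.
     *
     * @param filterConfig container-supplied configuration (unused)
     */
    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
        // nothing to initialise
    }

    /**
     * Wraps HTTP requests in {@link XssFilterWrapper} so that parameter values
     * read further down the chain are HTML-escaped. The response is not touched.
     *
     * <p>Requests that are not {@link HttpServletRequest} are passed through
     * unchanged rather than failing on an unconditional cast.
     *
     * @param servletRequest  the incoming request
     * @param servletResponse the outgoing response, forwarded as-is
     * @param filterChain     the remaining filter chain
     * @throws IOException      propagated from the chain
     * @throws ServletException propagated from the chain
     */
    @Override
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse,
                         FilterChain filterChain) throws IOException, ServletException {
        ServletRequest request = servletRequest;
        if (servletRequest instanceof HttpServletRequest) {
            // Only HTTP requests carry the parameter accessors the wrapper overrides.
            request = new XssFilterWrapper((HttpServletRequest) servletRequest);
        }
        filterChain.doFilter(request, servletResponse);
    }

    /** Nothing to release. */
    @Override
    public void destroy() {
    }
}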
过滤器包装器代码
import java.util.Collections;
import java.util.LinkedHashMap;
import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import org.springframework.web.util.HtmlUtils;
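/**
 * Request wrapper that HTML-escapes request parameter values on the way in.
 *
 * <p>All three parameter accessors ({@code getParameter}, {@code getParameterValues},
 * {@code getParameterMap}) apply the same rule, so code that reads the map
 * (for example framework data binding) cannot bypass the escaping. Headers,
 * cookies and the request body are not covered by this class.
 */
public class XssFilterWrapper extends HttpServletRequestWrapper {

    /**
     * Parameter whose values are handed on unescaped (matched case-insensitively).
     * Whatever consumes it receives raw input; presumably a rich-text body that is
     * sanitised elsewhere — confirm against the consuming code.
     */
    private static final String UNESCAPED_PARAMETER = "articleData.content";

    /**
     * Creates a wrapper around {@code request}.
     *
     * @param request the request whose parameter values should be escaped
     */
    public XssFilterWrapper(HttpServletRequest request) {
        super(request);
    }

    /**
     * Returns the first escaped value of the parameter, so single-value readers see
     * the same data as {@link #getParameterValues(String)}.
     *
     * @param name parameter name
     * @return the escaped first value, or {@code null} when the parameter is absent
     */
    @Override
    public String getParameter(String name) {
        String[] values = getParameterValues(name);
        return (values == null || values.length == 0) ? null : values[0];
    }

    /**
     * Returns every value of the parameter with HTML-significant characters escaped,
     * except for {@link #UNESCAPED_PARAMETER}, which is returned as received.
     *
     * @param name parameter name
     * @return escaped values, or {@code null} when the parameter is absent
     */
    @Override
    public String[] getParameterValues(String name) {
        return escapeValues(name, super.getParameterValues(name));
    }

    /**
     * Returns the full parameter map with each value array escaped by the same rule
     * as {@link #getParameterValues(String)}.
     *
     * @return an unmodifiable map of escaped parameter values
     */
    @Override
    public Map<String, String[]> getParameterMap() {
        Map<String, String[]> raw = super.getParameterMap();
        if (raw == null) {
            return null;
        }
        Map<String, String[]> escaped = new LinkedHashMap<>();
        for (Map.Entry<String, String[]> entry : raw.entrySet()) {
            escaped.put(entry.getKey(), escapeValues(entry.getKey(), entry.getValue()));
        }
        return Collections.unmodifiableMap(escaped);
    }

    /**
     * Applies {@link HtmlUtils#htmlEscape(String)} to each value unless {@code name}
     * is the excluded parameter.
     *
     * @param name   parameter name, used only for the exclusion check
     * @param values raw values, may be {@code null}
     * @return a new escaped array; the original array for the excluded parameter;
     *         {@code null} when {@code values} is {@code null}
     */
    private static String[] escapeValues(String name, String[] values) {
        if (values == null || UNESCAPED_PARAMETER.equalsIgnoreCase(name)) {
            return values;
        }
        String[] escaped = new String[values.length];
        for (int i = 0; i < values.length; i++) {
            // Spring's HtmlUtils does the escaping; no hand-rolled replacement here.
            escaped[i] = HtmlUtils.htmlEscape(values[i]);
        }
        return escaped;
    }
}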
总结:
主要是使用 Java Web 的过滤器，修改所有 request 请求参数（主要是把存在 XSS 风险的标签转义，如：<script></script>）。转义时我没有自己实现替换与转义，而是直接使用 Spring 自带的 HtmlUtils 类的 htmlEscape 方法，方便很多。