
package com.huaji.fes.filter;

import java.util.ArrayList;
import java.util.Collections;
import java.util.Enumeration;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;

import org.jsoup.Jsoup;
import org.jsoup.safety.Whitelist;

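/**
 * Request wrapper that passes parameter and header values through
 * {@code Jsoup.clean(value, Whitelist.basic())} before handing them to the application.
 *
 * <p>Scope and limits a reader should keep in mind:
 * <ul>
 *   <li>Only the accessors overridden here are sanitized. The request body read through
 *       {@code getInputStream()} / {@code getReader()} (for example JSON payloads), the query
 *       string, cookies and uploaded file names are returned unchanged.</li>
 *   <li>{@code Jsoup.clean} treats every value as an HTML fragment and returns HTML, so values
 *       that are not HTML (search terms, passwords, tokens, URLs) can come back altered, e.g.
 *       with {@code &} or {@code <} entity-encoded. Header values such as {@code User-Agent}
 *       are rewritten the same way.</li>
 *   <li>Input cleaning does not replace context-aware output encoding in the view layer; data
 *       that reaches a page through any other path still has to be encoded when rendered.</li>
 *   <li>NOTE(review): newer jsoup releases provide {@code org.jsoup.safety.Safelist} as the
 *       replacement for {@code Whitelist}; confirm against the jsoup version in use.</li>
 * </ul>
 */
public class XssHttpServletRequestWrapper extends HttpServletRequestWrapper {

  /**
   * Wraps the given request.
   *
   * @param request the original request whose values will be sanitized on read
   */
  public XssHttpServletRequestWrapper(HttpServletRequest request) {
    super(request);
  }

  /**
   * Returns the sanitized first value of a request parameter.
   *
   * @param name parameter name
   * @return the cleaned value, or {@code null} if the parameter is absent
   */
  @Override
  public String getParameter(String name) {
    return clearXss(super.getParameter(name));
  }

  /**
   * Returns the sanitized first value of a request header.
   *
   * @param name header name
   * @return the cleaned value, or {@code null} if the header is absent
   */
  @Override
  public String getHeader(String name) {
    return clearXss(super.getHeader(name));
  }

  /**
   * Returns all values of a request header, each sanitized. Overridden so that code reading
   * multi-valued headers gets the same treatment as {@link #getHeader(String)}.
   *
   * @param name header name
   * @return an enumeration over the cleaned values, or {@code null} if the container returns
   *     {@code null}
   */
  @Override
  public Enumeration<String> getHeaders(String name) {
    Enumeration<String> raw = super.getHeaders(name);
    if (raw == null) {
      return null;
    }
    List<String> cleaned = new ArrayList<String>();
    while (raw.hasMoreElements()) {
      cleaned.add(clearXss(raw.nextElement()));
    }
    return Collections.enumeration(cleaned);
  }

  /**
   * Returns all sanitized values of a request parameter.
   *
   * @param name parameter name
   * @return a new array holding the cleaned values, or {@code null} if the parameter is absent
   */
  @Override
  public String[] getParameterValues(String name) {
    return clearAll(super.getParameterValues(name));
  }

  /**
   * Returns the parameter map with every value sanitized. Without this override, code that
   * binds request data through {@code getParameterMap()} would read the raw, uncleaned values
   * and bypass the wrapper entirely.
   *
   * @return an unmodifiable map of parameter names to cleaned value arrays, or {@code null} if
   *     the container returns {@code null}
   */
  @Override
  public Map<String, String[]> getParameterMap() {
    Map<String, String[]> raw = super.getParameterMap();
    if (raw == null) {
      return null;
    }
    Map<String, String[]> cleaned = new LinkedHashMap<String, String[]>();
    for (Map.Entry<String, String[]> entry : raw.entrySet()) {
      cleaned.put(entry.getKey(), clearAll(entry.getValue()));
    }
    return Collections.unmodifiableMap(cleaned);
  }

  /**
   * Sanitizes each element of a value array into a fresh array.
   *
   * @param values raw values, may be {@code null}
   * @return a new array of cleaned values, or {@code null} when {@code values} is {@code null}
   */
  private String[] clearAll(String[] values) {
    if (values == null) {
      return null;
    }
    String[] newValues = new String[values.length];
    for (int i = 0; i < values.length; i++) {
      newValues[i] = clearXss(values[i]);
    }
    return newValues;
  }

  /**
   * Cleans a single value with jsoup's basic whitelist: markup outside that whitelist is
   * removed and the result is returned as HTML text.
   *
   * @param value raw value, may be {@code null} or empty
   * @return the cleaned value; {@code null} and empty input are returned unchanged
   */
  private String clearXss(String value) {
    if (value == null || value.isEmpty()) {
      return value;
    }
    return Jsoup.clean(value, Whitelist.basic());
  }
}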

自定义过滤器

package com.huaji.fes.filter;

import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;

import org.apache.commons.lang.StringUtils;
import org.springframework.web.multipart.MultipartHttpServletRequest;
import org.springframework.web.multipart.commons.CommonsMultipartResolver;

import com.jfinal.kit.StrKit;

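/**
 * Servlet filter that wraps every HTTP request in {@link XssHttpServletRequestWrapper} so that
 * downstream code reads sanitized parameter and header values.
 *
 * <p>Multipart (file upload) requests are parsed here first, because their form fields are not
 * available as ordinary parameters until the multipart body has been resolved. Only the form
 * fields exposed as parameters pass through the wrapper; uploaded file names and file contents
 * are not sanitized by this filter and need their own validation where they are handled.
 */
public class XssFilter implements Filter {

  private final CommonsMultipartResolver multipartResolver = new CommonsMultipartResolver();

  /** No resources to release. */
  @Override
  public void destroy() {

  }

  /**
   * Wraps the request for sanitized reads and continues the chain.
   *
   * @param request incoming request; non-HTTP requests are passed through untouched
   * @param response outgoing response, passed through unchanged
   * @param chain remaining filter chain
   * @throws IOException if the chain fails with an I/O error
   * @throws ServletException if the chain fails with a servlet error
   */
  @Override
  public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
      throws IOException, ServletException {
    // The wrapper only applies to HTTP requests; anything else is forwarded as-is instead of
    // failing with a ClassCastException.
    if (!(request instanceof HttpServletRequest)) {
      chain.doFilter(request, response);
      return;
    }

    HttpServletRequest httpRequest = (HttpServletRequest) request;
    MultipartHttpServletRequest multipartRequest = null;
    String contentType = httpRequest.getContentType();
    if (StrKit.notBlank(contentType) && contentType.contains("multipart/form-data")) {
      // File upload request: resolve it now so its form fields are visible as parameters, and
      // hand the resolved request (not the raw one) to the rest of the chain.
      multipartRequest = multipartResolver.resolveMultipart(httpRequest);
      httpRequest = multipartRequest;
    }

    try {
      chain.doFilter(new XssHttpServletRequestWrapper(httpRequest), response);
    } finally {
      // This filter resolved the multipart request, so it is also responsible for releasing
      // the temporary storage used for the uploaded parts; otherwise upload temp files
      // accumulate on disk.
      if (multipartRequest != null) {
        multipartResolver.cleanupMultipart(multipartRequest);
      }
    }
  }

  /** No initialization required. */
  @Override
  public void init(FilterConfig arg0) throws ServletException {

  }

}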

 
