package com.diboot.framework.security;

import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import java.util.regex.Pattern;

/***
 * 自定义request包装类 (custom HttpServletRequest wrapper)
 * @author [email protected]
 * @version 2017年11月25日
 *
 */
public class CustomHttpServletRequestWrapper extends HttpServletRequestWrapper {
	// SLF4J logger for this wrapper; no use of it is visible in this part of the class.
	private static final Logger logger = LoggerFactory.getLogger(CustomHttpServletRequestWrapper.class);

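	/**
	 * Deny-list of regexes that the (truncated, see below) {@code getParameterMap}
	 * override is expected to strip from parameter values.
	 *
	 * NOTE(review): on this rendering three entries are compiled from the empty
	 * string. Presumably they were tag patterns that were lost when the source was
	 * rendered as HTML -- confirm against the original file. As written,
	 * {@code Pattern.compile("")} matches at every position, so replacing its
	 * matches with "" changes nothing and those three entries filter nothing.
	 *
	 * The array reference is {@code final} so it cannot be swapped at runtime;
	 * the elements themselves remain mutable, as with any Java array. Regex
	 * stripping of input is a best-effort hardening layer only and is not a
	 * substitute for context-aware output encoding.
	 */
	private static final Pattern[] patterns = new Pattern[]{
		// Script fragments -- empty on this rendering (see note above)
		Pattern.compile("", Pattern.CASE_INSENSITIVE),
		// src='...' 暂时允许 (src='...' is allowed for now)
		//Pattern.compile("src[\r\n]*=[\r\n]*\\\'(.*?)\\\'", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL),
		//Pattern.compile("src[\r\n]*=[\r\n]*\\\"(.*?)\\\"", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL),
		// lonely script tags -- both empty on this rendering (see note above)
		Pattern.compile("", Pattern.CASE_INSENSITIVE),
		Pattern.compile("", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL),
		// eval(...)
		Pattern.compile("eval\\((.*?)\\)", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL),
		// expression(...)
		Pattern.compile("expression\\((.*?)\\)", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL),
		// javascript:...
		Pattern.compile("javascript:", Pattern.CASE_INSENSITIVE),
		// vbscript:...
		Pattern.compile("vbscript:", Pattern.CASE_INSENSITIVE),
		// onload(...)=...  (non-greedy with DOTALL: spans from "onload" to the next "=")
		Pattern.compile("onload(.*?)=", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL)
	};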

	/**
	 * The original (unwrapped) request handed to the constructor. It is kept so
	 * that the raw, un-sanitized request stays reachable through
	 * {@link #getOriginalRequest()}. Package-private and non-final as in the original.
	 */
	HttpServletRequest originalRequest = null;  
	
	/**
	 * Wraps {@code request} and remembers it so that the unsanitized original can
	 * later be retrieved through {@link #getOriginalRequest()}.
	 *
	 * @param request the request to wrap
	 */
	public CustomHttpServletRequestWrapper(HttpServletRequest request) {
		super(request);
		this.originalRequest = request;
	}
	
	/**
	 * Returns the original request exactly as received, without any of this
	 * wrapper's value sanitization applied.
	 *
	 * @return the wrapped {@link HttpServletRequest}
	 */
	public HttpServletRequest getOriginalRequest() {
		return this.originalRequest;
	}

    
    /** 
     * 覆盖getParameterMap方法,将参数值做xss转码
    @Override 
    public Map getParameterMap() {
    	Map map = super.getParameterMap();
    	if(V.notEmpty(map)){
    		for(Map.Entry entry : map.entrySet()){
    			String[] values = entry.getValue();
    			if(V.notEmpty(values)){
    				for(int i=0; i



