package com.github.yydf.struts.security;

import java.util.ArrayList;
import java.util.Collections;
import java.util.Enumeration;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.regex.Pattern;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;

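/**
 * Request wrapper that applies a blacklist-style "XSS" rewrite to parameter
 * and header values before the application reads them.
 *
 * <p>Security notes for maintainers:
 * <ul>
 *   <li>This is input filtering, not output encoding. The wrapper cannot know
 *       the context a value is later rendered in (HTML body, attribute, JS,
 *       URL), so it is at most defense in depth; views must still encode on
 *       output.</li>
 *   <li>The rewrite is lossy: the substrings {@code script}, {@code null},
 *       {@code undefined} and {@code NaN} are deleted wherever they occur, so
 *       legitimate values such as "Description" or "annulled" are mangled.</li>
 *   <li>The same rewrite is applied through every parameter/header accessor
 *       ({@code getParameter}, {@code getParameterValues},
 *       {@code getParameterMap}, {@code getHeader}, {@code getHeaders}).
 *       Frameworks that bind request data from {@code getParameterMap()} —
 *       Struts presumably does, confirm for the version in use — would
 *       otherwise bypass the filter entirely. {@code getQueryString},
 *       {@code getCookies} and the request body are not filtered.</li>
 * </ul>
 *
 * @author YYDF
 */
public class XSSHttpServletRequestWrapper extends HttpServletRequestWrapper {

	/** Literal JS-token substrings deleted from parameter values only (never from headers). */
	private static final Pattern[] PARAMETER_DROPS = {
			Pattern.compile("null"),
			Pattern.compile("undefined"),
			Pattern.compile("NaN")
	};

	/*
	 * Single-character rewrites, applied in this order. As rendered on this page
	 * each pair maps a character to itself, which makes these lines no-ops; the
	 * original class comment ("replace half-width characters with full-width
	 * ones") suggests the replacement side was full-width or entity-encoded and
	 * was normalized in transit. NOTE(review): verify against the published jar.
	 * If the parenthesis rewrite really does change the characters, EVAL_CALL
	 * below can never match afterwards, because it looks for ASCII parentheses.
	 */
	private static final Pattern[] CHAR_PATTERNS = {
			Pattern.compile("<"),
			Pattern.compile(">"),
			Pattern.compile("\\("),
			Pattern.compile("\\)"),
			Pattern.compile("'")
	};
	private static final String[] CHAR_REPLACEMENTS = { "<", ">", "(", ")", "'" };

	/** {@code eval(...)}; greedy, so it spans from the first "eval(" to the last ")" in the value. */
	private static final Pattern EVAL_CALL =
			Pattern.compile("eval\\((.*)\\)", Pattern.CASE_INSENSITIVE);

	/** A quoted {@code javascript:} URL; the whole quoted span collapses to an empty string literal. */
	private static final Pattern JAVASCRIPT_URL =
			Pattern.compile("[\\\"\\\'][\\s]*javascript:(.*)[\\\"\\\']", Pattern.CASE_INSENSITIVE);

	/** The bare word "script" in any letter case ("<SCRIPT>" is the textbook evasion of a case-sensitive match). */
	private static final Pattern SCRIPT_WORD =
			Pattern.compile("script", Pattern.CASE_INSENSITIVE);

	/**
	 * @param request the request to wrap
	 */
	public XSSHttpServletRequestWrapper(HttpServletRequest request) {
		super(request);
	}

	/**
	 * Returns the first value of the parameter, rewritten as a parameter value.
	 *
	 * @param name parameter name
	 * @return the rewritten value, or {@code null} if the parameter is absent
	 */
	@Override
	public String getParameter(String name) {
		String value = super.getParameter(name);
		if (value == null) {
			return null;
		}
		return xssEncode(value, true);
	}

	/**
	 * Returns all values of the parameter, each rewritten as a parameter value.
	 *
	 * @param name parameter name
	 * @return a fresh array of rewritten values, or {@code null} if the parameter is absent
	 */
	@Override
	public String[] getParameterValues(String name) {
		String[] values = super.getParameterValues(name);
		if (values == null) {
			return null;
		}
		return encodeAll(values);
	}

	/**
	 * Returns the parameter map with every value rewritten as a parameter value.
	 * A copy is built because the container's map is typically unmodifiable.
	 *
	 * @return an unmodifiable map of rewritten values, preserving the container's
	 *         iteration order; {@code null} only if the wrapped request returns {@code null}
	 */
	@Override
	public Map<String, String[]> getParameterMap() {
		Map<String, String[]> raw = super.getParameterMap();
		if (raw == null) {
			return null;
		}
		Map<String, String[]> filtered = new LinkedHashMap<String, String[]>(raw.size());
		for (Map.Entry<String, String[]> entry : raw.entrySet()) {
			String[] values = entry.getValue();
			filtered.put(entry.getKey(), values == null ? null : encodeAll(values));
		}
		return Collections.unmodifiableMap(filtered);
	}

	/**
	 * Returns the header value rewritten as a header value (the
	 * {@code null}/{@code undefined}/{@code NaN} token removal is not applied).
	 *
	 * @param name header name
	 * @return the rewritten value, or {@code null} if the header is absent
	 */
	@Override
	public String getHeader(String name) {
		String value = super.getHeader(name);
		if (value == null) {
			return null;
		}
		return xssEncode(value, false);
	}

	/**
	 * Returns all values of the header, each rewritten as a header value.
	 *
	 * @param name header name
	 * @return an enumeration of rewritten values; {@code null} only if the wrapped
	 *         request returns {@code null} (the servlet API permits that)
	 */
	@Override
	public Enumeration<String> getHeaders(String name) {
		Enumeration<String> raw = super.getHeaders(name);
		if (raw == null) {
			return null;
		}
		List<String> encoded = new ArrayList<String>();
		while (raw.hasMoreElements()) {
			String value = raw.nextElement();
			encoded.add(value == null ? null : xssEncode(value, false));
		}
		return Collections.enumeration(encoded);
	}

	/** Rewrites every element of {@code values} as a parameter value into a new array. */
	private static String[] encodeAll(String[] values) {
		String[] out = new String[values.length];
		for (int i = 0; i < values.length; i++) {
			out[i] = values[i] == null ? null : xssEncode(values[i], true);
		}
		return out;
	}

	/**
	 * Applies the blacklist rewrite to one value.
	 *
	 * @param s         the raw value; {@code null} and "" are returned unchanged
	 * @param parameter {@code true} for parameter values, which additionally lose
	 *                  the {@code null}/{@code undefined}/{@code NaN} tokens;
	 *                  {@code false} for header values
	 * @return the rewritten value
	 */
	private static String xssEncode(String s, boolean parameter) {
		if (s == null || s.isEmpty()) {
			return s;
		}
		String value = s;
		if (parameter) {
			for (Pattern drop : PARAMETER_DROPS) {
				value = deleteAll(drop, value);
			}
		}
		for (int i = 0; i < CHAR_PATTERNS.length; i++) {
			value = CHAR_PATTERNS[i].matcher(value).replaceAll(CHAR_REPLACEMENTS[i]);
		}
		value = deleteAll(EVAL_CALL, value);
		value = JAVASCRIPT_URL.matcher(value).replaceAll("\"\"");
		value = deleteAll(SCRIPT_WORD, value);
		return value;
	}

	/**
	 * Deletes every match of {@code pattern} and repeats until nothing changes, so
	 * that removing one match cannot splice a new one together (a single pass
	 * would turn "scscriptript" into "script" and let it through). Terminates
	 * because each pass either strictly shortens the string or leaves it as is.
	 */
	private static String deleteAll(Pattern pattern, String value) {
		String previous;
		String current = value;
		do {
			previous = current;
			current = pattern.matcher(current).replaceAll("");
		} while (!current.equals(previous));
		return current;
	}
}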



