A simple, light Java WEB + ORM framework.
package com.github.yydf.struts.security;
import java.util.Collections;
import java.util.LinkedHashMap;
import java.util.Map;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
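/**
 * Request wrapper that rewrites a handful of XSS-prone characters and tokens in
 * request parameters and headers before the application reads them.
 *
 * <p>The filtering is a fixed blacklist applied to each value: the half-width
 * characters {@code < > ( ) '} are swapped for their full-width forms, and the
 * substrings {@code eval(...)}, a quoted {@code javascript:} URL and
 * {@code script} are removed (request parameters additionally lose the
 * substrings {@code null}, {@code undefined} and {@code NaN}). The patterns are
 * case-sensitive and the substring removals also hit ordinary words such as
 * {@code description}, so this wrapper is defense in depth only; contextual
 * output encoding at the point of rendering remains the reliable XSS control.
 *
 * <p>Parameters are filtered through {@link #getParameter},
 * {@link #getParameterValues} and {@link #getParameterMap}; headers only through
 * {@link #getHeader}. Every other accessor ({@code getHeaders},
 * {@code getQueryString}, the request body, ...) is passed through unchanged.
 *
 * @author YYDF
 */
public class XSSHttpServletRequestWrapper extends HttpServletRequestWrapper {

    /** Full-width replacements for the half-width characters the filter rewrites. */
    private static final String FULLWIDTH_LT = "\uFF1C";
    private static final String FULLWIDTH_GT = "\uFF1E";
    private static final String FULLWIDTH_LPAREN = "\uFF08";
    private static final String FULLWIDTH_RPAREN = "\uFF09";
    private static final String FULLWIDTH_APOS = "\uFF07";

    /**
     * Wraps the given request.
     *
     * @param request the request whose parameters and headers are to be filtered
     */
    public XSSHttpServletRequestWrapper(HttpServletRequest request) {
        super(request);
    }

    /**
     * Returns the filtered value of a request parameter.
     *
     * @param name parameter name
     * @return the filtered value, or {@code null} if the parameter is absent
     */
    @Override
    public String getParameter(String name) {
        // xssEncode returns null unchanged, so no separate null branch is needed.
        return xssEncode(super.getParameter(name), true);
    }

    /**
     * Returns the filtered values of a multi-valued request parameter.
     *
     * <p>Without this override a caller reading parameters through
     * {@code getParameterValues} would bypass the filtering done in
     * {@link #getParameter}.
     *
     * @param name parameter name
     * @return a new array of filtered values, or {@code null} if the parameter is absent
     */
    @Override
    public String[] getParameterValues(String name) {
        return encodeAll(super.getParameterValues(name));
    }

    /**
     * Returns an unmodifiable copy of the parameter map with every value filtered.
     *
     * <p>Frameworks that bind request data from the whole map rather than by
     * name would otherwise see the raw values.
     *
     * @return a filtered, unmodifiable copy of the wrapped request's parameter map
     */
    @Override
    public Map<String, String[]> getParameterMap() {
        Map<String, String[]> raw = super.getParameterMap();
        if (raw == null) {
            return null;
        }
        Map<String, String[]> filtered = new LinkedHashMap<>(raw.size());
        for (Map.Entry<String, String[]> entry : raw.entrySet()) {
            filtered.put(entry.getKey(), encodeAll(entry.getValue()));
        }
        return Collections.unmodifiableMap(filtered);
    }

    /**
     * Returns the filtered value of a request header.
     *
     * @param name header name
     * @return the filtered value, or {@code null} if the header is absent
     */
    @Override
    public String getHeader(String name) {
        return xssEncode(super.getHeader(name), false);
    }

    /**
     * Applies {@link #xssEncode} in parameter mode to every element of an array.
     *
     * @param values raw parameter values, may be {@code null}
     * @return a new array of filtered values, or {@code null} if {@code values} is {@code null}
     */
    private static String[] encodeAll(String[] values) {
        if (values == null) {
            return null;
        }
        String[] out = new String[values.length];
        for (int i = 0; i < values.length; i++) {
            out[i] = xssEncode(values[i], true);
        }
        return out;
    }

    /**
     * Replaces the half-width characters that commonly enable XSS with their
     * full-width equivalents and strips a few script-like tokens.
     *
     * @param s the raw value; {@code null} and {@code ""} are returned as-is
     * @param parameter {@code true} for request parameters, which additionally
     *        lose the substrings {@code null}, {@code undefined} and {@code NaN}
     * @return the filtered value
     */
    private static String xssEncode(String s, boolean parameter) {
        if (s == null || s.isEmpty()) {
            return s;
        }
        if (parameter) {
            // Substring removal, not a whole-value match: "annulled" becomes "aed".
            s = s.replaceAll("null", "");
            s = s.replaceAll("undefined", "");
            s = s.replaceAll("NaN", "");
        }
        // The token rules must run before the character substitution below:
        // once "(" and "'" have been turned into full-width forms, the eval(...)
        // and quoted javascript: patterns can no longer match anything.
        // All three are case-sensitive and also hit ordinary words ("description").
        s = s.replaceAll("eval\\((.*)\\)", "");
        s = s.replaceAll("[\\\"\\\'][\\s]*javascript:(.*)[\\\"\\\']", "\"\"");
        s = s.replaceAll("script", "");
        // Literal (non-regex) replacement of half-width characters by their
        // full-width forms, so the text still reads the same but cannot open a
        // tag, a call or a string in downstream HTML/JS.
        s = s.replace("<", FULLWIDTH_LT);
        s = s.replace(">", FULLWIDTH_GT);
        s = s.replace("(", FULLWIDTH_LPAREN);
        s = s.replace(")", FULLWIDTH_RPAREN);
        s = s.replace("'", FULLWIDTH_APOS);
        return s;
    }
}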