|
|
|
|
@ -0,0 +1,89 @@
|
|
|
|
|
package filter;
|
|
|
|
|
import java.util.regex.Matcher;
|
|
|
|
|
import java.util.regex.Pattern;
|
|
|
|
|
import java.io.IOException;
|
|
|
|
|
import javax.servlet.Filter;
|
|
|
|
|
import javax.servlet.FilterChain;
|
|
|
|
|
import javax.servlet.ServletException;
|
|
|
|
|
import javax.servlet.ServletRequest;
|
|
|
|
|
import javax.servlet.ServletResponse;
|
|
|
|
|
import javax.servlet.http.HttpServletRequest;
|
|
|
|
|
import javax.servlet.http.HttpServletRequestWrapper;
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
public class XSSFilter implements Filter {
|
|
|
|
|
public String filter(String htmlStr){
|
|
|
|
|
if(htmlStr == null) {
|
|
|
|
|
return null;
|
|
|
|
|
}
|
|
|
|
|
String regEx_script = "<script[^>]*?>[\\s\\S]*?<\\/script>"; // 定义script的正则表达式
|
|
|
|
|
String regEx_style = "<style[^>]*?>[\\s\\S]*?<\\/style>"; // 定义style的正则表达式
|
|
|
|
|
String regEx_html = "<[^>]+>"; // 定义HTML标签的正则表达式
|
|
|
|
|
|
|
|
|
|
Pattern p_script = Pattern.compile(regEx_script,Pattern.CASE_INSENSITIVE);
|
|
|
|
|
Matcher m_script = p_script.matcher(htmlStr);
|
|
|
|
|
htmlStr=m_script.replaceAll(""); // 过滤script标签
|
|
|
|
|
|
|
|
|
|
Pattern p_style=Pattern.compile(regEx_style,Pattern.CASE_INSENSITIVE);
|
|
|
|
|
Matcher m_style=p_style.matcher(htmlStr);
|
|
|
|
|
htmlStr=m_style.replaceAll(""); // 过滤style标签
|
|
|
|
|
|
|
|
|
|
Pattern p_html=Pattern.compile(regEx_html,Pattern.CASE_INSENSITIVE);
|
|
|
|
|
Matcher m_html=p_html.matcher(htmlStr);
|
|
|
|
|
htmlStr=m_html.replaceAll(""); // 过滤html标签
|
|
|
|
|
|
|
|
|
|
return htmlStr.trim(); // 返回文本字符串
|
|
|
|
|
}
|
|
|
|
|
/**
|
|
|
|
|
* 一般使用ServletRequest对象获取表单提交的数据,
|
|
|
|
|
* (主要通过 getParameter() 和 getParameterValues()
|
|
|
|
|
* 方法获取),再此创建内部类Request,重写getParameter()
|
|
|
|
|
* 和 getParameterValues(),并在重写的两个方法中实现过滤
|
|
|
|
|
*/
|
|
|
|
|
|
|
|
|
|
class Request extends HttpServletRequestWrapper{// HttpServletRequest //Wrapper是servletRequest的实现类
|
|
|
|
|
|
|
|
|
|
public Request(HttpServletRequest request) {
|
|
|
|
|
super(request);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
@Override
|
|
|
|
|
public String getParameter(String name) {
|
|
|
|
|
// 返回过滤后的参数值
|
|
|
|
|
return filter(super.getRequest().getParameter(name));
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
@Override
|
|
|
|
|
public String[] getParameterValues(String name) {
|
|
|
|
|
// 获取所有参数值
|
|
|
|
|
String[] values = super.getRequest().getParameterValues(name);
|
|
|
|
|
// 通过循环对所有参数进行进行过滤
|
|
|
|
|
for(int i=0;i<values.length;i++){
|
|
|
|
|
values[i] = filter(values[i]);
|
|
|
|
|
}
|
|
|
|
|
return values;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* @see Filter#doFilter(ServletRequest, ServletResponse, FilterChain)
|
|
|
|
|
*/
|
|
|
|
|
public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
|
|
|
|
|
/*if(encoding != null){
|
|
|
|
|
request.setCharacterEncoding(encoding);
|
|
|
|
|
//将request替换为重写后的request
|
|
|
|
|
request = new Request((HttpServletRequest) request);
|
|
|
|
|
response.setContentType("text/html; charset = "+encoding);
|
|
|
|
|
}*/
|
|
|
|
|
request = new Request((HttpServletRequest) request);
|
|
|
|
|
chain.doFilter(request, response);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* @see Filter#destroy()
|
|
|
|
|
*/
|
|
|
|
|
public void destroy() {
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
}
|
Gitee