From d69ad096447492fba4ba9739fedca5f2b8e8fcd1 Mon Sep 17 00:00:00 2001
From: you <284908631@qq.com>
Date: Sat, 13 Feb 2021 11:56:31 +0800
Subject: [PATCH] =?UTF-8?q?=E6=B7=BB=E5=8A=A0xss=E8=BF=87=E6=BB=A4?=
 =?UTF-8?q?=EF=BC=8C=E5=88=AB=E5=86=8D=E5=86=B2=E4=BA=86=E5=88=AB=E5=86=8D?=
 =?UTF-8?q?=E5=86=B2=E4=BA=86=EF=BC=8C=E4=B8=8D=E6=83=B3CV?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 WebContent/WEB-INF/web.xml | 20 +++++++++
 src/filter/XSSFilter.java  | 89 ++++++++++++++++++++++++++++++++++++++
 2 files changed, 109 insertions(+)
 create mode 100644 src/filter/XSSFilter.java

diff --git a/WebContent/WEB-INF/web.xml b/WebContent/WEB-INF/web.xml
index 1bb65db..a9ad8ea 100644
--- a/WebContent/WEB-INF/web.xml
+++ b/WebContent/WEB-INF/web.xml
@@ -1,5 +1,17 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://java.sun.com/xml/ns/javaee" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd" version="3.0">
+  <servlet>
+  	<servlet-name>default</servlet-name>
+  	<servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
+  	<init-param>
+  		<param-name>debug</param-name>
+  		<param-value>0</param-value>
+  	</init-param>
+  	<init-param>
+  		<param-name>listings</param-name>
+  		<param-value>true</param-value>
+  	</init-param>
+  </servlet>
   <filter>
     <filter-name>CharacterEncodingFilter</filter-name>
     <filter-class>filter.CharacterEncodingFilter</filter-class>
@@ -8,6 +20,14 @@
     <filter-name>CharacterEncodingFilter</filter-name>
     <url-pattern>/*</url-pattern>
   </filter-mapping>
+  <filter>
+    <filter-name>XSSFilter</filter-name>
+    <filter-class>filter.XSSFilter</filter-class>
+  </filter>
+  <filter-mapping>
+    <filter-name>XSSFilter</filter-name>
+    <url-pattern>/*</url-pattern>
+  </filter-mapping>
   <filter>
     <filter-name>AdminFilter</filter-name>
     <filter-class>filter.AdminFilter</filter-class>
diff --git a/src/filter/XSSFilter.java b/src/filter/XSSFilter.java
new file mode 100644
index 0000000..1a5f5a2
--- /dev/null
+++ b/src/filter/XSSFilter.java
@@ -0,0 +1,89 @@
+package filter;
+import java.util.regex.Matcher; 
+import java.util.regex.Pattern;
+import java.io.IOException;
+import javax.servlet.Filter;
+import javax.servlet.FilterChain;
+import javax.servlet.ServletException;
+import javax.servlet.ServletRequest;
+import javax.servlet.ServletResponse;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletRequestWrapper;
+
+
+public class XSSFilter implements Filter {
+	public String filter(String htmlStr){
+		if(htmlStr == null) {
+			return null;
+		}
+        String regEx_script = "<script[^>]*?>[\\s\\S]*?<\\/script>"; // 定义script的正则表达式 
+        String regEx_style = "<style[^>]*?>[\\s\\S]*?<\\/style>"; // 定义style的正则表达式 
+        String regEx_html = "<[^>]+>"; // 定义HTML标签的正则表达式 
+         
+        Pattern p_script = Pattern.compile(regEx_script,Pattern.CASE_INSENSITIVE); 
+        Matcher m_script = p_script.matcher(htmlStr); 
+        htmlStr=m_script.replaceAll(""); // 过滤script标签 
+         
+        Pattern p_style=Pattern.compile(regEx_style,Pattern.CASE_INSENSITIVE); 
+        Matcher m_style=p_style.matcher(htmlStr); 
+        htmlStr=m_style.replaceAll(""); // 过滤style标签 
+         
+        Pattern p_html=Pattern.compile(regEx_html,Pattern.CASE_INSENSITIVE); 
+        Matcher m_html=p_html.matcher(htmlStr); 
+        htmlStr=m_html.replaceAll(""); // 过滤html标签 
+ 
+        return htmlStr.trim(); // 返回文本字符串 
+    } 
+	/**
+     * 一般使用ServletRequest对象获取表单提交的数据，
+     * （主要通过 getParameter() 和 getParameterValues()
+     * 方法获取），再此创建内部类Request,重写getParameter()
+     * 和 getParameterValues()，并在重写的两个方法中实现过滤 
+     */
+
+    class Request extends HttpServletRequestWrapper{// HttpServletRequest                                                                      //Wrapper是servletRequest的实现类
+
+        public Request(HttpServletRequest request) {
+            super(request);
+        }
+
+        @Override
+        public String getParameter(String name) {
+            // 返回过滤后的参数值
+            return filter(super.getRequest().getParameter(name));
+        }
+
+        @Override
+        public String[] getParameterValues(String name) {
+            // 获取所有参数值
+            String[] values = super.getRequest().getParameterValues(name);
+            // 通过循环对所有参数进行进行过滤
+            for(int i=0;i<values.length;i++){
+                values[i] = filter(values[i]);
+            }
+            return values;
+        }
+
+    }
+
+    /**
+     * @see Filter#doFilter(ServletRequest, ServletResponse, FilterChain)
+     */
+    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
+        /*if(encoding != null){
+            request.setCharacterEncoding(encoding);
+            //将request替换为重写后的request
+            request = new Request((HttpServletRequest) request);
+            response.setContentType("text/html; charset = "+encoding);
+        }*/
+    	request = new Request((HttpServletRequest) request);
+        chain.doFilter(request, response);
+    }
+
+    /**
+     * @see Filter#destroy()
+     */
+    public void destroy() {
+    }
+
+}