tomcat 防xss 的一种实现

我的解决方法：通过 Servlet 过滤器过滤请求。

关键在于如何在 Filter 中取到 POST 里的内容。

通过继承 javax.servlet.http.HttpServletRequestWrapper 类，替换 POST 里的非法字符。

1:FormDataXssRequest类

import java.util.Collections;
import java.util.LinkedHashMap;
import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;

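/**
 * 防xss,替换request
 * <p>
 * Request wrapper that HTML-escapes every parameter value handed to the application
 * ({@link #getParameter}, {@link #getParameterValues}, {@link #getParameterMap}).
 * This is an input-side, defense-in-depth measure for an HTML text/attribute context
 * only; pages must still encode on output for the context they render into, and values
 * that went through this wrapper are already escaped, so encoding them again on output
 * double-encodes.
 * Created by keygod on 2016/3/10.
 */
public class FormDataXssRequest extends HttpServletRequestWrapper {
    /**
     * Constructs a request object wrapping the given request.
     *
     * @param request the request to wrap; parameter values read through this wrapper are escaped
     * @throws IllegalArgumentException if the request is null
     */
    public FormDataXssRequest(HttpServletRequest request) {
        super(request);
    }

    /**
     * Escapes the characters that can open a tag or break out of an attribute
     * ({@code & < > " '}). Escaping, instead of deleting substrings such as
     * {@code script} or {@code eval(...)}, keeps legitimate input intact
     * (e.g. "description") and does not depend on enumerating dangerous spellings.
     *
     * @param s the raw parameter value, may be null
     * @return the escaped value, or null if {@code s} is null
     */
    private static String clean(String s) {
        if (s == null) {
            return null;
        }
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':
                    sb.append("&amp;");
                    break;
                case '<':
                    sb.append("&lt;");
                    break;
                case '>':
                    sb.append("&gt;");
                    break;
                case '"':
                    sb.append("&quot;");
                    break;
                case '\'':
                    sb.append("&#39;");
                    break;
                default:
                    sb.append(c);
            }
        }
        return sb.toString();
    }

    /**
     * Escapes every element of a parameter value array.
     *
     * @param values the raw values, may be null (unknown parameter)
     * @return a new array of escaped values, or null if {@code values} is null
     */
    private static String[] cleanAll(String[] values) {
        if (values == null) {
            return null;
        }
        String[] escaped = new String[values.length];
        for (int i = 0; i < values.length; i++) {
            escaped[i] = clean(values[i]);
        }
        return escaped;
    }

    /**
     * Single-value lookup, escaped. The wrapper base class forwards {@code getParameter}
     * straight to the wrapped request rather than through {@link #getParameterValues},
     * so without this override {@code request.getParameter(name)} returned the raw value.
     */
    @Override
    public String getParameter(String name) {
        return clean(super.getParameter(name));
    }

    @Override
    public String[] getParameterValues(String name) {
        return cleanAll(super.getParameterValues(name));
    }

    /**
     * Escaped view of the whole parameter map; the map is a copy, as the servlet
     * contract requires an immutable result.
     */
    @Override
    public Map<String, String[]> getParameterMap() {
        Map<String, String[]> raw = super.getParameterMap();
        Map<String, String[]> escaped = new LinkedHashMap<String, String[]>();
        for (Map.Entry<String, String[]> entry : raw.entrySet()) {
            escaped.put(entry.getKey(), cleanAll(entry.getValue()));
        }
        return Collections.unmodifiableMap(escaped);
    }

}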

2:XssFilter

import java.io.IOException;
import java.util.Locale;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

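/**
 * Wraps requests whose parameters come from the query string or a URL-encoded form
 * body in {@link FormDataXssRequest}, so servlets and JSPs behind this filter read
 * HTML-escaped parameter values.
 * Created by keygod on 2016/12/21.
 */
public class XssFilter implements Filter {
    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
        // Stateless filter: no configuration is read.
    }

    /**
     * Replaces the request with an escaping wrapper when {@link #shouldWrap} says so,
     * otherwise passes it down the chain unchanged.
     *
     * @throws IOException      propagated from the chain
     * @throws ServletException propagated from the chain
     */
    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        // Only HTTP requests can be wrapped; an unconditional cast would throw ClassCastException.
        if (!(request instanceof HttpServletRequest)) {
            chain.doFilter(request, response);
            return;
        }
        HttpServletRequest req = (HttpServletRequest) request;

        if (shouldWrap(req)) {
            chain.doFilter(new FormDataXssRequest(req), response);
        } else {
            // Multipart (file upload) and other non-form bodies are not escaped here;
            // a dedicated wrapper for them is still to be written.
            chain.doFilter(req, response);
        }
    }

    /**
     * Decides whether the parameters of {@code req} should be escaped.
     * <p>
     * Parameters are escaped when the path looks like a page or action and the request
     * either carries no Content-Type (GET: parameters come from the query string, which
     * the original content-type gate let through unfiltered) or declares a URL-encoded
     * form body. Any other declared body type is left alone.
     *
     * @param req the incoming request
     * @return true if the request should be wrapped in {@link FormDataXssRequest}
     */
    private static boolean shouldWrap(HttpServletRequest req) {
        String uri = req.getRequestURI();
        // Substring matches, kept as the author wrote them: ".jsp" matches anywhere in the path.
        boolean pageOrAction = uri != null
                && (uri.contains(".jsp") || uri.contains(".do") || uri.equals("/"));
        if (!pageOrAction) {
            return false;
        }
        String contentType = req.getHeader("Content-Type");
        if (contentType == null) {
            return true;
        }
        // Media types are case-insensitive; compare in a locale-independent lower case.
        return contentType.toLowerCase(Locale.ROOT).contains("application/x-www-form-urlencoded");
    }

    @Override
    public void destroy() {
        // Nothing to release.
    }
}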
