使用Filter防止XSS攻击

什么是XSS攻击:
XSS攻击通过向页面注入JavaScript脚本进行攻击
例如在表单中注入:
fromToXss.jsp:

<%@ page language="java" contentType="text/html; charset=UTF-8"
	pageEncoding="UTF-8"%>




Insert title here


	

XssDemo:

import java.io.IOException;

import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

@WebServlet("/XssDemo")
public class XssDemo extends HttpServlet {

	/** Name of both the request parameter read and the request attribute written. */
	private static final String USER_NAME = "userName";

	/** View that renders the submitted value. */
	private static final String VIEW = "showUserName.jsp";

	/**
	 * Copies the {@code userName} request parameter into a request attribute of the same name and
	 * forwards to {@code showUserName.jsp}.
	 *
	 * The value is handed on exactly as received: nothing in this servlet escapes it, so whatever
	 * the view does with {@code ${userName}} (or a filter installed in front of this servlet) is the
	 * only thing standing between the raw input and the rendered page.
	 *
	 * @param req  the incoming request; {@code getParameter} returns {@code null} when the parameter
	 *             is absent, in which case the attribute is effectively cleared
	 * @param resp the response the forwarded view writes to
	 * @throws ServletException propagated from the forward
	 * @throws IOException      propagated from the forward
	 */
	@Override
	protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
		String submitted = req.getParameter(USER_NAME);
		req.setAttribute(USER_NAME, submitted);
		req.getRequestDispatcher(VIEW).forward(req, resp);
	}
}

showUserName.jsp:

<%@ page language="java" contentType="text/html; charset=UTF-8"
	pageEncoding="UTF-8"%>




Insert title here


userName:${userName}



使用Filter过滤器过滤注入的标签:

import java.io.IOException;
import java.util.Map;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

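/**
 * Filter that installs {@link XssAndSqlHttpServletRequestWrapper} around every request so that
 * parameters read further down the chain (servlets, JSPs) come back HTML-escaped.
 *
 * NOTE(review): {@code javax.servlet.annotation.WebFilter} is imported in this file but not applied
 * to the class, and no web.xml mapping is shown. Unless the filter is registered elsewhere it never
 * runs and the wrapper is never installed — confirm the deployment descriptor.
 *
 * The lifecycle methods only print to stdout; they hold no state.
 *
 * @author Administrator
 */
public class FilterDemo implements Filter {
	public FilterDemo() {
		System.out.println("FilterDemo 构造函数被执行...");
	}

	/** Container shutdown hook; nothing to release, only logs. */
	@Override
	public void destroy() {
		System.out.println("destroy");
	}

	/**
	 * Wraps the request and continues the chain with the wrapper in place of the original request.
	 *
	 * Only the request is wrapped; the response is passed through untouched. Anything that reads
	 * the request through the wrapper's overridden accessors gets escaped values — whatever the
	 * wrapper does not override (headers, cookies, the raw body) is still the raw input.
	 *
	 * @param paramServletRequest  the incoming request; must be an {@link HttpServletRequest}
	 * @param paramServletResponse passed through unchanged
	 * @param paramFilterChain     the rest of the chain
	 * @throws ServletException if the request is not an HTTP request (the wrapper cannot be built), or
	 *                          when propagated from the chain
	 * @throws IOException      propagated from the chain
	 */
	@Override
	public void doFilter(ServletRequest paramServletRequest, ServletResponse paramServletResponse,
			FilterChain paramFilterChain) throws IOException, ServletException {
		System.out.println("doFilter");
		// Fail closed: a non-HTTP request cannot be wrapped, and letting it through unwrapped would
		// silently skip the escaping this filter exists for. Previously this was an unchecked
		// ClassCastException from the cast below.
		if (!(paramServletRequest instanceof HttpServletRequest)) {
			throw new ServletException("FilterDemo requires an HttpServletRequest, got "
					+ paramServletRequest.getClass().getName());
		}
		HttpServletRequest request = (HttpServletRequest) paramServletRequest;
		XssAndSqlHttpServletRequestWrapper xssRequestWrapper = new XssAndSqlHttpServletRequestWrapper(request);
		paramFilterChain.doFilter(xssRequestWrapper, paramServletResponse);
	}

	/** Container start-up hook; the config is not used, only logs. */
	@Override
	public void init(FilterConfig paramFilterConfig) throws ServletException {
		System.out.println("init");
	}
}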

import java.util.Collections;
import java.util.LinkedHashMap;
import java.util.Map;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;

import org.apache.commons.lang3.StringEscapeUtils;
import org.apache.commons.lang3.StringUtils;

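/**
 * Request wrapper that HTML-escapes request parameters before handing them to the application.
 *
 * What it covers: {@link #getParameter}, {@link #getParameterValues} and {@link #getParameterMap}.
 * The original only overrode {@code getParameter}, so any code reading parameters through
 * {@code getParameterValues} or {@code getParameterMap} (for example JSTL {@code ${paramValues.x}})
 * received the raw value; all three now go through the same escaping.
 *
 * What it does not cover: headers, cookies, path/query pieces read through other accessors, and the
 * raw body ({@code getReader}/{@code getInputStream}) are returned unchanged. Despite the class name,
 * nothing here addresses SQL injection — that is handled by using {@code PreparedStatement} with
 * bound parameters, not by escaping input.
 *
 * {@code escapeHtml4} is correct for values interpolated into HTML element content. It is not the
 * right encoding for a JavaScript string, a URL or an attribute value; the reliable defence is still
 * output encoding at the point of rendering (e.g. {@code <c:out>} instead of {@code ${...}}), with this
 * wrapper as a belt-and-braces layer.
 */
public class XssAndSqlHttpServletRequestWrapper extends HttpServletRequestWrapper {
	// Same object as getRequest(); kept as a field because existing callers may rely on it.
	HttpServletRequest request;

	/**
	 * @param request the request to wrap; all parameter reads are delegated to it
	 */
	public XssAndSqlHttpServletRequestWrapper(HttpServletRequest request) {
		super(request);
		this.request = request;
	}

	/**
	 * Returns the named parameter HTML-escaped, or the value as-is when it is {@code null} or empty.
	 *
	 * @param name parameter name
	 * @return the escaped value, or {@code null} when the parameter is absent
	 */
	@Override
	public String getParameter(String name) {
		String value = request.getParameter(name);
		// NOTE(review): this echoes the raw parameter value to stdout. Fine for a demo, but outside one
		// it writes whatever the client sent (passwords, tokens) into the log — drop it or log the name only.
		System.out.println("name:" + name + "," + value);
		return escape(value);
	}

	/**
	 * Returns all values of the named parameter, each HTML-escaped.
	 *
	 * @param name parameter name
	 * @return a new array of escaped values, or {@code null} when the parameter is absent
	 */
	@Override
	public String[] getParameterValues(String name) {
		return escapeAll(request.getParameterValues(name));
	}

	/**
	 * Returns the full parameter map with every value HTML-escaped.
	 *
	 * @return an unmodifiable copy of the underlying map with escaped values; keys are unchanged
	 */
	@Override
	public Map<String, String[]> getParameterMap() {
		Map<String, String[]> raw = request.getParameterMap();
		if (raw == null) {
			return null;
		}
		Map<String, String[]> escaped = new LinkedHashMap<>();
		for (Map.Entry<String, String[]> entry : raw.entrySet()) {
			escaped.put(entry.getKey(), escapeAll(entry.getValue()));
		}
		return Collections.unmodifiableMap(escaped);
	}

	/** Escapes one value for HTML element content; {@code null} and empty strings are returned unchanged. */
	private static String escape(String value) {
		if (StringUtils.isEmpty(value)) {
			return value;
		}
		return StringEscapeUtils.escapeHtml4(value);
	}

	/** Escapes every element of the array into a new array; {@code null} stays {@code null}. */
	private static String[] escapeAll(String[] values) {
		if (values == null) {
			return null;
		}
		String[] escaped = new String[values.length];
		for (int i = 0; i < values.length; i++) {
			escaped[i] = escape(values[i]);
		}
		return escaped;
	}
}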
