WEB解决跨站脚本攻击过滤器

使用antisamy来过滤参数值，过滤到可疑的html及script标签，

过滤器XSSFilter源码如下;

import java.io.IOException;  

import javax.servlet.Filter;  
import javax.servlet.FilterChain;  
import javax.servlet.FilterConfig;  
import javax.servlet.ServletException;  
import javax.servlet.ServletRequest;  
import javax.servlet.ServletResponse;  
import javax.servlet.http.HttpServletRequest;  
public class XSSFilter implements Filter {  
  
    @Override  
    public void init(FilterConfig filterConfig) throws ServletException {  
    }  
  
    @Override  
    public void doFilter(ServletRequest request, ServletResponse response,  
            FilterChain chain) throws IOException, ServletException {  
        chain.doFilter(new XSSRequestWrapper((HttpServletRequest) request), response);  
    }  
  
    @Override  
    public void destroy() {  
    }  
  
}

import java.io.UnsupportedEncodingException;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import org.owasp.validator.html.AntiSamy;
import org.owasp.validator.html.CleanResults;
import org.owasp.validator.html.Policy;
import org.owasp.validator.html.PolicyException;
import org.owasp.validator.html.ScanException;
public class XSSRequestWrapper extends HttpServletRequestWrapper {  
	private static Policy antiSamyPolicy;
	private static AntiSamy antiSamy;
    public XSSRequestWrapper(HttpServletRequest request) {  
        super(request);  
    }  
    @Override
	public Map getParameterMap() {

		Map request_map = super.getParameterMap();
		Iterator> iterator = request_map.entrySet().iterator();
		System.out.println("request_map" + request_map.size());
		while (iterator.hasNext()) {
			Map.Entry me = (Map.Entry) iterator.next();
			String[] values = (String[]) me.getValue();
			for (int i = 0; i < values.length; i++) {
				System.out.println(values[i]);
				values[i] = stripXSS(values[i]);
				System.out.println(values[i]);
			}
		}
		return request_map;
	}
	@Override  
    public String[] getParameterValues(String parameter) {  
        String[] values = super.getParameterValues(parameter);  
        if (values == null) {  
            return null;  
        }  
        int count = values.length;  
        String[] encodedValues = new String[count];  
        for (int i = 0; i < count; i++) {  
            encodedValues[i] = stripXSS(values[i]);  
        }  
  
        return encodedValues;  
    }  
  
    @Override  
    public String getParameter(String parameter) {  
        String value = super.getParameter(parameter);  
        return stripXSS(value);  
    }  
  
    @Override  
    public String getHeader(String name) {  
        String value = super.getHeader(name);  
        return stripXSS(value);  
    }  
  
    private String stripXSS(String value){  
    	//System.setProperty("org.owasp.esapi.resources", "D:/workspaceZookeeperGui/RSSgj/src");

        if (value != null) {  
			try {
				if(antiSamyPolicy==null){
					antiSamyPolicy = Policy.getInstance(XSSRequestWrapper.class.getClassLoader().getResourceAsStream("antisamy-slashdot-1.4.4.xml"));
					antiSamy= new AntiSamy();
				}
				CleanResults test = antiSamy.scan(value, antiSamyPolicy);
				List errors = test.getErrorMessages();
				if(errors.size()>0){
					System.out.println(new String(errors.toString().getBytes("iso-8859-1"),"utf-8"));
					value=test.getCleanHTML();
				}
			} catch (PolicyException | ScanException | UnsupportedEncodingException e1) {
				// TODO Auto-generated catch block
				e1.printStackTrace();
			}
        }  
        return value;  
    }  
      
}  

在web.xml里配置过滤器，添加如下：

	
	
		XSSFilter
		com.cn.common.filter.XSSFilter
	
	
		XSSFilter
		/*
	

参考：http://www.2cto.com/article/201410/342040.html