xss漏洞,添加xssFilter后,乱码,解决方法

/*
 *
 * 更改所生成文件模板为
 * 窗口 > 首选项 > Java > 代码生成 > 代码和注释
 */
package com.bmcc.adc.filter;


import java.io.IOException;
import java.util.Collections;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Iterator;
import java.util.Locale;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;


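public class XssFilter implements Filter {

    /**
     * Keywords that cause a request to be rejected when one of them appears, in any
     * letter case, in a parameter name or value of a filtered URL.
     *
     * <p>The original pattern {@code "SCRIPT||DOCUMENT|ALERT"} contained an empty
     * alternative between the two bars. An empty alternative matches every string, so
     * {@code find()} always succeeded and every request that carried at least one
     * parameter was rejected. The pattern is also compiled once here instead of once
     * per parameter.
     *
     * <p>A keyword blocklist is a coarse control: it cannot recognise every way of
     * expressing script in HTML, so it does not replace context-aware output encoding
     * at the point where these values are rendered.
     */
    private static final Pattern BLOCKED = Pattern.compile("SCRIPT|DOCUMENT|ALERT");

    /**
     * Request URIs (exact match against {@code getRequestURI()}) whose parameters are
     * inspected. Filled from the init-params in {@link #init(FilterConfig)} and changed
     * at runtime by the maintenance commands handled in {@code doFilter}, so it is
     * backed by a concurrent map rather than the original unsynchronised
     * {@code HashMap}, which was mutated from concurrent request threads. The backing
     * map rejects {@code null}, so callers guard against a missing value.
     */
    private final Set<String> urls =
            Collections.newSetFromMap(new ConcurrentHashMap<String, Boolean>());

    /** Nothing to release: the filter holds no external resources. */
    public void destroy() {
    }

    /**
     * Sets the request encoding, applies the maintenance commands, and rejects
     * requests to a filtered URI whose parameters contain a blocked keyword.
     *
     * @param arg0 the incoming request; must be an {@link HttpServletRequest}
     * @param arg1 the outgoing response; must be an {@link HttpServletResponse}
     * @param arg2 the remainder of the filter chain
     * @throws IOException if the redirect or the downstream chain fails
     * @throws ServletException if the downstream chain fails
     */
    public void doFilter(ServletRequest arg0, ServletResponse arg1,
            FilterChain arg2) throws IOException, ServletException {
        // This is the garbled-text fix from the article. It must run before the first
        // getParameter() call on the request: the container decodes the request body
        // with the encoding in force at that moment, and a later
        // setCharacterEncoding() has no effect. Only the body (POST form data) is
        // affected; query-string decoding is governed by the container's connector
        // configuration, which is outside this class.
        arg0.setCharacterEncoding("GBK");

        HttpServletRequest request = (HttpServletRequest) arg0;
        HttpServletResponse response = (HttpServletResponse) arg1;
        String requrl = request.getRequestURI();
        System.err.println(requrl);

        if (requrl != null) {
            handleMaintenanceCommand(requrl, request);
        }

        // The backing set rejects null, hence the explicit guard.
        if (requrl != null && urls.contains(requrl)) {
            if (!canDo(request, response)) {
                response.sendRedirect("/index/");
                return;
            }
            System.err.println("passed");
        }
        arg2.doFilter(arg0, arg1);
    }

    /**
     * Applies the in-request maintenance commands: add a URI to, remove a URI from,
     * or list the set of filtered URIs. A command is recognised when its name occurs
     * anywhere in the request URI; the {@code url} parameter carries the operand.
     *
     * <p>NOTE(review): nothing on this page authenticates the caller of these
     * commands, so any client able to reach a URI containing one of the command names
     * can change which pages are filtered. Confirm they are restricted upstream, or
     * remove them, before relying on this filter.
     *
     * @param requrl the request URI, already known to be non-null
     * @param request the request whose {@code url} parameter is the operand
     */
    private void handleMaintenanceCommand(String requrl, HttpServletRequest request) {
        if (requrl.contains("add_xss_update_filter_urls")) {
            String url = request.getParameter("url");
            // A missing operand is ignored rather than stored as a null key.
            if (url != null) {
                urls.add(url);
            }
            System.err.println("xss add =[[" + url + "]]");
        }
        if (requrl.contains("remove_xss_update_filter_urls")) {
            String url = request.getParameter("url");
            if (url != null) {
                urls.remove(url);
            }
            System.err.println("xss remove =[[" + url + "]]");
        }
        if (requrl.contains("list_xss_update_filter_urls")) {
            for (String element : urls) {
                System.err.println("xss item =[[" + element + "]]");
            }
        }
    }

    /**
     * Seeds the filtered-URI set from the filter's init-params. Each init-param
     * <em>value</em> is a URI to filter; the parameter name is only a label.
     *
     * @param arg0 the filter configuration supplied by the container
     * @throws ServletException never thrown here; kept for the {@link Filter} contract
     */
    public void init(FilterConfig arg0) throws ServletException {
        Enumeration<?> configs = arg0.getInitParameterNames();
        while (configs.hasMoreElements()) {
            String element = (String) configs.nextElement();
            String url = arg0.getInitParameter(element);
            if (url != null) {
                urls.add(url);
            }
        }
    }

    /**
     * Decides whether a request to a filtered URI may proceed.
     *
     * <p>Every parameter name and <em>every</em> value of each parameter is checked;
     * the original looked only at {@code getParameter()}, i.e. the first value, so a
     * repeated parameter could carry an unchecked value.
     *
     * @param req the request whose parameters are inspected
     * @param resp unused; kept so the signature stays the same
     * @return {@code true} when no parameter name or value contains a blocked keyword
     */
    private boolean canDo(HttpServletRequest req, HttpServletResponse resp) {
        Enumeration<?> params = req.getParameterNames();
        if (params == null) {
            return true;
        }
        while (params.hasMoreElements()) {
            String name = (String) params.nextElement();
            // Only the name is logged: parameter values may include credentials or
            // other secrets, which the original printed to stderr in full.
            System.err.println("xss----------paramname=[" + name + "]");
            if (containsBlockedKeyword(name)) {
                return false;
            }
            String[] values = req.getParameterValues(name);
            if (values == null) {
                continue;
            }
            for (int i = 0; i < values.length; i++) {
                if (containsBlockedKeyword(values[i])) {
                    return false;
                }
            }
        }
        return true;
    }

    /**
     * Returns whether {@code text} contains one of the blocked keywords.
     *
     * <p>Upper-casing uses {@link Locale#ROOT}: with the default locale, a
     * locale-specific mapping of {@code i} could turn {@code script} into a string
     * the pattern does not match.
     *
     * @param text the parameter name or value; {@code null} never matches
     * @return {@code true} when a blocked keyword occurs in {@code text}
     */
    private static boolean containsBlockedKeyword(String text) {
        return text != null && BLOCKED.matcher(text.toUpperCase(Locale.ROOT)).find();
    }

}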


配置文件:

   
XssFilter
com.bmcc.adc.filter.XssFilter

url0
/WEB-INF/pages/pub/common/passivelogon_ec.jsp


url1
/edsmp/listAccountSvc.do


url2
/edsmp/serviceonlineNoLoginSub.do



XssFilter
           *.do
           REQUEST


XssFilter
*.jsp
