XSS漏洞解决方案之一:过滤器

一:web.xml文件

 

  <!-- XSS mitigation: registers the request-wrapping filter.
       NOTE(review): the filter-class must match the class exactly as declared in the
       source. The XSSFilter shown further down this page is declared in package
       com.rigel.sandbox.core.filter, which does not match the value given here;
       align one of the two, otherwise the container cannot load the filter at startup. -->
  <filter>
    <filter-name>xssFilter</filter-name>
     <filter-class>com.baidu.rigel.sandbox.core.filter.XSSFilter</filter-class>
  </filter>

  <!-- Apply the filter to every URL. Only the request is wrapped; the response is
       not touched, so output encoding at the rendering layer is still required. -->
  <filter-mapping>
    <filter-name>xssFilter</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>



 

 

二:过滤器:XSSFilter.java

 

package com.rigel.sandbox.core.filter;



import java.io.IOException;



import javax.servlet.Filter;

import javax.servlet.FilterChain;

import javax.servlet.FilterConfig;

import javax.servlet.ServletException;

import javax.servlet.ServletRequest;

import javax.servlet.ServletResponse;

import javax.servlet.http.HttpServletRequest;



import com.rigel.sandbox.core.util.XssHttpServletRequestWrapper;



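/**
 * Servlet filter that wraps each incoming {@link HttpServletRequest} in an
 * {@link XssHttpServletRequestWrapper}, so that parameter and header values read
 * through the wrapper's overridden accessors are escaped before downstream code
 * sees them.
 * <p>
 * Only the request is wrapped; the response passes through untouched. A request
 * that is not an {@link HttpServletRequest} is forwarded unchanged instead of
 * failing the chain with a {@code ClassCastException}.
 */
public class XSSFilter implements Filter {

	/** No configuration is read, so there is nothing to initialise. */
	@Override
	public void init(FilterConfig filterConfig) throws ServletException {
	}

	/**
	 * Wraps HTTP requests and continues the filter chain.
	 *
	 * @param request  the incoming request; wrapped when it is an {@link HttpServletRequest}
	 * @param response the response, passed through unchanged
	 * @param chain    the remaining filter chain
	 * @throws IOException      propagated from the chain
	 * @throws ServletException propagated from the chain
	 */
	@Override
	public void doFilter(ServletRequest request, ServletResponse response,
			FilterChain chain) throws IOException, ServletException {
		// Guard the cast: a filter mapped to /* is not guaranteed to receive only
		// HTTP requests, and an unchecked cast would abort the chain for anything else.
		ServletRequest toPass = request;
		if (request instanceof HttpServletRequest) {
			toPass = new XssHttpServletRequestWrapper((HttpServletRequest) request);
		}
		chain.doFilter(toPass, response);
	}

	/** Nothing was allocated in {@link #init}, so there is nothing to release. */
	@Override
	public void destroy() {
	}

}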


 


三:包装器:XssHttpServletRequestWrapper.java

 

package com.rigel.sandbox.core.util;



import java.util.Collections;
import java.util.LinkedHashMap;
import java.util.Map;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;



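/**
 * Request wrapper that HTML-escapes parameter and header values (and the names used
 * to look them up) so that characters significant in HTML markup cannot reach a page
 * unescaped through these accessors.
 * <p>
 * This is a lossy input filter: the escaped form is what the application receives and
 * stores, so code that needs the raw value must go through {@link #getOrgRequest()}.
 * It is a defence-in-depth measure only; context-appropriate output encoding at the
 * point where data is rendered is still required.
 * <p>
 * Covered: {@code getParameter}, {@code getParameterValues}, {@code getParameterMap},
 * {@code getHeader}. Not covered: {@code getParameterNames}, {@code getHeaders},
 * {@code getHeaderNames}, and anything read from the request body or URI directly.
 */
public class XssHttpServletRequestWrapper extends HttpServletRequestWrapper {

	/** The unwrapped request, kept so callers can still reach the raw values. */
	private final HttpServletRequest orgRequest;

	/**
	 * @param request the request to wrap; must not be {@code null}
	 */
	public XssHttpServletRequestWrapper(HttpServletRequest request) {
		super(request);
		orgRequest = request;
	}

	/**
	 * Overrides getParameter so that both the parameter name and its value are escaped.
	 * The raw value is still available via {@code getOrgRequest().getParameter(name)}.
	 *
	 * @param name the parameter name
	 * @return the escaped value, or {@code null} when the parameter is absent
	 */
	@Override
	public String getParameter(String name) {
		// xssEncode passes null through, so an absent parameter still yields null.
		return xssEncode(super.getParameter(xssEncode(name)));
	}

	/**
	 * Overrides getParameterValues so that multi-valued parameters are escaped too.
	 * Without this override, code reading the array form would see the raw values.
	 *
	 * @param name the parameter name
	 * @return a new array of escaped values, or {@code null} when the parameter is absent
	 */
	@Override
	public String[] getParameterValues(String name) {
		return xssEncodeAll(super.getParameterValues(xssEncode(name)));
	}

	/**
	 * Overrides getParameterMap so that code which binds from the map form (rather
	 * than calling getParameter) also sees escaped names and values.
	 *
	 * @return an unmodifiable map of escaped names to escaped values
	 */
	@Override
	public Map<String, String[]> getParameterMap() {
		Map<String, String[]> raw = super.getParameterMap();
		Map<String, String[]> encoded = new LinkedHashMap<String, String[]>();
		for (Map.Entry<String, String[]> entry : raw.entrySet()) {
			encoded.put(xssEncode(entry.getKey()), xssEncodeAll(entry.getValue()));
		}
		return Collections.unmodifiableMap(encoded);
	}

	/**
	 * Overrides getHeader so that both the header name and its value are escaped.
	 * The raw header is still available via {@code getOrgRequest().getHeader(name)}.
	 *
	 * @param name the header name
	 * @return the escaped header value, or {@code null} when the header is absent
	 */
	@Override
	public String getHeader(String name) {
		return xssEncode(super.getHeader(xssEncode(name)));
	}

	/**
	 * Escapes every element of an array, returning a new array.
	 *
	 * @param values the raw values; may be {@code null}
	 * @return a new array of escaped values, or {@code null} when {@code values} is {@code null}
	 */
	private static String[] xssEncodeAll(String[] values) {
		if (values == null) {
			return null;
		}
		String[] encoded = new String[values.length];
		for (int i = 0; i < values.length; i++) {
			encoded[i] = xssEncode(values[i]);
		}
		return encoded;
	}

	/**
	 * Replaces the five characters that can break out of HTML text or attribute context
	 * ({@code < > ' " &}) with HTML entity references. The work is done in a single pass,
	 * so an existing {@code &} becomes {@code &amp;} without re-escaping the entities
	 * produced for the other characters.
	 *
	 * @param s the string to escape; may be {@code null}
	 * @return the escaped string; {@code null} or empty input is returned unchanged
	 */
	private static String xssEncode(String s) {
		if (s == null || s.isEmpty()) {
			return s;
		}
		StringBuilder sb = new StringBuilder(s.length() + 16);
		for (int i = 0; i < s.length(); i++) {
			char c = s.charAt(i);
			// Each case must append something other than the original character;
			// appending the character itself would leave the value unescaped.
			switch (c) {
			case '>':
				sb.append("&gt;");
				break;
			case '<':
				sb.append("&lt;");
				break;
			case '\'':
				sb.append("&#39;");
				break;
			case '\"':
				sb.append("&quot;");
				break;
			case '&':
				sb.append("&amp;");
				break;
			default:
				sb.append(c);
				break;
			}
		}
		return sb.toString();
	}

	/**
	 * Returns the original, unwrapped request.
	 *
	 * @return the request passed to the constructor
	 */
	public HttpServletRequest getOrgRequest() {
		return orgRequest;
	}

	/**
	 * Static convenience: unwraps a request if it is one of these wrappers.
	 *
	 * @param req a request that may or may not be wrapped
	 * @return the original request when {@code req} is an {@code XssHttpServletRequestWrapper},
	 *         otherwise {@code req} itself
	 */
	public static HttpServletRequest getOrgRequest(HttpServletRequest req) {
		if (req instanceof XssHttpServletRequestWrapper) {
			return ((XssHttpServletRequestWrapper) req).getOrgRequest();
		}
		return req;
	}
}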


 

