跨站点脚本拦截-filter

常规攻击预防,如果不做这样的测试你在表单提交的时候做如下测试,看看是什么效果;

package com.romeo.backbone.untils;

import java.io.UnsupportedEncodingException;

/**
 * 过滤危险的字符
 * 
 * @author aGuang
 * 
 */
public class DangerString {

	/*** 转义字符* @param value* @return */
	static public String filter(String value) {
		if (value == null) {
			return null;
		}
		StringBuffer result = new StringBuffer(value.length());
		for (int i = 0; i < value.length(); ++i) {
			switch (value.charAt(i)) {
			case '<':
				result.append("<");
				break;
			case '>':
				result.append(">");
				break;
			case '"':
				result.append(""");
				break;
			case '\'':
				result.append("'");
				break;
			case '%':
				result.append("%");
				break;
			case ';':
				result.append(";");
				break;
			case '(':
				result.append("(");
				break;
			case ')':
				result.append(")");
				break;
			case '&':
				result.append("&");
				break;
			case '+':
				result.append("+");
				break;
			default:
				result.append(value.charAt(i));
				break;
			}
		}
		return result.toString();
	}

	/**
	 * 过滤掉用户输入中的危险字符
	 * 
	 * @param value
	 * @return
	 */
	static public String filterDangerString(String value) {
		if (null == value)
			return null;
		value = value.replaceAll("script", "ipscrt");
		value = value.replaceAll("applet", "letapp");
		value = value.replaceAll("embed", "bedem");

		return value;
	}

	/**
	 * 将 inStr 转为 UTF - 8 的编码形式
	 * 
	 * @param inStr
	 *            输入字符串
	 * @return UTF - 8 的编码形式的字符串
	 * @throws UnsupportedEncodingException
	 */
	static public String toUTF(String inStr) throws UnsupportedEncodingException {
		String outStr = "";
		if (inStr != null) {
			// outStr=java.net.URLDecoder.decode(inStr);// 不用 decode 了 ,
			// 到这的时候就已经自动 decode 过了
			// 将字符串转为 UTF-8 编码形式
			outStr = new String(inStr.getBytes("iso-8859-1"), "UTF-8");
		}
		return outStr;
	}

}


package com.gwtjs.filter;

import java.util.Enumeration;
import java.util.Map;
import java.util.Vector;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;

public class ParameterRequestWrapper extends HttpServletRequestWrapper {

	public ParameterRequestWrapper(HttpServletRequest request) {
		super(request);
	}

	private final Map<String, String[]> params;

	@Override
	public Enumeration<String> getParameterNames() {
		Vector<String> l = new Vector<String>(params.keySet());
		return l.elements();
	}

	@Override
	public String[] getParameterValues(String name) {
		Object v = params.get(name);
		if (v == null) {
			return null;
		} else if (v instanceof String[]) {
			return (String[]) v;
		} else if (v instanceof String) {
			return new String[] { (String) v };
		} else {
			return new String[] { v.toString() };
		}
	}

	@Override
	public String getParameter(String name) {
		Object v = params.get(name);
		if (v == null) {
			return null;
		} else if (v instanceof String[]) {
			String[] strArr = (String[]) v;
			if (strArr.length > 0) {
				return strArr[0];
			} else {
				return null;
			}
		} else if (v instanceof String) {
			return (String) v;
		} else {
			return v.toString();
		}
	}

}


package com.gwtjs.filter;

import java.io.IOException;
import java.util.ArrayList;
import java.util.List;
import java.util.Map;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;

import org.apache.log4j.Logger;

import com.romeo.backbone.untils.DangerString;

public class HttpServletParamsRequestFilter implements Filter {

	private static Logger logger = Logger.getLogger(HttpServletRequest.class);

	public void doFilter(ServletRequest request, ServletResponse response,
			FilterChain chain) throws IOException, ServletException {
		HttpServletRequest req = (HttpServletRequest) request;
		String url = req.getRequestURL().toString();
		String ip = req.getRemoteAddr();
		String contextPath = req.getContextPath();
		logger.info(url);
		logger.info(ip);
		logger.info(contextPath);
		Map<String, String[]> parameterMap = req.getParameterMap();
		List<String> keys = new ArrayList<String>();
		keys.addAll(parameterMap.keySet());
		keys.addAll(parameterMap.keySet());
		for (int i = 0; i < keys.size(); i++) {
			String key = keys.get(i);
			String[] value = parameterMap.get(key);
			for (int j = 0; j < value.length; j++) {
				String val = DangerString.filter(value[j]);
				value[j] = val;
			}
		}
		ParameterRequestWrapper wrapRequest = new ParameterRequestWrapper(req,parameterMap);

		chain.doFilter(wrapRequest, response);
	}

	public void destroy() {
		// TODO Auto-generated method stub

	}

	public void init(FilterConfig arg0) throws ServletException {
		// TODO Auto-generated method stub

	}

}







你可能感兴趣的:(跨站点脚本拦截-filter)