XSSFilter.java
public void doFilter(ServletRequest servletrequest, ServletResponse servletresponse, FilterChain filterchain) throws IOException, ServletException { //flag = true 只做URL验证; flag = false 做所有字段的验证; boolean flag = true; if(flag){ //只对URL做xss校验 HttpServletRequest httpServletRequest = (HttpServletRequest) servletrequest; HttpServletResponse httpServletResponse = (HttpServletResponse) servletresponse; String requesturi = httpServletRequest.getRequestURL().toString(); requesturi = URLDecoder.decode(requesturi, "UTF-8"); if(requesturi!=null&&requesturi.indexOf("alipay_hotel_book_return.html")!=-1){ filterchain.doFilter(servletrequest, servletresponse); return; } if(requesturi!=null&&requesturi.indexOf("account_bank_return.html")!=-1){ filterchain.doFilter(servletrequest, servletresponse); return; } if(requesturi!=null&&requesturi.indexOf("/alipay/activity.html")!=-1){ filterchain.doFilter(servletrequest, servletresponse); return ; } if(requesturi!=null&&requesturi.indexOf("/alipayLogin.html")!=-1){ filterchain.doFilter(servletrequest, servletresponse); return ; } RequestWrapper rw = new RequestWrapper(httpServletRequest); String param = httpServletRequest.getQueryString(); if(!"".equals(param) && param != null) { param = URLDecoder.decode(param, "UTF-8"); String originalurl = requesturi + param; String sqlParam = param; //添加sql注入的判断 if(requesturi.endsWith("/askQuestion.html") || requesturi.endsWith("/member/answer.html")){ sqlParam = rw.cleanSQLInject(param); } String xssParam = rw.cleanXSS(sqlParam); requesturi += "?"+xssParam; if(!xssParam.equals(param)){ System.out.println("requesturi::::::"+requesturi); httpServletResponse.sendRedirect(requesturi); System.out.println("no entered."); // filterchain.doFilter(new RequestWrapper((HttpServletRequest) servletrequest), servletresponse); return ; } } filterchain.doFilter(servletrequest, servletresponse); }else{ //对请求中的所有东西都做校验,包括表单。此功能校验比较严格容易屏蔽表单正常输入,使用此功能请注意。 filterchain.doFilter(new RequestWrapper((HttpServletRequest) servletrequest), servletresponse); } }
public RequestWrapper(){ super(null); } public RequestWrapper(HttpServletRequest httpservletrequest) { super(httpservletrequest); } public String[] getParameterValues(String s) { String str[] = super.getParameterValues(s); if (str == null) { return null; } int i = str.length; String as1[] = new String[i]; for (int j = 0; j < i; j++) { as1[j] = cleanXSS(cleanSQLInject(str[j])); } return as1; } public String getParameter(String s) { String s1 = super.getParameter(s); if (s1 == null) { return null; } else { return cleanXSS(cleanSQLInject(s1)); } } public String getHeader(String s) { String s1 = super.getHeader(s); if (s1 == null) { return null; } else { return cleanXSS(cleanSQLInject(s1)); } } public String cleanXSS(String src) { String temp =src; System.out.println("xss---temp-->"+src); src = src.replaceAll("<", "<").replaceAll(">", ">"); // if (src.indexOf("address")==-1) // { src = src.replaceAll("\\(", "(").replaceAll("\\)", ")"); //} src = src.replaceAll("'", "'"); Pattern pattern=Pattern.compile("(eval\\((.*)\\)|script)",Pattern.CASE_INSENSITIVE); Matcher matcher=pattern.matcher(src); src = matcher.replaceAll(""); pattern=Pattern.compile("[\\\"\\'][\\s]*javascript:(.*)[\\\"\\']",Pattern.CASE_INSENSITIVE); matcher=pattern.matcher(src); src = matcher.replaceAll("\"\""); //增加脚本 src = src.replaceAll("script", "").replaceAll(";", "") .replaceAll("\"", "").replaceAll("@", "") .replaceAll("0x0d", "") .replaceAll("0x0a", "").replaceAll(",", ""); if(!temp.equals(src)){ System.out.println("输入信息存在xss攻击!"); System.out.println("原始输入信息-->"+temp); System.out.println("处理后信息-->"+src); } return src; } //需要增加通配,过滤大小写组合 public String cleanSQLInject(String src) { String temp =src; src = src.replaceAll("insert", "forbidI") .replaceAll("select", "forbidS") .replaceAll("update", "forbidU") .replaceAll("delete", "forbidD") .replaceAll("and", "forbidA") .replaceAll("or", "forbidO"); if(!temp.equals(src)){ System.out.println("输入信息存在SQL攻击!"); System.out.println("原始输入信息-->"+temp); System.out.println("处理后信息-->"+src); } return src; }
<filter> <filter-name>XssFilter</filter-name> <filter-class>cn.com.jsoft.xss.XSSFilter</filter-class> <init-param> <param-name>encoding</param-name> <param-value>UTF-8</param-value> </init-param> </filter> <filter-mapping> <filter-name>XssFilter</filter-name> <url-pattern>/*</url-pattern> </filter-mapping>
以上代码仅仅将特殊的sql字符,特殊script脚本字符处理掉,具体的页面处理还需要后台处理!!
源码下载地址:http://download.csdn.net/detail/xb12369/7145235