1、下载jar包
xercesImpl.jar http://xerces.apache.org/mirrors.cgi#binary
batik.jar http://xmlgraphics.apache.org/batik/download.cgi
nekohtml.jar http://sourceforge.net/projects/nekohtml/
2、下载策略文件(里面有各个版本的策略文件)
http://central.maven.org/maven2/org/owasp/antisamy/antisamy-sample-configs/
策略文件详解https://blog.csdn.net/raychiu757374816/article/details/79016101
3、自定义过滤器
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
public class XssFilter implements Filter {
@SuppressWarnings("unused")
private FilterConfig filterConfig;
public void destroy() {
this.filterConfig = null;
}
public void doFilter(ServletRequest request, ServletResponse response,
FilterChain chain) throws IOException, ServletException {
chain.doFilter(new RequestWrapper((HttpServletRequest) request), response);
}
public void init(FilterConfig filterConfig) throws ServletException {
this.filterConfig = filterConfig;
}
}
4、自定义request类继承HttpServletRequestWrapper重写其中的部分方法
import java.util.Iterator;
import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import org.owasp.validator.html.AntiSamy;
import org.owasp.validator.html.CleanResults;
import org.owasp.validator.html.Policy;
import org.owasp.validator.html.PolicyException;
import org.owasp.validator.html.ScanException;
public class RequestWrapper extends HttpServletRequestWrapper {
public RequestWrapper(HttpServletRequest request) {
super(request);
}
@SuppressWarnings({ "rawtypes", "unchecked" })
public Map<String,String[]> getParameterMap(){
Map<String,String[]> request_map = super.getParameterMap();
Iterator iterator = request_map.entrySet().iterator();
while(iterator.hasNext()){
Map.Entry me = (Map.Entry)iterator.next();
String[] values = (String[])me.getValue();
for(int i = 0 ; i < values.length ; i++){
System.out.println(values[i]);
values[i] = xssClean(values[i]);
}
}
return request_map;
}
@SuppressWarnings({ "rawtypes", "unchecked" })
public String getParameter(String name) {
String v=super.getParameter(name);
if(v==null)
return null;
return xssClean(v);
}
@SuppressWarnings({ "rawtypes", "unchecked" })
public String[] getParameterValues(String name) {
String[] v=super.getParameterValues(name);
if(v==null || v.length==0)
return v;
for(int i=0;i<v.length;i++){
v[i]=xssClean(v[i]);
}
return v;
}
private String xssClean(String value) {
AntiSamy antiSamy = new AntiSamy();
try {
Policy policy = Policy.getInstance("/antisamy-slashdot.xml");
final CleanResults cr = antiSamy.scan(value, policy);
return cr.getCleanHTML();
} catch (ScanException e) {
e.printStackTrace();
} catch (PolicyException e) {
e.printStackTrace();
}
return value;
}
}
5、配置拦截器,拦截请求处理请求参数
<filter>
<filter-name>XSSFilter</filter-name>
<filter-class>org.jeecgframework.core.filter.XssFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>XSSFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
引入完成。