最近需要写个 XSS 过滤器，将访问网站的所有请求参数都进行 XSS 过滤，过滤用的 API 是 AntiSamy 1.4.4。需要说明的是，这种参数层面的输入过滤只是纵深防御的一环：它只覆盖 getParameterMap() 中的参数（请求头、multipart 字段、JSON 请求体都不在范围内），而且 AntiSamy 输出的是 HTML，可能会改写本不是 HTML 的值；输出时按上下文进行编码仍然是防御 XSS 的主要手段。
java代码
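/**
 * Servlet filter that runs every request parameter value of matching URIs through
 * OWASP AntiSamy before the request reaches the application.
 *
 * Scope and limitations a deployer should know about:
 * <ul>
 *   <li>Only {@code getParameterMap()} is sanitized. Headers, cookies, path info, multipart
 *       form fields and JSON/XML request bodies pass through untouched.</li>
 *   <li>The cleaned values are exposed through {@link ParameterRequestWrapper}; anything that
 *       reads the container's original request object sees the original values.</li>
 *   <li>AntiSamy produces HTML. Values that are not HTML may still be altered (e.g.
 *       entity-encoded), so fields that must arrive verbatim &mdash; passwords, signatures,
 *       tokens &mdash; belong on URIs that are NOT matched by {@link #setFilterChainDefinitions(List)}.</li>
 *   <li>This is defense in depth. Context-aware output encoding remains the primary XSS control.</li>
 * </ul>
 *
 * URI matching is done against {@code getRequestURI()} with the leading context path removed.
 * That string is neither URL-decoded nor normalized, so a pattern meant to exclude a sensitive
 * endpoint can be sidestepped with encoded or {@code ..} segments; treat the patterns as an
 * allow-list of what to scan, not as a reliable exclusion mechanism.
 *
 * The policy named by {@link #POLICY_FILE_LOCATION} is one of AntiSamy's shipped sample
 * policies; confirm the tag/attribute set it permits is what this application wants.
 *
 * Thread-safety: {@code uriPatterns} and {@code policy} are written during configuration /
 * {@link #init(FilterConfig)} and only read afterwards; a fresh {@link AntiSamy} instance is
 * created per scanned value.
 */
public class XssFilter implements Filter {
    private static final Logger log = LoggerFactory.getLogger(XssFilter.class);

    /** Argument handed to {@link Policy#getInstance(String)}; how it is resolved is AntiSamy's business. */
    public static final String POLICY_FILE_LOCATION = "antisamy-slashdot-1.4.4.xml";

    private List<String> filterChainDefinitions;

    /** {@link #filterChainDefinitions} compiled once, instead of re-compiled on every request. */
    private volatile Pattern[] uriPatterns;

    /** Policy parsed once in {@link #init(FilterConfig)} instead of once per parameter value. */
    private volatile Policy policy;

    /**
     * Loads the AntiSamy policy and warns when no URI patterns are configured (in which case
     * the filter never sanitizes anything).
     *
     * @throws ServletException if the policy cannot be loaded. Failing at startup is preferable
     *         to discovering a broken policy at request time, where the previous per-request load
     *         turned every parameter value into an empty string.
     */
    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
        policy = loadPolicy();
        if (uriPatterns == null || uriPatterns.length == 0) {
            log.warn("XssFilter has no filterChainDefinitions; no request parameters will be sanitized");
        }
    }

    /**
     * Sanitizes the parameters of a request whose URI matches a configured pattern and hands a
     * {@link ParameterRequestWrapper} with the cleaned values down the chain. Requests that do
     * not match are wrapped with their original parameter map.
     *
     * @throws ServletException if sanitizing fails. The request is rejected instead of being
     *         passed through with raw parameters, so a failure cannot silently switch the filter off.
     */
    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest httpRequest = (HttpServletRequest) request;
        @SuppressWarnings("unchecked") // pre-3.0 servlet APIs return a raw Map
        Map<String, String[]> params = httpRequest.getParameterMap();
        if (matchUri(requestPath(httpRequest))) {
            try {
                params = clearRequestPra(httpRequest, new HashMap<String, String[]>());
            } catch (RuntimeException e) {
                throw new ServletException("Sanitizing request parameters failed", e);
            }
        }
        chain.doFilter(new ParameterRequestWrapper(httpRequest, params), response);
    }

    /**
     * Returns the request URI with the context path removed from the front.
     *
     * Only a leading occurrence is stripped: {@code String.replace} would also delete the
     * context path wherever it recurs (e.g. {@code /app/x/app/y} became {@code /x/y}), so the
     * string matched against the patterns would not be the real path.
     */
    private static String requestPath(HttpServletRequest request) {
        String contextPath = request.getContextPath();
        String uri = request.getRequestURI();
        if (contextPath != null && contextPath.length() > 0 && uri.startsWith(contextPath)) {
            return uri.substring(contextPath.length());
        }
        return uri;
    }

    /**
     * Copies the request's parameters into {@code m}, sanitizing every value.
     *
     * The container owns the arrays behind {@code getParameterMap()} and the Servlet spec declares
     * that map immutable; the values are therefore written into new arrays rather than back into
     * the originals.
     *
     * @param request source of parameters
     * @param m       destination map, returned for convenience
     * @return {@code m}
     * @throws ServletException if the AntiSamy policy cannot be obtained
     */
    private Map<String, String[]> clearRequestPra(ServletRequest request, Map<String, String[]> m)
            throws ServletException {
        @SuppressWarnings("unchecked") // pre-3.0 servlet APIs return a raw Map
        Map<String, String[]> params = request.getParameterMap();
        for (Map.Entry<String, String[]> entry : params.entrySet()) {
            String[] values = entry.getValue();
            if (values == null) {
                m.put(entry.getKey(), null);
                continue;
            }
            String[] cleaned = new String[values.length];
            for (int i = 0; i < values.length; i++) {
                cleaned[i] = scan(values[i]);
            }
            m.put(entry.getKey(), cleaned);
        }
        return m;
    }

    /**
     * Runs one value through AntiSamy and returns its clean HTML.
     *
     * Fails closed: a value the sanitizer cannot process is replaced with the empty string and
     * logged, rather than forwarded unsanitized.
     *
     * @throws ServletException if the policy cannot be loaded
     */
    private String scan(String content) throws ServletException {
        Policy p = getPolicy();
        try {
            CleanResults cr = new AntiSamy().scan(content, p);
            return cr.getCleanHTML();
        } catch (Exception e) {
            log.warn("AntiSamy could not sanitize a parameter value; replacing it with an empty string", e);
            return "";
        }
    }

    /**
     * Returns the cached policy, loading it lazily if {@link #init(FilterConfig)} was not
     * invoked (e.g. the proxy was configured without targetFilterLifecycle).
     */
    private Policy getPolicy() throws ServletException {
        Policy p = policy;
        if (p == null) {
            synchronized (this) {
                p = policy;
                if (p == null) {
                    p = loadPolicy();
                    policy = p;
                }
            }
        }
        return p;
    }

    /** Parses the policy file, wrapping any failure with the location that was tried. */
    private Policy loadPolicy() throws ServletException {
        try {
            return Policy.getInstance(POLICY_FILE_LOCATION);
        } catch (Exception e) {
            throw new ServletException("Unable to load AntiSamy policy " + POLICY_FILE_LOCATION, e);
        }
    }

    /**
     * Whole-string match of {@code uri} against the configured patterns.
     *
     * @return {@code true} if any pattern matches; {@code false} when none match or none are configured
     */
    private boolean matchUri(String uri) {
        Pattern[] patterns = uriPatterns;
        if (patterns == null) {
            return false;
        }
        for (Pattern pattern : patterns) {
            if (pattern.matcher(uri).matches()) {
                return true;
            }
        }
        return false;
    }

    @Override
    public void destroy() {
        // Nothing to release: the policy and the compiled patterns hold no I/O resources.
    }

    public List<String> getFilterChainDefinitions() {
        return filterChainDefinitions;
    }

    /**
     * Sets the regular expressions (java.util.regex, matched with {@code matches()}) that select
     * which request paths are sanitized; compiled here so a malformed expression fails at
     * configuration time rather than on every request.
     */
    public void setFilterChainDefinitions(List<String> filterChainDefinitions) {
        this.filterChainDefinitions = filterChainDefinitions;
        if (filterChainDefinitions == null) {
            uriPatterns = null;
            return;
        }
        Pattern[] compiled = new Pattern[filterChainDefinitions.size()];
        int i = 0;
        for (String regex : filterChainDefinitions) {
            compiled[i++] = Pattern.compile(regex);
        }
        uriPatterns = compiled;
    }
}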
application-context-security.xml
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:aop="http://www.springframework.org/schema/aop"
xmlns:tx="http://www.springframework.org/schema/tx" xmlns:context="http://www.springframework.org/schema/context"
xmlns:util="http://www.springframework.org/schema/util"
xsi:schemaLocation="
http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/context
http://www.springframework.org/schema/context/spring-context-3.0.xsd
http://www.springframework.org/schema/util
http://www.springframework.org/schema/util/spring-util-3.0.xsd"
default-lazy-init="true">
<description>Security Config</description>
<!-- XSS filter bean (not Shiro). The servlet container reaches it through the
     DelegatingFilterProxy declared in web.xml under the same bean name. -->
<bean id="xssFilter" class="com.shurrik.security.XssFilter">
<!-- java.util.regex patterns, matched with matches() (whole string) against the request URI
     with the context path removed. That URI is neither URL-decoded nor normalized, so these
     patterns are only reliable as an allow-list of what to scan, not for excluding endpoints. -->
<property name="filterChainDefinitions">
<list>
<!-- Example of restricting the filter to one path prefix: -->
<!-- <value>^/module.*</value> -->
<!-- Scan the parameters of every request. -->
<value>^/.*</value>
</list>
</property>
</bean>
</beans>
web.xml
<!-- Xss filter-->
<!-- DelegatingFilterProxy forwards doFilter() to the Spring bean named by targetBeanName.
     targetFilterLifecycle=true additionally forwards init() and destroy() to that bean;
     without it the bean's init() is never invoked by the container. -->
<filter>
  <filter-name>xssFilter</filter-name>
  <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
  <init-param>
    <param-name>targetFilterLifecycle</param-name>
    <param-value>true</param-value>
  </init-param>
  <init-param>
    <param-name>targetBeanName</param-name>
    <param-value>xssFilter</param-value>
  </init-param>
</filter>
<!-- Mapped to every path; the bean's filterChainDefinitions decide which URIs are actually
     sanitized. Only REQUEST, FORWARD and INCLUDE dispatches pass through the filter: an error
     page (ERROR dispatch) or an asynchronous re-dispatch reads the container's original request,
     not the sanitized wrapper. Place this mapping before any filter that consumes parameters
     it expects to be sanitized. -->
<filter-mapping>
  <filter-name>xssFilter</filter-name>
  <url-pattern>/*</url-pattern>
  <dispatcher>REQUEST</dispatcher>
  <dispatcher>FORWARD</dispatcher>
  <dispatcher>INCLUDE</dispatcher>
</filter-mapping>