防禦之前
防禦之後
如何防禦?
代碼實作
//重寫getParameter方法, 對特殊字元進行轉義
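/**
 * Request wrapper that HTML-escapes request parameters before the application
 * sees them, as a coarse, centralised defence against reflected/stored XSS.
 *
 * <p>Scope: only request <em>parameters</em> are covered. Headers, cookies and
 * the request body (e.g. JSON) are returned untouched, so any of those that is
 * rendered into a page still needs output encoding.
 *
 * <p>Escaping happens on the input side, so the application receives and will
 * persist the escaped form ({@code <} arrives as {@code &lt;}). The escaping is
 * appropriate for values placed in an HTML element body; values emitted into
 * JavaScript, attributes or URLs need context-specific output encoding, which
 * this wrapper does not provide.
 *
 * <p>All parameter accessors are overridden: code that reads parameters via
 * {@link #getParameterValues(String)} or {@link #getParameterMap()} (the path
 * most framework data binders use) must receive the same escaped values as
 * {@link #getParameter(String)}, otherwise the filter is trivially bypassed.
 */
public class XssHttpServletRequestWrapper extends HttpServletRequestWrapper {

    /**
     * @param request the request to wrap; it is handed to the superclass,
     *                which is the only place it is needed
     */
    public XssHttpServletRequestWrapper(HttpServletRequest request) {
        super(request);
    }

    /**
     * Returns the single value of the parameter, HTML-escaped.
     * {@code null} and empty values pass through unchanged.
     */
    @Override
    public String getParameter(String name) {
        return escape(super.getParameter(name));
    }

    /**
     * Returns every value of the parameter, each HTML-escaped, or {@code null}
     * when the parameter is absent. A new array is returned so the container's
     * own array is never mutated.
     */
    @Override
    public String[] getParameterValues(String name) {
        return escapeAll(super.getParameterValues(name));
    }

    /**
     * Returns a copy of the parameter map with every value HTML-escaped.
     * The map from the container is immutable per the Servlet spec, so a fresh
     * (also unmodifiable) map is built rather than edited in place.
     */
    @Override
    public java.util.Map<String, String[]> getParameterMap() {
        java.util.Map<String, String[]> original = super.getParameterMap();
        java.util.Map<String, String[]> escaped = new java.util.LinkedHashMap<String, String[]>();
        for (java.util.Map.Entry<String, String[]> entry : original.entrySet()) {
            escaped.put(entry.getKey(), escapeAll(entry.getValue()));
        }
        return java.util.Collections.unmodifiableMap(escaped);
    }

    /** HTML-escapes one value; null and empty strings are returned as-is. */
    private static String escape(String value) {
        if (StringUtils.isEmpty(value)) {
            return value;
        }
        return StringEscapeUtils.escapeHtml(value);
    }

    /** HTML-escapes every element of {@code values} into a new array; null in, null out. */
    private static String[] escapeAll(String[] values) {
        if (values == null) {
            return null;
        }
        String[] escaped = new String[values.length];
        for (int i = 0; i < values.length; i++) {
            escaped[i] = escape(values[i]);
        }
        return escaped;
    }
}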
//使用過濾器統一處理
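/**
 * Servlet filter that installs {@link XssHttpServletRequestWrapper} on every
 * request so that downstream servlets and controllers read HTML-escaped
 * parameters. Mapped to all URLs via {@code urlPatterns = "/*"}.
 */
@WebFilter(urlPatterns = "/*")
public class XssFilter implements Filter {

    /**
     * Wraps HTTP requests before passing them down the chain.
     *
     * <p>The wrapper only accepts an {@link HttpServletRequest}; any other
     * request type is forwarded unchanged instead of failing the whole
     * request with a ClassCastException from an unconditional cast.
     *
     * @throws IOException      propagated from the rest of the chain
     * @throws ServletException propagated from the rest of the chain
     */
    @Override
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain)
            throws IOException, ServletException {
        ServletRequest request = servletRequest;
        if (servletRequest instanceof HttpServletRequest) {
            request = new XssHttpServletRequestWrapper((HttpServletRequest) servletRequest);
        }
        filterChain.doFilter(request, servletResponse);
    }
}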