一、寫一個過濾器
代碼如下:
package com.liufeng.sys.filter;
import java.io.IOException;
import java.io.PrintWriter;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
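public class IllegalCharacterFilter implements Filter {
    /**
     * Substrings that must not appear in any request parameter value.
     * Filled from the "characterParams" init-param in {@link #init}; empty when filtering is off.
     */
    private String[] characterParams = new String[0];
    /** False when no filter strings were configured; every request is then passed through untouched. */
    private boolean ok = true;

    @Override
    public void destroy() {
        // Nothing to release: the filter holds no resources.
    }

    /**
     * Rejects the request when any request parameter value contains one of the
     * configured substrings; otherwise hands it down the chain unchanged.
     *
     * <p>Security note: this is a blocklist over request parameters only. It does not
     * inspect headers, cookies, the request path or non-form bodies, and a blocklist of a
     * few characters cannot by itself stop SQL injection or XSS (numeric injection,
     * payloads without quotes, and encoded input all pass). It is at most defence in
     * depth; the real controls are prepared statements and output encoding.
     *
     * @param request  the incoming request; only its parameter names/values are read
     * @param response the response; written to only when the request is blocked
     * @param chain    the remaining filter chain, invoked only for accepted requests
     * @throws IOException      if the chain or the response writer fails
     * @throws ServletException if the chain fails
     */
    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletResponse servletResponse = (HttpServletResponse) response;

        if (!ok || !containsIllegalCharacter(request)) {
            chain.doFilter(request, response);
            return;
        }

        // Blocked. Content type and encoding are set only on this branch: the original
        // forced text/html on every request, clobbering the type of static resources and
        // downstream servlets. A 400 tells proxies and caches this is not a normal page.
        servletResponse.setStatus(HttpServletResponse.SC_BAD_REQUEST);
        servletResponse.setContentType("text/html");
        servletResponse.setCharacterEncoding("utf-8");
        PrintWriter out = servletResponse.getWriter();
        // Fixed string only: never echo the request URL or the offending parameter value
        // here, or the filter itself becomes a reflected-XSS sink.
        // NOTE(review): the start of this string was lost from the listing; the original
        // presumably emitted a message before the redirect — confirm against the real source.
        out.println("<script>window.history.go(-1);</script>");
        out.flush();
    }

    /**
     * Returns true when the concatenated values of any parameter contain one of
     * {@link #characterParams}. Values of a multi-valued parameter are joined as in the
     * original, so a substring spanning two values also matches.
     */
    private boolean containsIllegalCharacter(ServletRequest request) {
        // Raw Enumeration + cast keeps this compiling on both Servlet 2.5 and 3.x signatures.
        java.util.Enumeration<?> params = request.getParameterNames();
        while (params.hasMoreElements()) {
            String param = (String) params.nextElement();
            String[] values = request.getParameterValues(param);
            if (values == null) {
                continue;
            }
            StringBuilder joined = new StringBuilder();
            for (String value : values) {
                joined.append(value);
            }
            String paramValue = joined.toString();
            for (String illegal : characterParams) {
                if (paramValue.indexOf(illegal) >= 0) {
                    return true;
                }
            }
        }
        return false;
    }

    /**
     * Reads the comma-separated "characterParams" init-param. A missing or empty value
     * switches filtering off instead of throwing (the original NPE'd on a missing param).
     *
     * @param config the filter configuration from web.xml
     * @throws ServletException never thrown here; kept for the interface contract
     */
    @Override
    public void init(FilterConfig config) throws ServletException {
        String raw = config.getInitParameter("characterParams");
        if (raw == null || raw.isEmpty()) {
            ok = false;
            return;
        }
        // Drop empty entries ("a,,b" or a trailing comma): an empty needle matches every
        // value via indexOf("") == 0 and would block every request.
        java.util.List<String> needles = new java.util.ArrayList<String>();
        for (String s : raw.split(",")) {
            if (!s.isEmpty()) {
                needles.add(s);
            }
        }
        ok = !needles.isEmpty();
        characterParams = needles.toArray(new String[0]);
    }
}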
二、在 web.xml 檔案中加入如下內容：
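<!-- Illegal-character filter: rejects requests whose parameter values contain any configured substring -->
<filter>
<filter-name>illegalCharacterFilter</filter-name>
<!-- Kept on one line so the container never has to trim whitespace around the class name -->
<filter-class>com.liufeng.sys.filter.IllegalCharacterFilter</filter-class>
<init-param>
<param-name>characterParams</param-name>
<!-- Substrings to block, comma-separated. Note: "@" also rejects every legitimate e-mail address,
     and a short blocklist like this is no substitute for PreparedStatement and output encoding. -->
<param-value>',@</param-value>
</init-param>
</filter>
<filter-mapping>
<!-- filter-name is mandatory in a filter-mapping and must match the <filter> above;
     the original omitted it, which makes the deployment descriptor invalid -->
<filter-name>illegalCharacterFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>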
重新啟動伺服器後，過濾器即生效。
需要注意的是，這個過濾器只是以黑名單方式檢查請求參數中是否含有指定字元，能擋掉一部分最粗糙的攻擊，但並不能單獨「防止」SQL 注入或跨站腳本 XSS：不含單引號的數字型注入、不含 ' 與 @ 的 <script> 載荷、經過編碼的輸入，以及 HTTP 標頭、Cookie 與非表單請求體，都不會被它攔下；同時 @ 會把所有合法的電子郵件地址一併擋掉。真正的防護仍應是在資料庫存取時使用 PreparedStatement 參數化查詢，以及在輸出時做 HTML 編碼，此過濾器只能作為額外的縱深防禦。