防御之前
Web常用攻击手段之XSS脚本 防御之后
Web常用攻击手段之XSS脚本 如何防御?
代码实现
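// Request wrapper that HTML-escapes request parameter values so that XSS
// payloads arriving as parameters are neutralised before the application
// reads them. getParameter, getParameterValues and getParameterMap are all
// overridden so that callers (and framework data binders) that bypass
// getParameter() see the same escaped values.
//
// NOTE(review): input-side escaping is a stop-gap, not a replacement for
// context-aware output encoding in the view layer. It alters legitimate data
// ("a&b" is stored as "a&amp;b"), and it only covers what this class
// overrides: headers, the raw query string, cookies, multipart parts and a
// JSON/XML body read through getInputStream()/getReader() pass through
// untouched. StringEscapeUtils.escapeHtml (commons-lang) also leaves the
// single quote alone, so values placed in single-quoted attributes or inside
// JavaScript remain injectable.
public class XssHttpServletRequestWrapper extends HttpServletRequestWrapper {

    public XssHttpServletRequestWrapper(HttpServletRequest request) {
        // The wrapped request is already reachable via getRequest(); no extra field needed.
        super(request);
    }

    /** Returns the named parameter with HTML special characters escaped, or null when absent. */
    @Override
    public String getParameter(String name) {
        return escape(super.getParameter(name));
    }

    /** Returns every value of a multi-valued parameter escaped, or null when the parameter is absent. */
    @Override
    public String[] getParameterValues(String name) {
        return escapeAll(super.getParameterValues(name));
    }

    /**
     * Returns an unmodifiable view of the whole parameter map with every value escaped.
     * Data binders typically read this map rather than calling getParameter().
     */
    @Override
    public java.util.Map<String, String[]> getParameterMap() {
        java.util.Map<String, String[]> raw = super.getParameterMap();
        java.util.Map<String, String[]> escaped = new java.util.LinkedHashMap<>();
        if (raw != null) {
            for (java.util.Map.Entry<String, String[]> entry : raw.entrySet()) {
                escaped.put(entry.getKey(), escapeAll(entry.getValue()));
            }
        }
        return java.util.Collections.unmodifiableMap(escaped);
    }

    /** Escapes each element of the array; null stays null, so "parameter absent" is preserved. */
    private static String[] escapeAll(String[] values) {
        if (values == null) {
            return null;
        }
        String[] out = new String[values.length];
        for (int i = 0; i < values.length; i++) {
            out[i] = escape(values[i]);
        }
        return out;
    }

    /** Single escaping rule shared by all overrides; null and "" are passed through unchanged. */
    private static String escape(String value) {
        if (StringUtils.isEmpty(value)) {
            return value;
        }
        return StringEscapeUtils.escapeHtml(value);
    }
}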
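// Servlet filter that wraps every HTTP request in XssHttpServletRequestWrapper
// so parameter escaping is applied uniformly, without touching each handler.
//
// NOTE(review): the wrapper only escapes request parameters; request bodies
// (JSON, XML, multipart) and headers still reach the application unescaped,
// so output encoding in the view layer remains the primary XSS control.
@WebFilter(urlPatterns = "/*")
public class XssFilter implements Filter {

    @Override
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain)
            throws IOException, ServletException {
        ServletRequest request = servletRequest;
        // Only HTTP requests can be wrapped; any other ServletRequest is passed
        // through unchanged instead of failing with a ClassCastException.
        if (servletRequest instanceof HttpServletRequest) {
            request = new XssHttpServletRequestWrapper((HttpServletRequest) servletRequest);
        }
        filterChain.doFilter(request, servletResponse);
    }
}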