反射型xss解决方法,增加过滤器，防止反射型 XSS攻击漏洞

大家好，又见面了，我是你们的朋友全栈君。

web.xml配置

    <filter>
		<filter-name>XSSFilter</filter-name>
		<filter-class>com.xxx.filter.NewXssFilter</filter-class>
	</filter>
	<filter-mapping>
		<filter-name>XSSFilter</filter-name>
		<url-pattern>*.do</url-pattern>
	</filter-mapping>
	<filter-mapping>
		<filter-name>XSSFilter</filter-name>
		<url-pattern>*.jsp</url-pattern>
	</filter-mapping>

添加XSS过滤器，NewXssFilter.java

package com.xxx.filter;

import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import com.picc.platform.common.utils.NewXssHttpServletRequestWrapper;

public class NewXssFilter implements Filter {  
    FilterConfig filterConfig = null;  
    public void destroy() {  
       this.filterConfig = null;  
   }  
  
  public void doFilter(ServletRequest request, ServletResponse response,  
           FilterChain chain) throws IOException, ServletException {  
	  NewXssHttpServletRequestWrapper NewXssrequest = new  NewXssHttpServletRequestWrapper((HttpServletRequest)request);
	 HttpServletResponse NewXssresponse = (HttpServletResponse)response;
	 chain.doFilter(NewXssrequest, NewXssresponse);
   }  
  
   public void init(FilterConfig filterConfig) throws ServletException {  
       this.filterConfig = filterConfig;  
   }
 
}

NewXssHttpServletRequestWrapper.java

package com.xxx.common.utils;

import java.util.Iterator;
import java.util.Map;
import java.util.Set;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;

import org.apache.commons.lang3.StringEscapeUtils;

public class NewXssHttpServletRequestWrapper extends HttpServletRequestWrapper {

	
	HttpServletRequest orgRequest = null;

	public NewXssHttpServletRequestWrapper(HttpServletRequest request) {
		super(request);
		// TODO Auto-generated constructor stub
		orgRequest = request;
	}

	public String getParameter(String name) {
		String value = super.getParameter(xssEncode(name));
		if (value != null) {
			value = xssEncode(value);
		}
		return value;
	}

	public String getHeader(String name) {

		String value = super.getHeader(xssEncode(name));
		if (value != null) {
			value = xssEncode(value);
		}
		return value;
	}

	public Map<String, String[]> getParameterMap() {
		Map<String, String[]> paramMap = super.getParameterMap();
		Set<String> keySet = paramMap.keySet();
		for (Iterator iterator = keySet.iterator(); iterator.hasNext();) {
			String key = (String) iterator.next();
			String[] str = paramMap.get(key);
			for (int i = 0; i < str.length; i++) {
				str[i] = xssEncode(str[i]);
			}
		}
		return paramMap;
	}
	

	private static String xssEncode(String s) {

		if (s == null || s.isEmpty()) {
			return s;
		}
		return StringEscapeUtils.escapeHtml4(s);

	}
	
	/**
	 * 获取最原始的request
	 * 
	 * @return
	 */
	public HttpServletRequest getOrgRequest() {
		return orgRequest;
	}

	/**
	 * 获取最原始的request的静态方法
	 * 
	 * @return
	 */
	public static HttpServletRequest getOrgRequest(HttpServletRequest req) {
		if (req instanceof NewXssHttpServletRequestWrapper) {
			return ((NewXssHttpServletRequestWrapper) req).getOrgRequest();
		}

		return req;
	}

}