1、重新对request进行包装,需要继承HttpServletRequestWrapper
package com.topcheer.common;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import org.apache.commons.lang.StringUtils;
public class ParameterRequestWrapper extends HttpServletRequestWrapper {
public ParameterRequestWrapper(HttpServletRequest request) {
super(request);
}
@Override
public String getParameter(String name) {
//Constants.MY_LOG.debug("getParameter----->转义处理");
//return clearXss(super.getParameter(name));// 保留勿删
String parameter = null;
parameter = xssEncode(super.getParameter(name));
//过滤sql注入
parameter = filterContent(parameter);
return parameter;
}
@Override
public String getHeader(String name) {
//Constants.MY_LOG.debug("getHeader----->转义处理");
//return clearXss(super.getHeader(name)); // 保留勿删
return xssEncode(super.getParameter(name));
}
@Override
public String[] getParameterValues(String name) {
//Constants.MY_LOG.debug("getParameterValues----->转义处理");
if(!StringUtils.isEmpty(name)){
String[] values = super.getParameterValues(name);
if(values != null && values.length > 0){
String[] newValues = new String[values.length];
for(int i =0; i< values.length; i++){
//newValues[i] = clearXss(values[i]);// 保留勿删
newValues[i] = xssEncode(values[i]);
//过滤sql注入
newValues[i] = filterContent(newValues[i]);
}
return newValues;
}
}
return null;
}
/**
*
* 处理字符转义【勿删,请保留该注释代码】
* @param value
* @return
private String clearXss(String value){
if (value == null || "".equals(value)) {
return value;
}
value = value.replaceAll("<", "<").replaceAll(">", ">");
value = value.replaceAll("\\(", "(").replace("\\)", ")");
value = value.replaceAll("'", "'");
value = value.replaceAll("eval\\((.*)\\)", "");
value = value.replaceAll("[\\\"\\\'][\\s]*javascript:(.*)[\\\"\\\']", "\"\"");
value = value.replace("script", "");
return value;
}*/
/**
* 将特殊字符替换为全角
* @param s
* @return
*/
private String xssEncode(String s) {
if (s == null || s.isEmpty()) {
return s;
}
StringBuilder sb = new StringBuilder();
for (int i = 0; i < s.length(); i++) {
char c = s.charAt(i);
switch (c) {
case '>':
sb.append('>');// 全角大于号
break;
case '<':
sb.append('<');// 全角小于号
break;
case '\'':
sb.append('‘');// 全角单引号
break;
case '\"':
sb.append('“');// 全角双引号
break;
case '&':
sb.append('&');// 全角&
break;
// case '\\':
// sb.append('\');// 全角斜线
// break;
// case '/':
// sb.append('/');// 全角斜线
// break;
case '#':
sb.append('#');// 全角井号
break;
case '(':
sb.append('(');// 全角(号
break;
case ')':
sb.append(')');// 全角)号
break;
default:
sb.append(c);
break;
}
}
return sb.toString();
}
/**
* 防止sql注入,将or
* @param s
* @return
*/
private String filterContent(String content){
if (content == null || content.isEmpty()) {
return content;
}
// String flt ="'|and|exec|insert|select|delete|update|count|%|\"|chr|mid|master|truncate|<|>|&|char|declare|or";
// String flt ="':and:exec:insert:select:delete:update:count:%:chr:mid:master:truncate:char:declare:;:or:,";
String flt ="':%:chr:mid:master:truncate:char:declare:;:,: ";
String filter[] = flt.split(":");
if(!StringUtils.isNotBlank(content)){
content = "";
}
for(int i=0; i<filter.length;i++ ){
// System.out.print(filter[i]+",");
content=content.replaceAll(filter[i], "");
}
return content;
}
}
2、在过滤器中将request转成对request封装的包装类进行过滤
package com.topcheer.common;
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
public class EncodingFilter implements Filter {
// Instance Variables
/**
* The default character encoding to set for requests that pass through this
* filter.
*/
protected String encoding = null;
/**
* The filter configuration object we are associated with. If this value is
* null, this filter instance is not currently configured.
*/
protected FilterConfig filterConfig = null;
/**
* Should a character encoding specified by the client be ignored?
*/
protected boolean ignore = true;
// Public Methods
/**
* Take this filter out of service.
*/
public void destroy() {
this.encoding = null;
this.filterConfig = null;
}
/**
* Select and set (if specified) the character encoding to be used to
* interpret request parameters for this request.
*
* @param request
* The servlet request we are processing
* @param result
* The servlet response we are creating
* @param chain
* The filter chain we are processing
*
* @exception IOException
* if an input/output error occurs
* @exception ServletException
* if a servlet error occurs
*/
public void doFilter(ServletRequest request, ServletResponse response,
FilterChain chain) throws IOException, ServletException {
HttpServletRequest req = (HttpServletRequest) request;
ParameterRequestWrapper parameterRequestWrapper = new ParameterRequestWrapper((HttpServletRequest) request);
// Conditionally select and set the character encoding to be used
if (ignore || (request.getCharacterEncoding() == null)) {
String encoding = selectEncoding(request);
if (encoding != null) {
request.setCharacterEncoding(encoding);
}
}
/**
* liuc
*/
if (req.getHeader("X-Requested-With") != null && req.getHeader("X-Requested-With").equalsIgnoreCase("XMLHttpRequest")) {
request.setCharacterEncoding("utf-8");
} else {
request.setCharacterEncoding("gbk");
}
/*
* 过滤请求中所有参数,<> ' " exception script & or
*/
chain.doFilter(parameterRequestWrapper, response);
}
/**
* Place this filter into service.
*
* @param filterConfig
* The filter configuration object
*/
public void init(FilterConfig filterConfig) throws ServletException {
this.filterConfig = filterConfig;
this.encoding = filterConfig.getInitParameter("encoding");
String value = filterConfig.getInitParameter("ignore");
if (value == null) {
this.ignore = true;
} else if (value.equalsIgnoreCase("true")) {
this.ignore = true;
} else if (value.equalsIgnoreCase("yes")) {
this.ignore = true;
} else {
this.ignore = false;
}
}
// Protected Methods
/**
* Select an appropriate character encoding to be used, based on the
* characteristics of the current request and/or filter initialization
* parameters. If no character encoding should be set, return
* <code>null</code>.
* <p>
* The default implementation unconditionally returns the value configured
* by the <strong>encoding</strong> initialization parameter for this
* filter.
*
* @param request
* The servlet request we are processing
*/
protected String selectEncoding(ServletRequest request) {
return (this.encoding);
}
}