使用Spring Filter過濾表單中的非法字符
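package test.filter;

import java.io.IOException;
import java.util.Iterator;
import java.util.LinkedHashMap;
import java.util.Locale;
import java.util.Map;

import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import javax.servlet.http.HttpServletResponse;

import org.springframework.beans.BeanWrapper;
import org.springframework.beans.BeansException;
import org.springframework.web.filter.OncePerRequestFilter;
import org.springframework.web.multipart.MultipartHttpServletRequest;
import org.springframework.web.multipart.commons.CommonsMultipartResolver;

/**
 * Spring filter that neutralises HTML-significant characters in request parameters
 * before they reach the controllers.<br>
 * If the request is forwarded, this filter also runs before the target controller method
 * executes (OncePerRequestFilter still guarantees one execution per request).
 * <p>
 * Every parameter accessor of the wrapped request ({@code getParameter},
 * {@code getParameterValues}, {@code getParameterMap}) returns the escaped form, so a
 * controller cannot read a raw value through one accessor while another one is filtered.
 * Because escaping happens at input time, the entity-encoded form is what gets stored;
 * views that also escape on output will double-encode these values.
 * @author admin
 */
public class CharacterFilter extends OncePerRequestFilter {

    /**
     * Threshold (bytes) above which uploaded parts are spooled to disk. 100 MB means a part
     * of that size is held entirely on the heap per request, which is generous; keep it in
     * line with the value used in the application's multipart configuration.
     */
    private static final int MAX_IN_MEMORY_SIZE = 104857600;

    // When CommonsMultipartResolver handles file uploads and the form is multipart/form-data,
    // the resolver must be used here too, with the same settings as in the configuration file.
    private CommonsMultipartResolver multipartResolver = null;

    /**
     * Called while the filter is loaded; initBeanWrapper(BeanWrapper) runs before initFilterBean().<br>
     * Init parameters declared in web.xml are available through
     * super.getFilterConfig().getInitParameter("param1").
     * @param bw the bean wrapper Spring uses to apply init parameters to this filter
     * @throws BeansException propagated from the superclass
     */
    @Override
    protected void initBeanWrapper(BeanWrapper bw) throws BeansException {
        String param1 = super.getFilterConfig().getInitParameter("param1");
        System.out.println("param1:" + param1);

        super.initBeanWrapper(bw);
    }

    /**
     * Creates the multipart resolver used to read form fields of multipart requests.
     * @throws ServletException propagated from the superclass
     */
    @Override
    protected void initFilterBean() throws ServletException {
        multipartResolver = new CommonsMultipartResolver();
        // NOTE(review): no setMaxUploadSize() is configured here, so the total upload size is
        // bounded only by the container; set it to the application's configured limit.
        multipartResolver.setMaxInMemorySize(MAX_IN_MEMORY_SIZE);
        multipartResolver.setDefaultEncoding("utf-8");

        super.initFilterBean();
    }

    /**
     * Wraps the request so that all parameter accessors return escaped values, resolving
     * multipart bodies first so their form fields are visible to the wrapper.
     * @param request     the incoming request
     * @param response    the response
     * @param filterChain the remaining filter chain
     * @throws ServletException propagated from the chain or the multipart resolver
     * @throws IOException      propagated from the chain
     */
    @Override
    protected void doFilterInternal(HttpServletRequest request,
            HttpServletResponse response, FilterChain filterChain)
            throws ServletException, IOException {
        // A configuration parameter could be consulted here to decide whether filtering is needed ...

        // getContentType() is null for requests without a body (e.g. GET); guard before lower-casing.
        String contentType = request.getContentType();
        boolean multipart = contentType != null
                && contentType.toLowerCase(Locale.ROOT).contains("multipart/form-data");

        if (multipart) {
            MultipartHttpServletRequest resolved = multipartResolver.resolveMultipart(request);
            try {
                filterChain.doFilter(new CharacterFilterRequestWrapper(resolved), response);
            } finally {
                // The resolver may have spooled parts to temp files; release them once the chain returns.
                multipartResolver.cleanupMultipart(resolved);
            }
        } else {
            filterChain.doFilter(new CharacterFilterRequestWrapper(request), response);
        }
    }

    /**
     * Request wrapper returning escaped copies of request parameters. The underlying request's
     * parameter storage is never modified: the Servlet API's parameter map is immutable (a
     * put() on it throws), and the value arrays it hands out may be shared, so every accessor
     * returns a fresh array or map. Declared static so it does not retain the filter instance.
     */
    static class CharacterFilterRequestWrapper extends HttpServletRequestWrapper {

        public CharacterFilterRequestWrapper(HttpServletRequest request) {
            super(request);
        }

        /** Filtered as well; returning the raw value here would bypass the filter for any caller using it. */
        @Override
        public String getParameter(String name) {
            return filterString(super.getParameter(name));
        }

        @Override
        public String[] getParameterValues(String name) {
            return filterString(super.getParameterValues(name));
        }

        @Override
        public Map<String, String[]> getParameterMap() {
            Map<String, String[]> original = super.getParameterMap();
            if (original == null) {
                return null;
            }

            // Copy into a new map instead of writing into the container's (immutable) map.
            Map<String, String[]> filtered = new LinkedHashMap<>(original.size());
            for (Map.Entry<String, String[]> entry : original.entrySet()) {
                filtered.put(entry.getKey(), filterString(entry.getValue()));
            }

            return filtered;
        }

        /**
         * Escapes the HTML-significant characters of one value and drops CR/LF and tabs.
         * The entity names are written out explicitly: as displayed on the page the replacements
         * had been rendered back to the literal characters, making them no-ops and leaving an
         * unterminated string literal. '&' is escaped first so that the entities produced by the
         * later replacements are not escaped a second time. Plain replace() is used because the
         * needles are literals, not regular expressions.
         * @param value raw parameter value, may be null
         * @return the escaped value, or null when {@code value} is null
         */
        private static String filterString(String value) {
            if (value == null) {
                return null;
            }

            // Choose the characters to neutralise according to the application's needs.
            return value.replace("\r\n", "")
                    .replace("\t", " ")
                    .replace("&", "&amp;")
                    .replace("<", "&lt;")
                    .replace(">", "&gt;")
                    .replace("\"", "&quot;")
                    .replace("'", "&#39;");
        }

        /**
         * Returns a new array holding the escaped values; the input array is left untouched.
         * @param values raw parameter values, may be null
         * @return a new array of escaped values, or null when {@code values} is null
         */
        private static String[] filterString(String[] values) {
            if (values == null) {
                return null;
            }

            String[] escaped = new String[values.length];
            for (int i = 0; i < values.length; i++) {
                escaped[i] = filterString(values[i]);
            }

            return escaped;
        }

    }

}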