| 提交 | 用户 | 时间 | ||
| e57a89 | 1 | package com.jcdm.common.filter; |
| 懒 | 2 | |
| 3 | import java.io.ByteArrayInputStream; | |
| 4 | import java.io.IOException; | |
| 5 | import javax.servlet.ReadListener; | |
| 6 | import javax.servlet.ServletInputStream; | |
| 7 | import javax.servlet.http.HttpServletRequest; | |
| 8 | import javax.servlet.http.HttpServletRequestWrapper; | |
| 9 | import org.apache.commons.io.IOUtils; | |
| 10 | import org.springframework.http.HttpHeaders; | |
| 11 | import org.springframework.http.MediaType; | |
| 12 | import com.jcdm.common.utils.StringUtils; | |
| 13 | import com.jcdm.common.utils.html.EscapeUtil; | |
| 14 | ||
| 15 | /** | |
| 16 | * XSS过滤处理 | |
| 17 | * | |
| 18 | * @author jc | |
| 19 | */ | |
| 20 | public class XssHttpServletRequestWrapper extends HttpServletRequestWrapper | |
| 21 | { | |
| 22 | /** | |
| 23 | * @param request | |
| 24 | */ | |
| 25 | public XssHttpServletRequestWrapper(HttpServletRequest request) | |
| 26 | { | |
| 27 | super(request); | |
| 28 | } | |
| 29 | ||
| 30 | @Override | |
| 31 | public String[] getParameterValues(String name) | |
| 32 | { | |
| 33 | String[] values = super.getParameterValues(name); | |
| 34 | if (values != null) | |
| 35 | { | |
| 36 | int length = values.length; | |
| 37 | String[] escapesValues = new String[length]; | |
| 38 | for (int i = 0; i < length; i++) | |
| 39 | { | |
| 40 | // 防xss攻击和过滤前后空格 | |
| 41 | escapesValues[i] = EscapeUtil.clean(values[i]).trim(); | |
| 42 | } | |
| 43 | return escapesValues; | |
| 44 | } | |
| 45 | return super.getParameterValues(name); | |
| 46 | } | |
| 47 | ||
| 48 | @Override | |
| 49 | public ServletInputStream getInputStream() throws IOException | |
| 50 | { | |
| 51 | // 非json类型,直接返回 | |
| 52 | if (!isJsonRequest()) | |
| 53 | { | |
| 54 | return super.getInputStream(); | |
| 55 | } | |
| 56 | ||
| 57 | // 为空,直接返回 | |
| 58 | String json = IOUtils.toString(super.getInputStream(), "utf-8"); | |
| 59 | if (StringUtils.isEmpty(json)) | |
| 60 | { | |
| 61 | return super.getInputStream(); | |
| 62 | } | |
| 63 | ||
| 64 | // xss过滤 | |
| 65 | json = EscapeUtil.clean(json).trim(); | |
| 66 | byte[] jsonBytes = json.getBytes("utf-8"); | |
| 67 | final ByteArrayInputStream bis = new ByteArrayInputStream(jsonBytes); | |
| 68 | return new ServletInputStream() | |
| 69 | { | |
| 70 | @Override | |
| 71 | public boolean isFinished() | |
| 72 | { | |
| 73 | return true; | |
| 74 | } | |
| 75 | ||
| 76 | @Override | |
| 77 | public boolean isReady() | |
| 78 | { | |
| 79 | return true; | |
| 80 | } | |
| 81 | ||
| 82 | @Override | |
| 83 | public int available() throws IOException | |
| 84 | { | |
| 85 | return jsonBytes.length; | |
| 86 | } | |
| 87 | ||
| 88 | @Override | |
| 89 | public void setReadListener(ReadListener readListener) | |
| 90 | { | |
| 91 | } | |
| 92 | ||
| 93 | @Override | |
| 94 | public int read() throws IOException | |
| 95 | { | |
| 96 | return bis.read(); | |
| 97 | } | |
| 98 | }; | |
| 99 | } | |
| 100 | ||
| 101 | /** | |
| 102 | * 是否是Json请求 | |
| 103 | * | |
| 104 | * @param request | |
| 105 | */ | |
| 106 | public boolean isJsonRequest() | |
| 107 | { | |
| 108 | String header = super.getHeader(HttpHeaders.CONTENT_TYPE); | |
| 109 | return StringUtils.startsWithIgnoreCase(header, MediaType.APPLICATION_JSON_VALUE); | |
| 110 | } | |
| 111 | } | |
