e57a89 1 package com.jcdm.common.filter;
2
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import javax.servlet.ReadListener;
import javax.servlet.ServletInputStream;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import org.apache.commons.io.IOUtils;
import org.springframework.http.HttpHeaders;
import org.springframework.http.MediaType;
import com.jcdm.common.utils.StringUtils;
import com.jcdm.common.utils.html.EscapeUtil;
14
15 /**
16  * XSS过滤处理
17  * 
18  * @author jc
19  */
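/**
 * Request wrapper that runs {@link EscapeUtil#clean(String)} over request parameter
 * values and JSON request bodies before the application reads them.
 *
 * <p>Coverage is limited to the accessors overridden here: {@link #getParameter},
 * {@link #getParameterValues} and {@link #getInputStream}. {@code getParameterMap()},
 * {@code getReader()}, headers and cookies are passed through unfiltered, so this
 * wrapper is a defence-in-depth layer and not a substitute for output encoding.
 *
 * @author jc
 */
public class XssHttpServletRequestWrapper extends HttpServletRequestWrapper
{
    /**
     * @param request the request to wrap
     */
    public XssHttpServletRequestWrapper(HttpServletRequest request)
    {
        super(request);
    }

    /**
     * Returns the first value of the named parameter after XSS cleaning.
     *
     * <p>{@code HttpServletRequestWrapper#getParameter} delegates to the wrapped
     * request rather than to {@link #getParameterValues}, so without this override
     * a caller using {@code getParameter} would receive the raw value.
     *
     * @param name parameter name
     * @return the cleaned, trimmed value, or {@code null} if the parameter is absent
     */
    @Override
    public String getParameter(String name)
    {
        String value = super.getParameter(name);
        return value == null ? null : EscapeUtil.clean(value).trim();
    }

    /**
     * Returns all values of the named parameter after XSS cleaning.
     *
     * @param name parameter name
     * @return cleaned, trimmed values, or {@code null} if the parameter is absent
     */
    @Override
    public String[] getParameterValues(String name)
    {
        String[] values = super.getParameterValues(name);
        if (values == null)
        {
            return null;
        }
        String[] escapedValues = new String[values.length];
        for (int i = 0; i < values.length; i++)
        {
            // Clean for XSS and strip surrounding whitespace.
            escapedValues[i] = EscapeUtil.clean(values[i]).trim();
        }
        return escapedValues;
    }

    /**
     * For JSON requests, reads the whole body, cleans it and serves the cleaned
     * bytes from an in-memory stream; other content types are passed through
     * untouched.
     *
     * <p>The body is buffered entirely in memory, so an upstream request size
     * limit should be in place. {@code getReader()} is not overridden and still
     * yields the raw body.
     *
     * @return the (possibly cleaned) request body stream
     * @throws IOException if the underlying body cannot be read
     */
    @Override
    public ServletInputStream getInputStream() throws IOException
    {
        // Non-JSON bodies (forms, multipart, binary) are left alone.
        if (!isJsonRequest())
        {
            return super.getInputStream();
        }

        // Read the body exactly once; the underlying stream cannot be re-read.
        String json = IOUtils.toString(super.getInputStream(), StandardCharsets.UTF_8);
        // An empty body skips cleaning; the stream below then simply yields EOF.
        if (!StringUtils.isEmpty(json))
        {
            json = EscapeUtil.clean(json).trim();
        }
        final byte[] jsonBytes = json.getBytes(StandardCharsets.UTF_8);
        final ByteArrayInputStream bis = new ByteArrayInputStream(jsonBytes);
        return new ServletInputStream()
        {
            @Override
            public boolean isFinished()
            {
                // Servlet 3.1 contract: finished only once all buffered bytes are consumed.
                return bis.available() == 0;
            }

            @Override
            public boolean isReady()
            {
                // Fully buffered, so a read never blocks.
                return true;
            }

            @Override
            public int available()
            {
                // Remaining bytes, not the total length - the stream tracks its position.
                return bis.available();
            }

            @Override
            public void setReadListener(ReadListener readListener)
            {
                // Non-blocking I/O is not supported on this buffered stream.
            }

            @Override
            public int read() throws IOException
            {
                return bis.read();
            }

            @Override
            public int read(byte[] b, int off, int len) throws IOException
            {
                // Bulk delegate so consumers do not fall back to byte-at-a-time reads.
                return bis.read(b, off, len);
            }
        };
    }

    /**
     * Whether the request declares a JSON body.
     *
     * @return {@code true} if the {@code Content-Type} header starts with
     *         {@code application/json} (case-insensitive; a trailing
     *         {@code ;charset=...} parameter still matches)
     */
    public boolean isJsonRequest()
    {
        String header = super.getHeader(HttpHeaders.CONTENT_TYPE);
        return StringUtils.startsWithIgnoreCase(header, MediaType.APPLICATION_JSON_VALUE);
    }
}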