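/**
 * Servlet filter entry point: rejects a request whose parameter names or
 * values contain any of the tokens configured in
 * {@code SystemConfig.interceptSpecial}, otherwise forwards it down the chain.
 *
 * A rejected request gets an HTML notice page and is NOT forwarded; the
 * original version wrote the page but still called {@code chain.doFilter},
 * so the flagged payload reached the application anyway. The notice page
 * HTML-escapes everything it echoes, because reflecting the offending value
 * verbatim would make this filter itself a reflected-XSS sink.
 *
 * @param req0  the incoming request; non-HTTP requests are forwarded untouched
 * @param res0  the response to write the notice page to when rejecting
 * @param chain the remaining filter chain
 */
public void doFilter(ServletRequest req0, ServletResponse res0, FilterChain chain)
{
    try
    {
        if (!(req0 instanceof HttpServletRequest) || !(res0 instanceof HttpServletResponse))
        {
            // Nothing to inspect on a non-HTTP exchange; do not block it.
            chain.doFilter(req0, res0);
            return;
        }
        HttpServletRequest request = (HttpServletRequest) req0;
        HttpServletResponse response = (HttpServletResponse) res0;
        response.setHeader("P3P", "CP=CAO PSA OUR");

        String specialCharactersStr = SystemConfig.interceptSpecial;
        if (null != specialCharactersStr && specialCharactersStr.length() != 0)
        {
            String rejection = findRejectedParameter(request, specialCharactersStr);
            if (rejection != null)
            {
                writeRejectPage(response, rejection);
                // Stop here: a rejected request must not reach the target resource.
                return;
            }
        }
        chain.doFilter(req0, res0);
    }
    catch (Exception e)
    {
        // NOTE(review): this also swallows failures thrown by the rest of the
        // chain; kept as in the original because the signature declares no
        // checked exceptions. A logger would be preferable to stderr.
        e.printStackTrace();
    }
}

/**
 * Scans every parameter name and every value of each parameter (not only the
 * first value, which is all {@code getParameter} returns) and builds the
 * rejection message for the first offending one.
 *
 * @param request              the HTTP request whose parameters are inspected
 * @param specialCharactersStr the configured token list, already known non-empty
 * @return an HTML-safe rejection message, or {@code null} if nothing matched
 */
private static String findRejectedParameter(HttpServletRequest request, String specialCharactersStr)
{
    Enumeration<String> paramNames = request.getParameterNames();
    while (paramNames.hasMoreElements())
    {
        String paramName = paramNames.nextElement();
        if (matchRegPattern(paramName))
        {
            return "跨站漏洞检查:请求参数名【" + escapeHtml(paramName) + "】含有特殊字符【"
                + escapeHtml(specialCharactersStr) + "】中的一个或多个!";
        }
        String[] values = request.getParameterValues(paramName);
        if (values == null)
        {
            continue;
        }
        for (String value : values)
        {
            if (matchRegPattern(value))
            {
                return "跨站漏洞检查:请求参数值【" + escapeHtml(value) + "】含有特殊字符【"
                    + escapeHtml(specialCharactersStr) + "】中的一个或多个!";
            }
        }
    }
    return null;
}

/**
 * Writes the rejection notice page and closes the response.
 *
 * @param response the response to write to
 * @param errorMsg the message to show; must already be HTML-escaped
 * @throws java.io.IOException if the response writer cannot be obtained
 */
private static void writeRejectPage(HttpServletResponse response, String errorMsg)
    throws java.io.IOException
{
    // 400 rather than the implicit 200: clients and log-based detection can
    // then tell a blocked request apart from a successful one.
    response.setStatus(HttpServletResponse.SC_BAD_REQUEST);
    response.setContentType("text/html;charset=utf-8");
    try (PrintWriter out = response.getWriter())
    {
        out.println("<!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 4.01 Transitional//EN\">");
        out.println("<HTML>");
        out.println(" <HEAD><TITLE>恶意攻击提醒</TITLE></HEAD>");
        out.println(" <BODY>");
        out.print(" ");
        out.print(errorMsg);
        out.println(", ");
        out.println(" </BODY>");
        out.println("</HTML>");
        out.flush();
    }
}

/**
 * Minimal HTML text/attribute escaping for the five characters that can break
 * out of an HTML text node or attribute value.
 *
 * @param s the raw text; {@code null} is treated as empty
 * @return the escaped text
 */
private static String escapeHtml(String s)
{
    if (s == null)
    {
        return "";
    }
    StringBuilder sb = new StringBuilder(s.length() + 16);
    for (int i = 0; i < s.length(); i++)
    {
        char c = s.charAt(i);
        switch (c)
        {
            case '&': sb.append("&amp;"); break;
            case '<': sb.append("&lt;"); break;
            case '>': sb.append("&gt;"); break;
            case '"': sb.append("&quot;"); break;
            case '\'': sb.append("&#39;"); break;
            default: sb.append(c);
        }
    }
    return sb.toString();
}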
web.xml配置
<filter>
<filter-name>loginfilter</filter-name>
<filter-class>com.ipi.wlan.base.common.FiterHandle</filter-class>
</filter>
<filter-mapping>
<filter-name>loginfilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
过滤字符:<item name="interceptSpecial" value="{,},>,<,',;,alert(,alert(," comment="个性化字段过滤"/>
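/**
 * Reports whether {@code strTarget} contains any of the comma-separated
 * tokens configured in {@code SystemConfig.interceptSpecial}.
 *
 * This is a plain, case-sensitive substring denylist ({@code indexOf}); it is
 * a coarse pre-filter and not a replacement for output encoding at the point
 * where data is rendered.
 *
 * @param strTarget the text to inspect; {@code null} never matches
 * @return {@code true} when at least one non-empty configured token occurs in
 *         {@code strTarget}; {@code false} otherwise, and also when the
 *         configuration is unset or empty (the original threw
 *         {@code NullPointerException} on an unset configuration)
 */
private static boolean matchRegPattern(String strTarget)
{
    String configured = SystemConfig.interceptSpecial;
    if (strTarget == null || configured == null || configured.isEmpty())
    {
        return false;
    }
    // A literal comma cannot be configured as a token because "," is the
    // separator.
    for (String token : configured.split(","))
    {
        // An empty token (produced by ",," in the config) would match every
        // string, since indexOf("") is 0, so it is skipped instead of
        // rejecting all requests.
        if (!token.isEmpty() && strTarget.indexOf(token) >= 0)
        {
            return true;
        }
    }
    return false;
}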
web项目XSS漏洞处理
转载自thzop.iteye.com/blog/2257381