web项目XSS漏洞处理

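/**
 * Servlet filter that rejects any request whose parameter names or values
 * contain one of the comma-separated blacklist substrings in
 * {@code SystemConfig.interceptSpecial}, answering with a small HTML error
 * page instead of passing the request down the chain.
 *
 * Fixes over the previous version:
 * <ul>
 *   <li>the offending name/value was echoed into the error page unescaped, so
 *       the "XSS blocker" was itself a reflected-XSS sink (any value that
 *       contains {@code <} is by definition blocked and then written raw into
 *       HTML); the message is now HTML-escaped;</li>
 *   <li>after writing the error page the filter fell through to
 *       {@code chain.doFilter}, so the application still processed the
 *       "blocked" request (and could try to write to an already closed
 *       writer); it now returns immediately;</li>
 *   <li>only the first value of a multi-valued parameter was inspected;
 *       every value is now checked.</li>
 * </ul>
 *
 * NOTE(review): this remains a substring blacklist over query/form parameters
 * only - headers, cookies, path segments, multipart and JSON bodies are not
 * inspected - and is not a substitute for contextual output encoding in the
 * views.
 *
 * @param req0  incoming request (cast to HttpServletRequest)
 * @param res0  outgoing response (cast to HttpServletResponse)
 * @param chain remaining filter chain, invoked only when nothing matched
 */
public void doFilter(ServletRequest req0, ServletResponse res0,
    FilterChain chain)
{
    HttpServletResponse response = (HttpServletResponse) res0;
    HttpServletRequest request = (HttpServletRequest) req0;
    response.setHeader("P3P", "CP=CAO PSA OUR");
    try
    {
        String specialCharactersStr = SystemConfig.interceptSpecial;
        if (null != specialCharactersStr && specialCharactersStr.length() != 0)
        {
            Enumeration<String> paramNames = request.getParameterNames();
            while (paramNames.hasMoreElements())
            {
                String paramName = paramNames.nextElement();
                if (matchRegPattern(paramName))
                {
                    writeRejectPage(response, "跨站漏洞检查:请求参数名【" + paramName + "】含有特殊字符【"
                        + specialCharactersStr + "】中的一个或多个!");
                    return; // rejected: do not let the request reach the application
                }
                // getParameter() would only expose the first value; check all of them.
                String[] values = request.getParameterValues(paramName);
                if (values == null)
                {
                    continue;
                }
                for (String value : values)
                {
                    if (matchRegPattern(value))
                    {
                        writeRejectPage(response, "跨站漏洞检查:请求参数值【" + value + "】含有特殊字符【"
                            + specialCharactersStr + "】中的一个或多个!");
                        return;
                    }
                }
            }
        }
        chain.doFilter(req0, res0);
    }
    catch (Exception e)
    {
        // NOTE(review): this also swallows failures thrown by the downstream
        // chain, hiding them from the container; kept because the method
        // signature declares no checked exceptions.
        e.printStackTrace();
    }
}

/**
 * Writes the rejection page and commits the response.
 *
 * @param response target response; content type is set to UTF-8 HTML
 * @param errorMsg human-readable reason, HTML-escaped before it is written
 * @throws java.io.IOException if the response writer cannot be obtained
 */
private static void writeRejectPage(HttpServletResponse response, String errorMsg)
    throws java.io.IOException
{
    response.setContentType("text/html;charset=utf-8");
    PrintWriter out = response.getWriter();
    out.println("<!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 4.01 Transitional//EN\">");
    out.println("<HTML>");
    out.println("  <HEAD><TITLE>恶意攻击提醒</TITLE></HEAD>");
    out.println("  <BODY>");
    out.print("     ");
    out.print(escapeHtml(errorMsg)); // the message embeds attacker-controlled input
    out.println(", ");
    out.println("  </BODY>");
    out.println("</HTML>");
    out.flush();
    out.close();
}

/**
 * Minimal entity escaping for HTML text content: &amp; &lt; &gt; &quot; and
 * the apostrophe are replaced; everything else is copied through.
 *
 * @param s text to escape; null yields the empty string
 * @return the escaped text
 */
private static String escapeHtml(String s)
{
    if (s == null)
    {
        return "";
    }
    StringBuilder sb = new StringBuilder(s.length() + 16);
    for (int i = 0; i < s.length(); i++)
    {
        char c = s.charAt(i);
        switch (c)
        {
            case '&':
                sb.append("&amp;");
                break;
            case '<':
                sb.append("&lt;");
                break;
            case '>':
                sb.append("&gt;");
                break;
            case '"':
                sb.append("&quot;");
                break;
            case '\'':
                sb.append("&#39;");
                break;
            default:
                sb.append(c);
        }
    }
    return sb.toString();
}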


web.xml配置

<!-- Registers the parameter-blacklist filter (the doFilter above) on every URL.
     NOTE(review): a filter-mapping without <dispatcher> elements is applied to
     client REQUEST dispatches only; if the application forwards or includes
     internally and those targets must also be screened, add
     <dispatcher>FORWARD</dispatcher> / <dispatcher>INCLUDE</dispatcher> -
     confirm against the servlet version in use. -->
<filter>
<filter-name>loginfilter</filter-name>
<filter-class>com.ipi.wlan.base.common.FiterHandle</filter-class>
</filter>
<filter-mapping>
<filter-name>loginfilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>

过滤字符:<item name="interceptSpecial" value="{,},>,<,&apos;,;,alert(,alert(," comment="个性化字段过滤"/>
（说明：列表中 alert( 重复出现了两次，可删去一个；&apos; 是否会被配置读取器解码成单引号取决于解析方式，若按字面读取则匹配的是 "&apos;" 这个字符串而不是 ' ，需要确认。另外列表里没有双引号 "，注入到双引号属性中的值无法被拦截；这是一个子串黑名单，只能作为兜底，不能替代页面输出时的上下文编码。）


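    /**
     * Returns true when {@code strTarget} contains any of the comma-separated
     * blacklist entries in {@code SystemConfig.interceptSpecial}.
     *
     * Despite the name this is a plain, case-sensitive substring test; no
     * regular expression is involved. An empty entry - produced by a leading
     * or doubled comma in the configuration - used to match every non-null
     * string because {@code indexOf("")} is 0, effectively blocking all
     * requests; empty entries are now skipped, and a null or empty
     * configuration matches nothing instead of throwing.
     *
     * NOTE(review): the list is re-split on every call; cheap for a short
     * blacklist and it keeps picking up runtime changes to the config.
     *
     * @param strTarget string to scan; null never matches
     * @return true if at least one non-empty blacklist entry occurs in strTarget
     */
    private static boolean matchRegPattern(String strTarget)
    {
        String special = SystemConfig.interceptSpecial;
        if (strTarget == null || special == null || special.length() == 0)
        {
            return false;
        }
        for (String token : special.split(","))
        {
            // skip "" - it would otherwise be found in every string
            if (token.length() > 0 && strTarget.contains(token))
            {
                return true;
            }
        }
        return false;
    }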


转载自thzop.iteye.com/blog/2257381