XSS漏洞解决方案之一：过滤器

一：web.xml文件

<!-- 解决xss漏洞 -->
  <filter>
    <filter-name>xssFilter</filter-name>
     <filter-class>com.baidu.rigel.sandbox.core.filter.XSSFilter</filter-class>
  </filter>

  <!-- 解决xss漏洞 -->
  <filter-mapping>
    <filter-name>xssFilter</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>

二：过滤器:XSSFilter.java

package com.rigel.sandbox.core.filter;

import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;

import com.rigel.sandbox.core.util.XssHttpServletRequestWrapper;

public class XSSFilter implements Filter {

  @Override
  public void init(FilterConfig filterConfig) throws ServletException {
  }

  @Override
  public void doFilter(ServletRequest request, ServletResponse response,
      FilterChain chain) throws IOException, ServletException {

    XssHttpServletRequestWrapper xssRequest = new XssHttpServletRequestWrapper(
        (HttpServletRequest) request);
    chain.doFilter(xssRequest, response);
  }

  @Override
  public void destroy() {
  }

}

三：包装器：XssHttpServletRequestWrapper.java

package com.rigel.sandbox.core.util;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;

public class XssHttpServletRequestWrapper extends HttpServletRequestWrapper {
  HttpServletRequest orgRequest = null;

  public XssHttpServletRequestWrapper(HttpServletRequest request) {
    super(request);
    orgRequest = request;
  }

  /**
   * 覆盖getParameter方法，将参数名和参数值都做xss过滤。<br/>
   * 如果需要获得原始的值，则通过super.getParameterValues(name)来获取<br/>
   * getParameterNames,getParameterValues和getParameterMap也可能需要覆盖
   */
  @Override
  public String getParameter(String name) {
    String value = super.getParameter(xssEncode(name));
    if (value != null) {
      value = xssEncode(value);
    }
    return value;
  }

  /**
   * 覆盖getHeader方法，将参数名和参数值都做xss过滤。<br/>
   * 如果需要获得原始的值，则通过super.getHeaders(name)来获取<br/>
   * getHeaderNames 也可能需要覆盖
   */
  @Override
  public String getHeader(String name) {

    String value = super.getHeader(xssEncode(name));
    if (value != null) {
      value = xssEncode(value);
    }
    return value;
  }

  /**
   * 将容易引起xss漏洞的半角字符直接替换成全角字符
   * 
   * @param s
   * @return
   */
  private static String xssEncode(String s) {
    if (s == null || s.isEmpty()) {
      return s;
    }
    StringBuilder sb = new StringBuilder(s.length() + 16);
    for (int i = 0; i < s.length(); i++) {
      char c = s.charAt(i);
      switch (c) {
      case '>':
        sb.append(">");// 转义大于号
        break;
      case '<':
        sb.append("<");// 转义小于号
        break;
      case '\'':
        sb.append("'");// 转义单引号
        break;
      case '\"':
        sb.append(""");// 转义双引号
        break;
      case '&':
        sb.append("&");// 转义&
        break;
      default:
        sb.append(c);
        break;
      }
    }
    return sb.toString();
  }

  /**
   * 获取最原始的request
   * 
   * @return
   */
  public HttpServletRequest getOrgRequest() {
    return orgRequest;
  }

  /**
   * 获取最原始的request的静态方法
   * 
   * @return
   */
  public static HttpServletRequest getOrgRequest(HttpServletRequest req) {
    if (req instanceof XssHttpServletRequestWrapper) {
      return ((XssHttpServletRequestWrapper) req).getOrgRequest();
    }

    return req;
  }
}