filter过滤请求中参数里含有脚本的部分
<!-- configured in web.xml -->
<!-- filter that rejects requests whose parameters contain script fragments -->
<!-- registers the filter class under the name used by the mapping below -->
<filter>
<filter-name>filtrateRequestParamterFilter</filter-name>
<filter-class>com.cssweb.common.web.filter.FiltrateRequestParamterFilter</filter-class>
</filter>
<!-- applies the filter to every request path in the application -->
<filter-mapping>
<filter-name>filtrateRequestParamterFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
代码:
package com.cssweb.common.web.filter;
import java.io.IOException;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Locale;
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
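/**
 * Servlet filter that rejects a request when any parameter value matches a fixed
 * denylist of script-like or SQL-like fragments. A rejected request is not passed
 * down the chain; its query string is stored in the session under the attribute
 * {@code "url"} and the client is redirected to {@code /commons/bad.jsp}.
 *
 * <p>NOTE(review): the check is a substring denylist. It rejects ordinary text that
 * happens to contain tokens such as {@code "or "}, {@code "and "} or {@code "count "},
 * and it does not replace parameterized SQL ({@code PreparedStatement}) and
 * context-aware output encoding in the code that consumes the values. The filter only
 * reads parameters; it no longer rewrites the container's parameter arrays in place
 * (doubling single quotes), because the Servlet specification only guarantees that the
 * parameter map is immutable, so that write relied on unspecified container behaviour.
 */
public class FiltrateRequestParamterFilter implements Filter {

    /** Opening {@code <script ...>} tag followed by a closing tag; applied to the lower-cased value. */
    private static final Pattern SCRIPT_PATTERN = Pattern.compile("<script.*>.*<\\/script\\s*>");

    /**
     * Substrings that cause rejection, matched against the lower-cased value in the
     * order of the original checks. Some entries overlap (e.g. {@code "script"} covers
     * {@code "javascript"}); they are kept so the accepted/rejected set is unchanged.
     */
    private static final String[] BLOCKED_TOKENS = {
        // script
        "alert",
        "javascript", "script", "expression",
        // sql
        "ascii(", "ascii (", "chr(", "chr (", "%0d", "%0a", "--", "*/",
        "alter ", "create ", "truncate ", "drop ", "lock table", "insert ", "update ",
        "delete ", "select ", "grant ", "and ", "where ", "or ", "document.write ",
        "count ", "exec ", "union", "||", "' || '' || '",
        " where ", " or "
    };

    /** Page a rejected request is redirected to, relative to the context path. */
    private static final String REJECT_PAGE = "/commons/bad.jsp";

    /** Session attribute that receives the rejected request's query string. */
    private static final String REJECTED_URL_ATTRIBUTE = "url";

    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
        // no configuration is read
    }

    @Override
    public void destroy() {
        // nothing to release
    }

    /**
     * Inspects every value of every request parameter. The first suspicious value
     * short-circuits the scan: the request is recorded and redirected and the chain
     * is not invoked. Otherwise the request continues unchanged.
     *
     * @param request  incoming request; cast to {@link HttpServletRequest} only on rejection
     * @param response outgoing response; cast to {@link HttpServletResponse} only on rejection
     * @param chain    remainder of the filter chain
     * @throws IOException      from the redirect or the downstream chain
     * @throws ServletException from the downstream chain
     */
    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        Map<String, String[]> paramMap = request.getParameterMap();
        for (String[] values : paramMap.values()) {
            if (values == null) {
                continue;
            }
            for (String value : values) {
                // values are normally non-null, but a null must not abort the whole request with an NPE
                if (value != null && isSuspicious(value)) {
                    reject((HttpServletRequest) request, (HttpServletResponse) response);
                    return;
                }
            }
        }
        chain.doFilter(request, response);
    }

    /**
     * Returns {@code true} when the value matches the script pattern or contains any
     * denylisted token. Lower-casing uses {@link Locale#ROOT} so the comparison does not
     * depend on the JVM's default locale (e.g. Turkish dotless-i would otherwise let
     * {@code "SCRIPT"} slip past the {@code "script"} token).
     *
     * @param value raw parameter value, not {@code null}
     * @return whether the value should cause the request to be rejected
     */
    static boolean isSuspicious(String value) {
        String lowStr = value.toLowerCase(Locale.ROOT);
        if (SCRIPT_PATTERN.matcher(lowStr).find()) {
            return true;
        }
        for (String token : BLOCKED_TOKENS) {
            if (lowStr.contains(token)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Records the rejected request's query string in the session and redirects the
     * client to the rejection page. The session id is deliberately not written to
     * stdout: it is a bearer credential and does not belong in logs.
     *
     * @param request  the rejected request
     * @param response the response to redirect
     * @throws IOException if the redirect cannot be sent
     */
    private static void reject(HttpServletRequest request, HttpServletResponse response)
            throws IOException {
        request.getSession().setAttribute(REJECTED_URL_ATTRIBUTE, request.getQueryString());
        response.sendRedirect(request.getContextPath() + REJECT_PAGE);
    }
}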