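<!-- Register the Java XSS protection filter (web.xml) -->
<filter>
    <filter-name>xssFilter</filter-name>
    <filter-class>com.vprisk.vpframe.xss.XssFilter</filter-class>
</filter>
<filter-mapping>
    <filter-name>xssFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

/*******************class*************************/

<?xml version="1.0" encoding="UTF-8"?>
<filter>
    <exceptional>
        <url>workflow/procdef/save</url>
        <url>sys/menu/save</url>
        <url>sys/param/save</url>
        <url>meta/</url>
        <url>node_tree.jsp</url>
    </exceptional>
</filter>

/*** Eclipse Class Decompiler plugin, copyright (c) 2016 Chen Chao (cnfree2000@hotmail.com) ***/
package com.vprisk.vpframe.xss;

import com.vprisk.vpframe.xss.XssHttpServletRequestWrapper;
import java.io.IOException;
import java.io.InputStream;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Set;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import org.apache.commons.lang3.StringUtils;
import org.dom4j.Document;
import org.dom4j.Element;
import org.dom4j.io.SAXReader;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/**
 * Servlet filter that wraps every request whose URI is not on the exception list in an
 * {@link XssHttpServletRequestWrapper} before passing it down the chain. The wrapper is
 * defined elsewhere; presumably it sanitises request parameters (confirm there).
 *
 * <p>The exception list consists of one hard-coded entry plus every
 * {@code filter/exceptional/url} element of {@code filter.xml} at the class-path root.
 * Matching is a substring test against the raw request URI, see
 * {@link #hasExceptional(String)}.
 */
public class XssFilter implements Filter {

    /** URI fragments that are exempt from wrapping; filled once in the static initialiser. */
    private static final Set<String> EXCEPTIONALS = new HashSet<String>();

    protected static final Logger logger = LoggerFactory.getLogger(XssFilter.class);

    /**
     * Tag names / markers treated as forbidden. Not referenced by this class itself;
     * presumably consumed by the request wrapper — verify against that class.
     */
    private static final Set<String> FORBIDDEN_TAGS = new HashSet<String>();

    /** Attribute-value fragments treated as forbidden; same remark as {@link #FORBIDDEN_TAGS}. */
    private static final Set<String> FORBIDDEN_ATTRS = new HashSet<String>();

    static {
        FORBIDDEN_TAGS.add("script");
        FORBIDDEN_TAGS.add("embed");
        FORBIDDEN_TAGS.add("object");
        FORBIDDEN_TAGS.add("layer");
        FORBIDDEN_TAGS.add("style");
        FORBIDDEN_TAGS.add("meta");
        FORBIDDEN_TAGS.add("iframe");
        FORBIDDEN_TAGS.add("frame");
        FORBIDDEN_TAGS.add("link");
        FORBIDDEN_TAGS.add("import");
        FORBIDDEN_TAGS.add("xml");
        FORBIDDEN_TAGS.add("<r:");
        FORBIDDEN_TAGS.add("<h:");
        FORBIDDEN_TAGS.add("<w:");
        FORBIDDEN_TAGS.add("<rmp:");

        FORBIDDEN_ATTRS.add("javascript:");
        FORBIDDEN_ATTRS.add("mocha:");
        FORBIDDEN_ATTRS.add("eval");
        FORBIDDEN_ATTRS.add("vbscript:");
        FORBIDDEN_ATTRS.add("livescript:");
        FORBIDDEN_ATTRS.add("expression(");
        FORBIDDEN_ATTRS.add("url(");
        FORBIDDEN_ATTRS.add("&{");
        FORBIDDEN_ATTRS.add("&#");

        EXCEPTIONALS.add("workflow/model/metadata/save");
        loadExceptionalsFromClasspath();
    }

    /**
     * Reads {@code filter.xml} from the class-path root and adds the trimmed text of every
     * {@code filter/exceptional/url} element to {@link #EXCEPTIONALS}.
     *
     * <p>Failures are logged, never propagated: the filter then runs with a shorter
     * (stricter) exception list instead of preventing the class from loading.
     * Blank entries are skipped because {@code requestUri.contains("")} is true for every
     * URI, so a single empty {@code <url/>} element would exempt all requests.
     */
    private static void loadExceptionalsFromClasspath() {
        // Class.getResourceAsStream resolves a leading "/" from the class-path root.
        // The previous ClassLoader.getResourceAsStream("/filter.xml") returns null for
        // that name on the standard JDK loaders (container loaders may differ), which
        // made the read fail and left only the hard-coded entry in EXCEPTIONALS.
        InputStream inputStream = XssFilter.class.getResourceAsStream("/filter.xml");
        if (inputStream == null) {
            logger.warn("filter.xml not found on the class path; only the built-in XSS filter exception applies");
            return;
        }
        try {
            // filter.xml is a bundled class-path resource, not request data.
            Document document = new SAXReader().read(inputStream);
            List<?> urls = document.selectNodes("filter/exceptional/url");
            for (Object node : urls) {
                if (node instanceof Element) {
                    String url = ((Element) node).getTextTrim();
                    if (StringUtils.isNotEmpty(url)) {
                        EXCEPTIONALS.add(url);
                    }
                }
            }
        } catch (Throwable t) {
            // Throwable on purpose: anything escaping the static initialiser would make the
            // class unloadable and take the whole web application down with it.
            logger.error("Failed to load XSS filter exceptions from filter.xml", t);
        } finally {
            try {
                inputStream.close();
            } catch (IOException e) {
                logger.warn("Failed to close filter.xml", e);
            }
        }
    }

    /** No configuration is read from {@code filterConfig}; only logs that the filter started. */
    public void init(FilterConfig filterConfig) throws ServletException {
        logger.debug("XssFilter init");
    }

    /**
     * Passes the request through untouched when its URI matches an exception entry,
     * otherwise hands the chain an {@link XssHttpServletRequestWrapper} around it.
     *
     * @throws ClassCastException if the request is not an HTTP request; the filter is
     *         mapped to {@code /*} in web.xml, so only HTTP requests are expected here
     */
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain filterChain)
            throws IOException, ServletException {
        HttpServletRequest httpRequest = (HttpServletRequest) request;
        if (hasExceptional(httpRequest.getRequestURI())) {
            filterChain.doFilter(request, response);
        } else {
            filterChain.doFilter(new XssHttpServletRequestWrapper(httpRequest), response);
        }
    }

    /** Nothing to release. */
    public void destroy() {
    }

    /**
     * Returns {@code true} when {@code requestUri} contains any entry of {@link #EXCEPTIONALS}.
     * A {@code null} or empty URI is never exempt (the decompiled loop it replaces did not
     * advance its iterator in that case).
     *
     * <p>NOTE(review): this is a plain substring test on the raw, un-normalised request URI,
     * so an entry such as {@code "meta/"} exempts every URI containing it anywhere in the
     * path, not just that resource. Matching the normalised servlet path with
     * {@code equals}/{@code startsWith} would make the exemption much narrower.
     */
    private boolean hasExceptional(String requestUri) {
        if (StringUtils.isEmpty(requestUri)) {
            return false;
        }
        for (String url : EXCEPTIONALS) {
            if (requestUri.contains(url)) {
                return true;
            }
        }
        return false;
    }
}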