xss过滤器中getParameter和getParaterMap不生效问题;

扩展增加脚本攻击的拦截配置;
2019-03-22 18:40:19 +08:00 · 2019-03-22 18:40:19 +08:00 · 5a6c977584
parent 0cec24d90b
commit 5a6c977584
1 changed files with 87 additions and 0 deletions
--- a/ruoyi-common/src/main/java/com/ruoyi/common/xss/XssHttpServletRequestWrapper.java
+++ b/ruoyi-common/src/main/java/com/ruoyi/common/xss/XssHttpServletRequestWrapper.java
@ -5,6 +5,10 @@ import javax.servlet.http.HttpServletRequestWrapper;
 import org.jsoup.Jsoup;
 import org.jsoup.safety.Whitelist;

+import java.util.HashMap;
+import java.util.Iterator;
+import java.util.Map;
+
 /**
 * XSS过滤处理
 * 
@ -32,9 +36,92 @@ public class XssHttpServletRequestWrapper extends HttpServletRequestWrapper
            {
                // 防xss攻击和过滤前后空格
                escapseValues[i] = Jsoup.clean(values[i], Whitelist.relaxed()).trim();
+                //zjj-自定义规则及js脚本注入过滤
+                escapseValues[i] = filterXSS(escapseValues[i]);
            }
            return escapseValues;
        }
        return super.getParameterValues(name);
    }
+
+    /**
+     *@描述  过滤getParameter中xss攻击
+     *@参数  [name]
+     *@返回值  java.lang.String[]
+     *@创建人  zhangjingjing
+     *@创建时间  2019/3/22
+     *@修改人和其它信息
+     */
+    public String getParameter(String parameter) {
+        String value = super.getParameter(parameter);
+        if (value == null) {
+            return null;
+        }
+        String result = Jsoup.clean(value, Whitelist.relaxed()).trim();
+        //zjj-自定义规则及js脚本注入过滤
+        result = filterXSS(result);
+        return result;
+
+    }
+    /**
+     *@描述  过滤getParameterMap中xss攻击
+     *@参数  [name]
+     *@返回值  java.lang.String[]
+     *@创建人  zhangjingjing
+     *@创建时间  2019/3/22
+     *@修改人和其它信息
+     */
+    public Map<String, String[]> getParameterMap() {
+        Map properties = super.getParameterMap();
+        Map returnMap = new HashMap();
+        Iterator entries = properties.entrySet().iterator();
+        Map.Entry entry;
+        String name;
+        while (entries.hasNext()) {
+            entry = (Map.Entry) entries.next();
+            name = (String) entry.getKey();
+            Object valueObj = entry.getValue();
+            if(null == valueObj){
+                returnMap.put(name, "");
+            }else if(valueObj instanceof String[]){
+                String[] values = (String[]) valueObj;
+                int length = values.length;
+                String[] escapseValues = new String[length];
+                for (int i = 0; i < length; i++)
+                {
+                    // 防xss攻击和过滤前后空格
+                    String pValue = values[i];
+                    //System.out.println("当前map-xss过滤前参数值:"+pValue);
+                    //zjj-jsoup过滤html标签
+                    escapseValues[i] = Jsoup.clean(pValue, Whitelist.relaxed()).trim();
+                    //zjj-自定义规则及js脚本注入过滤
+                    escapseValues[i] = filterXSS(escapseValues[i]);
+                    //System.out.println("当前map-xss过滤后参数值:"+escapseValues[i]);
+                }
+                returnMap.put(name, escapseValues);
+            }else{
+                String value = valueObj.toString();
+                if (value == null) {
+                    return null;
+                }
+                String result = Jsoup.clean(value, Whitelist.relaxed()).trim();
+                //zjj-自定义规则及js脚本注入过滤
+                result = filterXSS(result);
+                returnMap.put(name, result);
+            }
+        }
+        return returnMap;
+    }
+
+
+    private String filterXSS(String value) {
+        value = value.replaceAll("<", "& lt;").replaceAll(">", "& gt;");
+        value = value.replaceAll("\\(", "& #40;").replaceAll("\\)", "& #41;");
+        value = value.replaceAll("'", "& #39;");
+        value = value.replaceAll("eval\\((.*)\\)", "");
+        value = value.replaceAll("[\\\"\\\'][\\s]*javascript:(.*)[\\\"\\\']", "\"\"");
+        value = value.replaceAll("script", "");
+        return value;
+    }
+
 }