添加防止跨站攻击的xssfilter

src/main/java/com/stylefeng/guns/core/util/xss/XssFilter.java

+package com.stylefeng.guns.core.util.xss;
+
+
+import javax.servlet.*;
+import javax.servlet.http.HttpServletRequest;
+import java.io.IOException;
+
+
+public class XssFilter implements Filter {
+
+    FilterConfig filterConfig = null;
+
+
+    public void init(FilterConfig filterConfig) throws ServletException {
+
+        this.filterConfig = filterConfig;
+
+    }
+
+
+    public void destroy() {
+
+        this.filterConfig = null;
+
+    }
+
+
+    public void doFilter(ServletRequest request, ServletResponse response,
+
+                         FilterChain chain) throws IOException, ServletException {
+
+        chain.doFilter(new XssHttpServletRequestWrapper(
+
+                (HttpServletRequest) request), response);
+
+    }
+
+}
\ No newline at end of file

src/main/java/com/stylefeng/guns/core/util/xss/XssHttpServletRequestWrapper.java

+package com.stylefeng.guns.core.util.xss;
+
+
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletRequestWrapper;
+
+
+public class XssHttpServletRequestWrapper extends HttpServletRequestWrapper {
+
+    public XssHttpServletRequestWrapper(HttpServletRequest servletRequest) {
+
+        super(servletRequest);
+
+    }
+
+    public String[] getParameterValues(String parameter) {
+
+        String[] values = super.getParameterValues(parameter);
+
+        if (values == null) {
+
+            return null;
+
+        }
+
+        int count = values.length;
+
+        String[] encodedValues = new String[count];
+
+        for (int i = 0; i < count; i++) {
+
+            encodedValues[i] = cleanXSS(values[i]);
+
+        }
+
+        return encodedValues;
+
+    }
+
+    public String getParameter(String parameter) {
+
+        String value = super.getParameter(parameter);
+
+        if (value == null) {
+
+            return null;
+
+        }
+
+        return cleanXSS(value);
+
+    }
+
+    public String getHeader(String name) {
+
+        String value = super.getHeader(name);
+
+        if (value == null)
+
+            return null;
+
+        return cleanXSS(value);
+
+    }
+
+    private String cleanXSS(String value) {
+
+        //You'll need to remove the spaces from the html entities below
+
+        value = value.replaceAll("<", "& lt;").replaceAll(">", "& gt;");
+
+        value = value.replaceAll("\\(", "& #40;").replaceAll("\\)", "& #41;");
+
+        value = value.replaceAll("'", "& #39;");
+
+        value = value.replaceAll("eval\\((.*)\\)", "");
+
+        value = value.replaceAll("[\\\"\\\'][\\s]*javascript:(.*)[\\\"\\\']", "\"\"");
+
+        value = value.replaceAll("script", "");
+
+        return value;
+
+    }
+
+
+}
\ No newline at end of file

src/main/java/project/config/web/WebAppInitializer.java

@@ -2,6 +2,7 @@ package project.config.web;
 
 
 import com.alibaba.druid.support.http.StatViewServlet;
 import com.alibaba.druid.support.http.StatViewServlet;
 import com.stylefeng.guns.core.listener.ConfigListener;
 import com.stylefeng.guns.core.listener.ConfigListener;
+import com.stylefeng.guns.core.util.xss.XssFilter;
 import project.config.root.RootSpringConfig;
 import project.config.root.RootSpringConfig;
 import org.springframework.web.context.request.RequestContextListener;
 import org.springframework.web.context.request.RequestContextListener;
 import org.springframework.web.filter.CharacterEncodingFilter;
 import org.springframework.web.filter.CharacterEncodingFilter;
@@ -10,6 +11,7 @@ import org.springframework.web.servlet.support.AbstractAnnotationConfigDispatche
 
 
 import javax.servlet.*;
 import javax.servlet.*;
 import javax.servlet.ServletRegistration.Dynamic;
 import javax.servlet.ServletRegistration.Dynamic;
+import java.util.EnumSet;
 
 
 /**
 /**
  * tomcat启动初始化整个应用的类（代替了web.xml）
  * tomcat启动初始化整个应用的类（代替了web.xml）
@@ -69,6 +71,11 @@ public class WebAppInitializer extends AbstractAnnotationConfigDispatcherServlet
         servletContext.addListener(RequestContextListener.class);
         servletContext.addListener(RequestContextListener.class);
         servletContext.addListener(ConfigListener.class);
         servletContext.addListener(ConfigListener.class);
 
 
+        //防止xss攻击的filter
+        FilterRegistration.Dynamic xssFilter = servletContext.addFilter("xssSqlFilter",
+                new XssFilter());
+        xssFilter.addMappingForUrlPatterns(EnumSet.of(DispatcherType.REQUEST), false, "/*");
+
         super.onStartup(servletContext);
         super.onStartup(servletContext);
     }
     }