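/**
 * Regex blacklist used by {@link SafeParameterRequest} to strip a handful of
 * script-like fragments from request parameter values.
 *
 * <p>This is a blacklist: only the fragments matched by {@link #RULES} are removed,
 * so it does not replace context-aware output encoding at the point of rendering.
 * Stripping is repeated until the value stops changing, so a fragment that is
 * re-formed by an earlier removal is removed as well (a single pass was not).
 *
 * <p>NOTE(review): the regex literals were recovered from a paste whose backslash
 * escapes were mangled (e.g. {@code //s*}); they are reconstructed here as
 * {@code \\s*} and escaped quotes — confirm against the original file.
 */
public class SafeCheck {

    /** Fragments removed from every value; matching is case-insensitive (ASCII only). */
    private static final Pattern[] RULES = {
        Pattern.compile("javascript:(.*)[\"']", Pattern.CASE_INSENSITIVE),
        Pattern.compile("(<mce:script type=\"text/javascript\"><!-- | // --></mce:script>)+",
                Pattern.CASE_INSENSITIVE),
        Pattern.compile("\\s*(img|iframe|src)+\\s*", Pattern.CASE_INSENSITIVE),
        Pattern.compile("alert", Pattern.CASE_INSENSITIVE),
    };

    /**
     * Every rule replaces its match with the empty string. The fixed-point loop in
     * {@link #getSafeStr} relies on this: each pass that changes the value strictly
     * shortens it, so the loop terminates.
     */
    private static final String REPLACEMENT = "";

    /**
     * Removes every blacklisted fragment from {@code plainText}, repeating until no rule
     * matches any more.
     *
     * @param plainText the raw parameter value, may be {@code null}
     * @return the stripped value, or {@code null} when {@code plainText} is {@code null}
     */
    public static String getSafeStr(String plainText) {
        if (plainText == null) {
            return null;
        }
        String current = plainText;
        String previous;
        do {
            previous = current;
            for (Pattern rule : RULES) {
                current = replaceSpecialChar(current, rule, REPLACEMENT);
            }
        } while (!current.equals(previous));
        return current;
    }

    /**
     * Applies one rule to {@code param}.
     *
     * @param param the value to filter
     * @param rule the compiled pattern to apply
     * @param replacement text substituted for each match
     * @return {@code param} with every match replaced; unchanged when nothing matches
     */
    private static String replaceSpecialChar(String param, Pattern rule, String replacement) {
        // replaceAll returns the input unchanged when there is no match, so no
        // separate find() check is needed.
        return rule.matcher(param).replaceAll(replacement);
    }
}

/**
 * Request wrapper that passes every parameter value through {@link SafeCheck#getSafeStr}.
 *
 * <p>Only the three parameter accessors are wrapped; headers, cookies, the query string
 * and the request body are handed through unchanged.
 */
public class SafeParameterRequest extends HttpServletRequestWrapper {

    /**
     * @param request the request to wrap
     */
    public SafeParameterRequest(HttpServletRequest request) {
        super(request);
    }

    /** {@inheritDoc} The value is stripped; {@code null} stays {@code null}. */
    @Override
    public String getParameter(String name) {
        return SafeCheck.getSafeStr(super.getParameter(name));
    }

    /** {@inheritDoc} Built from {@link #getParameterValues}, so every value is stripped. */
    @Override
    public Map<String, String[]> getParameterMap() {
        Map<String, String[]> parameterMap = new LinkedHashMap<String, String[]>();
        Enumeration<String> names = super.getParameterNames();
        while (names.hasMoreElements()) {
            String name = names.nextElement();
            parameterMap.put(name, getParameterValues(name));
        }
        return parameterMap;
    }

    /**
     * {@inheritDoc} Returns a stripped copy; the wrapped request's array is not modified.
     * An absent parameter yields {@code null} per the servlet contract instead of an NPE
     * on {@code clone()}.
     */
    @Override
    public String[] getParameterValues(String name) {
        String[] raw = super.getParameterValues(name);
        if (raw == null) {
            return null;
        }
        String[] values = raw.clone();
        for (int i = 0; i < values.length; i++) {
            values[i] = SafeCheck.getSafeStr(values[i]);
        }
        return values;
    }
}

/**
 * Servlet filter that wraps each request in {@link SafeParameterRequest} unless the
 * servlet path starts with one of the prefixes configured under the
 * {@code SafeCheck} node's comma-separated {@code NoSaftUrl} value.
 */
public class SafeFilter implements Filter {

    /**
     * Servlet-path prefixes that bypass filtering. {@code null} (no usable config) means
     * every request is filtered. Blank entries are dropped: {@code "".split(",")} yields
     * {@code [""]} and every path starts with {@code ""}, which would disable the filter.
     */
    private String[] noSaftUrl;

    @Override
    public void destroy() {
    }

    /**
     * Forwards the request as-is when its servlet path matches an exempt prefix,
     * otherwise forwards it wrapped so parameter reads are stripped.
     */
    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse resp = (HttpServletResponse) response;
        String urlSuffix = req.getServletPath();
        if (doNothingOrFiltrate(urlSuffix)) {
            chain.doFilter(req, resp);
        } else {
            HttpServletRequestWrapper wrap = new SafeParameterRequest(req);
            chain.doFilter(wrap, resp);
        }
    }

    @Override
    public void init(FilterConfig arg0) throws ServletException {
        reFlushParameters();
    }

    /**
     * Reloads the exempt-prefix list from {@code ReadAppConfig}. Missing or non-string
     * config leaves {@link #noSaftUrl} {@code null}, i.e. everything is filtered.
     */
    private void reFlushParameters() {
        HashMap<?, ?> hm = ReadAppConfig.getNodeInfo("SafeCheck");
        Object configured = hm == null ? null : hm.get("NoSaftUrl");
        if (!(configured instanceof String)) {
            noSaftUrl = null;
            return;
        }
        String[] parts = ((String) configured).split(",");
        int count = 0;
        for (String part : parts) {
            if (!part.trim().isEmpty()) {
                count++;
            }
        }
        String[] prefixes = new String[count];
        int next = 0;
        for (String part : parts) {
            String prefix = part.trim();
            if (!prefix.isEmpty()) {
                prefixes[next++] = prefix;
            }
        }
        noSaftUrl = prefixes;
    }

    /**
     * Decides whether the request bypasses filtering. The check is a plain prefix match,
     * so an entry {@code /a} also exempts {@code /ab}.
     *
     * @param url the servlet path of the current request
     * @return true: no filtering needed; false: apply the filter
     */
    private boolean doNothingOrFiltrate(String url) {
        if (url == null || noSaftUrl == null) {
            return false;
        }
        for (String prefix : noSaftUrl) {
            if (url.startsWith(prefix)) {
                return true;
            }
        }
        return false;
    }
}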