servlet request.setParameters 方法 自创 修改

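 /**
     * Adds (or replaces) one entry in the parameter map of the wrapped request.
     * <p>
     * The entry is stored as a plain {@code String}, not as the {@code String[]}
     * the servlet API uses for parameter values, and it is not passed through any
     * filtering, so only pass values the application itself controls.
     * {@code getRequest().getParameterMap()} is the map of the wrapped request,
     * which servlet containers typically hand out as an unmodifiable map; when
     * the container rejects the put, the failure is logged and swallowed, so the
     * caller cannot tell whether the value was stored.
     * NOTE(review): if this method is placed inside a request wrapper that
     * overrides {@code getParameterMap()} with its own mutable copy, that override
     * (not {@code getRequest().getParameterMap()}) looks like the intended target;
     * confirm before relying on this method.
     *
     * @param key parameter name
     * @param val parameter value, stored unfiltered
     */
    @SuppressWarnings({"rawtypes", "unchecked"})
    public void setParameters(String key, String val) {
        Map m = getRequest().getParameterMap();
        try {
            m.put(key, val);
        } catch (RuntimeException e) {
            // Map.put only throws unchecked exceptions; an unmodifiable map rejects
            // the write with UnsupportedOperationException or IllegalStateException.
            log.error(e.getMessage(), e);
        }
    }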

 

 

package com.dep.aop;

import java.util.HashMap;
import java.util.Iterator;
import java.util.Map;
import java.util.Set;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;

import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

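/**
 * Request wrapper that neutralises characters commonly used in XSS payloads
 * (and a few SQL comment/delimiter characters) by replacing them with their
 * fullwidth counterparts in parameter values, the parameter map and header
 * values read through the wrapper.
 * <p>
 * The unfiltered request stays reachable through {@link #getOrgRequest()} or
 * {@code super.getParameterValues(name)}. {@code getParameterNames},
 * {@code getHeaders} and {@code getHeaderNames} are not overridden and return
 * raw data.
 * <p>
 * Not thread-safe: the filtered parameter map is built lazily and cached in
 * {@link #newParams} without synchronisation.
 *
 * @author wb_zypt
 */
public class XssHttpServletRequestWrapper extends HttpServletRequestWrapper {
	/** The request handed to the constructor, before any filtering. */
	final HttpServletRequest orgRequest;
	/** Lazily built copy of the parameter map with filtered values; null until first use. */
	Map<String, Object> newParams = null;
	private static final Logger log = LoggerFactory.getLogger(XssHttpServletRequestWrapper.class);

	/**
	 * Wraps {@code request}; nothing is filtered until a getter is called.
	 *
	 * @param request the request to wrap
	 */
	public XssHttpServletRequestWrapper(HttpServletRequest request) {
		super(request);
		orgRequest = request;
	}

	/**
	 * Returns the filtered value of parameter {@code name}.
	 * <p>
	 * The lookup uses the caller's name unchanged: filtering the name would, for
	 * example, turn a '-' in it into its fullwidth form so the parameter could
	 * never be found. When the wrapped request has no such parameter, the cached
	 * map from {@link #getParameterMap()} is consulted; it may hold entries that
	 * other code put into it after wrapping, either as a {@code String} or a
	 * {@code String[]}. Values copied from the wrapped request are already
	 * filtered; entries added by other code are returned exactly as stored.
	 *
	 * @param name parameter name
	 * @return the filtered value, or null if no such parameter exists
	 */
	@Override
	public String getParameter(String name) {
		String value = super.getParameter(name);
		if (value != null) {
			return xssEncode(value);
		}
		Object cached = getParameterMap().get(name);
		if (cached instanceof String) {
			return (String) cached;
		}
		if (cached instanceof String[]) {
			// instanceof is null-safe; the original cast to String failed on arrays.
			String[] values = (String[]) cached;
			return values.length > 0 ? values[0] : null;
		}
		return null;
	}

	/**
	 * Returns a copy of the wrapped request's parameter map in which every
	 * {@code String} and {@code String[]} value has been filtered; other value
	 * types are copied unchanged.
	 * <p>
	 * The copy is built on first call and cached in {@link #newParams}; the same
	 * mutable {@link HashMap} instance is returned on every call, so entries put
	 * into it by callers persist for the lifetime of this wrapper. Such entries
	 * bypass the filter.
	 *
	 * @return the cached, mutable, filtered parameter map (never null)
	 */
	@Override
	@SuppressWarnings({"rawtypes", "unchecked"})
	public Map getParameterMap() {
		if (newParams != null) {
			return newParams;
		}
		Map<String, Object> filtered = new HashMap<String, Object>();
		// Declared as Map<?, ?> so this compiles against both the raw (2.5) and
		// the Map<String, String[]> (3.0+) signature of the servlet API.
		Map<?, ?> params = super.getParameterMap();
		for (Map.Entry<?, ?> entry : params.entrySet()) {
			String key = (String) entry.getKey();
			Object obj = entry.getValue();
			if (obj instanceof String) {
				filtered.put(key, xssEncode((String) obj));
			} else if (obj instanceof String[]) {
				// instanceof is null-safe, unlike comparing obj.getClass().
				filtered.put(key, xssEncode((String[]) obj));
			} else {
				filtered.put(key, obj);
			}
		}
		newParams = filtered;
		return newParams;
	}

	/**
	 * Returns the filtered values of parameter {@code parameter}, or null when
	 * the wrapped request has no such parameter.
	 *
	 * @param parameter parameter name, used unchanged for the lookup
	 * @return a new array of filtered values, or null
	 */
	@Override
	public String[] getParameterValues(String parameter) {
		return xssEncode(super.getParameterValues(parameter));
	}

	/**
	 * Returns the filtered value of header {@code name}.
	 * <p>
	 * The header is looked up under the caller's name unchanged: filtering the
	 * name would replace the '-' of hyphenated header names with its fullwidth
	 * form, so those headers could never be retrieved. The raw value remains
	 * available via {@code super.getHeader(name)} or {@code super.getHeaders(name)}.
	 *
	 * @param name header name
	 * @return the filtered header value, or null if the header is absent
	 */
	@Override
	public String getHeader(String name) {
		return xssEncode(super.getHeader(name));
	}

	/**
	 * Applies {@link #xssEncode(String)} to every element.
	 *
	 * @param s array to filter; may be null
	 * @return a new array of filtered elements, or null if {@code s} is null
	 */
	private static String[] xssEncode(String[] s) {
		if (s == null) {
			return null;
		}
		String[] out = new String[s.length];
		for (int i = 0; i < s.length; i++) {
			out[i] = xssEncode(s[i]);
		}
		return out;
	}

	/**
	 * Replaces characters that commonly appear in XSS and SQL comment/delimiter
	 * payloads with their fullwidth (or typographic quote) counterparts, so they
	 * are no longer interpreted as markup or delimiters but remain readable.
	 * <p>
	 * The replacement characters are written as Unicode escapes: a copy/paste or
	 * editor that normalises fullwidth characters back to ASCII would otherwise
	 * silently turn this filter into a no-op (and the backslash case into a
	 * syntax error).
	 * <p>
	 * Caveats for maintainers: this is a blanket character substitution, not
	 * context-aware output encoding, so it does not make a value safe for every
	 * sink (attribute, URL or script contexts still need escaping at the point of
	 * output); and replacing '-' and ';' alters legitimate input such as dates,
	 * negative numbers or e-mail-style values.
	 *
	 * @param s text to filter; null and the empty string are returned unchanged
	 * @return the filtered text
	 */
	private static String xssEncode(String s) {
		if (s == null || s.isEmpty()) {
			return s;
		}
		StringBuilder sb = new StringBuilder(s.length() + 16);
		for (int i = 0; i < s.length(); i++) {
			char c = s.charAt(i);
			switch (c) {
			case '>':
				sb.append('\uFF1E'); // fullwidth greater-than sign
				break;
			case '<':
				sb.append('\uFF1C'); // fullwidth less-than sign
				break;
			case '\'':
				sb.append('\u2018'); // left single quotation mark
				break;
			case '"':
				sb.append('\u201C'); // left double quotation mark
				break;
			case '&':
				sb.append('\uFF06'); // fullwidth ampersand
				break;
			case '\\':
				sb.append('\uFF3C'); // fullwidth reverse solidus (backslash)
				break;
			case '#':
				sb.append('\uFF03'); // fullwidth number sign
				break;
			case '-':
				sb.append('\uFF0D'); // fullwidth hyphen-minus
				break;
			case ';':
				sb.append('\uFF1B'); // fullwidth semicolon
				break;
			default:
				sb.append(c);
				break;
			}
		}
		return sb.toString();
	}

	/**
	 * Returns the request passed to the constructor, bypassing all filtering.
	 *
	 * @return the unwrapped, unfiltered request
	 */
	public HttpServletRequest getOrgRequest() {
		return orgRequest;
	}

	/**
	 * Unwraps {@code req} if it is an instance of this class; otherwise returns
	 * it unchanged. Only one level of wrapping is removed.
	 *
	 * @param req a request, possibly wrapped by this class
	 * @return the underlying unfiltered request, or {@code req} itself
	 */
	public static HttpServletRequest getOrgRequest(HttpServletRequest req) {
		if (req instanceof XssHttpServletRequestWrapper) {
			return ((XssHttpServletRequestWrapper) req).getOrgRequest();
		}
		return req;
	}

}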

 

 
