/**
 * Stores {@code val} under {@code key} in the current request's parameter map.
 *
 * <p>The Servlet API declares {@code getParameterMap()} as an immutable
 * {@code Map<String, String[]>}; this method deliberately stores a plain
 * {@code String} through a raw {@code Map}, which only succeeds when the request
 * is a wrapper that hands out a mutable map (e.g. a {@code HashMap} copy). If the
 * put fails it is logged and otherwise ignored, so the caller cannot tell whether
 * the parameter was actually set. Values stored this way are not passed through
 * any filtering.
 *
 * @param key parameter name
 * @param val parameter value
 */
@SuppressWarnings({"rawtypes", "unchecked"})
public void setParameters(String key, String val) {
    Map params = getRequest().getParameterMap();
    try {
        params.put(key, val);
    } catch (Exception ex) {
        // Best effort: a read-only parameter map is reported, not propagated.
        log.error(ex.getMessage(), ex);
    }
}
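package com.dep.aop;

import java.util.HashMap;
import java.util.Iterator;
import java.util.Map;
import java.util.Set;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;

import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/**
 * Request wrapper that rewrites a fixed set of ASCII characters
 * ({@code > < ' " & \ # - ;}) in parameter and header values to their
 * full-width counterparts before the application sees them.
 *
 * <p>This is a character-substitution filter, not context-aware output
 * encoding: it alters the data itself (a hyphenated date or negative number is
 * changed too), and it does not replace HTML/attribute encoding in views or
 * {@code PreparedStatement} parameters for SQL. Unfiltered values remain
 * reachable through {@code super.getParameterValues(name)} and
 * {@link #getOrgRequest()}.
 *
 * <p>Only {@code getParameter}, {@code getParameterValues}, {@code getParameterMap}
 * and {@code getHeader} are overridden; {@code getParameterNames},
 * {@code getHeaderNames} and {@code getHeaders} return the container's values
 * unchanged.
 *
 * <p>{@link #getParameterMap()} returns a mutable {@link HashMap} copy built on
 * first access and cached for the life of the wrapper, so entries added to it by
 * callers persist and are returned by {@link #getParameter(String)} as stored,
 * without filtering. The cache is not synchronized.
 *
 * @author wb_zypt
 */
public class XssHttpServletRequestWrapper extends HttpServletRequestWrapper {

    private static final Logger log = LoggerFactory.getLogger(XssHttpServletRequestWrapper.class);

    /** The request as passed to the constructor, before any filtering. */
    HttpServletRequest orgRequest = null;

    /** Lazily built, cached copy of the parameter map holding filtered values. */
    Map<String, Object> newParams = null;

    /**
     * Wraps {@code request}; the original is kept so it can be retrieved through
     * {@link #getOrgRequest()}.
     *
     * @param request the request to wrap
     */
    public XssHttpServletRequestWrapper(HttpServletRequest request) {
        super(request);
        orgRequest = request;
    }

    /**
     * Returns the filtered value of the parameter {@code name}.
     *
     * <p>The name is used as-is for the container lookup: it is chosen by
     * application code, not by the client, and filtering it would turn any name
     * containing {@code -}, {@code #} or {@code ;} into a miss. Only the value is
     * filtered. When the container has no such parameter, the cached map from
     * {@link #getParameterMap()} is consulted so that values added by callers are
     * visible; a {@code String[]} entry there yields its first element (already
     * filtered when the map was built).
     *
     * @param name the parameter name
     * @return the filtered value, or {@code null} if the parameter is absent
     */
    @Override
    public String getParameter(String name) {
        String value = super.getParameter(name);
        if (value != null) {
            return xssEncode(value);
        }
        Object cached = getParameterMap().get(name);
        if (cached instanceof String) {
            // Added by a caller through the mutable map; returned as stored.
            return (String) cached;
        }
        if (cached instanceof String[]) {
            String[] values = (String[]) cached;
            return values.length > 0 ? values[0] : null;
        }
        return null;
    }

    /**
     * Returns a cached, mutable copy of the container's parameter map in which
     * every {@code String} or {@code String[]} value has been filtered.
     *
     * <p>The copy is built on the first call and then reused, so modifications
     * made by callers persist for the life of this wrapper. Values of any other
     * type (including {@code null}) are copied unchanged. The cache field is only
     * assigned once the copy is complete, so a failure while copying does not
     * leave a partial map behind.
     *
     * @return the cached parameter map, never {@code null}
     */
    @Override
    @SuppressWarnings({"rawtypes", "unchecked"})
    public Map getParameterMap() {
        if (newParams != null) {
            return newParams;
        }
        Map<String, Object> filtered = new HashMap<String, Object>();
        Map<?, ?> params = super.getParameterMap();
        for (Map.Entry<?, ?> entry : params.entrySet()) {
            String key = (String) entry.getKey();
            Object obj = entry.getValue();
            if (obj instanceof String) {
                filtered.put(key, xssEncode((String) obj));
            } else if (obj instanceof String[]) {
                filtered.put(key, xssEncode((String[]) obj));
            } else {
                // Unexpected type or null: keep it rather than fail the request.
                filtered.put(key, obj);
            }
        }
        newParams = filtered;
        return newParams;
    }

    /**
     * Returns the filtered values of the parameter {@code parameter}.
     *
     * <p>The lookup goes straight to the container, so parameters added to the
     * cached map by callers are not visible here.
     *
     * @param parameter the parameter name
     * @return a new array of filtered values, or {@code null} if absent
     */
    @Override
    public String[] getParameterValues(String parameter) {
        String[] values = super.getParameterValues(parameter);
        return values == null ? null : xssEncode(values);
    }

    /**
     * Returns the filtered value of the header {@code name}.
     *
     * <p>The header name is used as-is for the lookup: filtering it would rewrite
     * the {@code -} in names such as {@code Content-Type} or {@code User-Agent}
     * and make every such lookup return {@code null}. Only the value is filtered;
     * {@code super.getHeaders(name)} still exposes the raw value.
     *
     * @param name the header name
     * @return the filtered header value, or {@code null} if absent
     */
    @Override
    public String getHeader(String name) {
        String value = super.getHeader(name);
        return value == null ? null : xssEncode(value);
    }

    /**
     * Applies {@link #xssEncode(String)} to every element of {@code s}.
     *
     * @param s the values to filter; must not be {@code null}
     * @return a new array of the same length with each element filtered
     */
    private static String[] xssEncode(String[] s) {
        String[] out = new String[s.length];
        for (int i = 0; i < s.length; i++) {
            out[i] = xssEncode(s[i]);
        }
        return out;
    }

    /**
     * Replaces each of {@code > < ' " & \ # - ;} with a full-width (or curly
     * quote) counterpart so that the result cannot close tags, attributes or
     * quoted strings when echoed unescaped. All other characters, including
     * other Unicode look-alikes, pass through unchanged.
     *
     * @param s the text to filter; {@code null} and {@code ""} are returned as-is
     * @return the filtered text
     */
    private static String xssEncode(String s) {
        if (s == null || "".equals(s)) {
            return s;
        }
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '>':
                    sb.append('>'); // full-width greater-than
                    break;
                case '<':
                    sb.append('<'); // full-width less-than
                    break;
                case '\'':
                    sb.append('‘'); // left single quotation mark
                    break;
                case '\"':
                    sb.append('“'); // left double quotation mark
                    break;
                case '&':
                    sb.append('&'); // full-width ampersand
                    break;
                case '\\':
                    sb.append('\'); // full-width reverse solidus
                    break;
                case '#':
                    sb.append('#'); // full-width number sign
                    break;
                case '-':
                    sb.append('-'); // full-width hyphen-minus
                    break;
                case ';':
                    sb.append(';'); // full-width semicolon
                    break;
                default:
                    sb.append(c);
                    break;
            }
        }
        return sb.toString();
    }

    /**
     * Returns the request this wrapper was constructed with, with no filtering
     * applied.
     *
     * @return the original request
     */
    public HttpServletRequest getOrgRequest() {
        return orgRequest;
    }

    /**
     * Unwraps {@code req} if it is an {@code XssHttpServletRequestWrapper}.
     *
     * @param req a possibly wrapped request
     * @return the original request when wrapped by this class, else {@code req}
     */
    public static HttpServletRequest getOrgRequest(HttpServletRequest req) {
        if (req instanceof XssHttpServletRequestWrapper) {
            return ((XssHttpServletRequestWrapper) req).getOrgRequest();
        }
        return req;
    }
}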