如何在java过滤器中更改servlet请求主体?
如何更改java筛选器中的请求正文以防止XSS攻击?(如何在java过滤器中更改servlet请求主体?),java,servlets,xss,servlet-filters,Java,Servlets,Xss,Servlet Filters,如何更改java筛选器中的请求正文以防止XSS攻击? 我构建了HttpServletRequestWrapper,并使用getParameter来更改请求主体,但是得到了“流已关闭”(stream closed)异常。XSSFilter.java java java 由于我没有足够的声誉来添加评论,我将把它作为一个答案添加。三年后,我找到了被采纳的答案,它节省了我的时间。同时,我还必须解决一些问题,因此补充如下: (1) 错误(缺少对rawData的赋值) (2) 随着时间推移需要的改动。参考: 实际上不起作用。过滤器已被调用,但主体仍然是
XSS
攻击?
我构建了HttpServletRequestWrapper,并使用getParameter来更改请求主体,但是得到了“流已关闭”(stream closed)异常。XSSFilter.java
java
java
由于我没有足够的声誉来添加评论,我将添加它作为一个答案。三年后,我找到了公认的答案,节省了我的时间。同时,我还必须解决一些问题,并因此添加 (1) 错误(缺少对rawData的赋值) (2) 随着时间的推移,需要改变。参考:
实际上不起作用。过滤器已被调用,但主体仍然是原始的;getInputStream和getReader方法尚未被调用。欢迎来到StackOverflow!请慢慢来,阅读帮助部分。“因为我没有足够的声誉来添加评论”——这不是悲剧,声誉会随之而来。记住古老的格言:“多潜水,少发言”。
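public class XSSFilter implements Filter {
    // Servlet filter that HTML-escapes the string values of a JSON request body
    // before the request reaches the servlet. The body is re-buffered in an
    // XSSRequestWrapper so it can be read here and again by the servlet.
    //
    // NOTE(review): escaping on input changes the stored data; output encoding
    // at the rendering layer remains the primary XSS control.

    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
        // No configuration is read.
    }

    @Override
    public void destroy() {
        // Nothing to release.
    }

    /**
     * Buffers the request body, escapes the string values of its JSON content
     * (recursing into nested objects) and forwards the wrapped request down
     * the chain.
     *
     * @throws IOException      if the body cannot be read
     * @throws ServletException propagated from the rest of the chain
     */
    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        XSSRequestWrapper wrappedRequest = new XSSRequestWrapper((HttpServletRequest) request);
        String body = IOUtils.toString(wrappedRequest.getReader());
        if (!"".equals(body)) {
            // A non-JSON body makes the JSONObject constructor throw an unchecked
            // JSONException; this filter only expects JSON bodies.
            JSONObject oldJsonObject = new JSONObject(body);
            JSONObject newJsonObject = new JSONObject();
            for (String key : oldJsonObject.keySet()) {
                newJsonObject.put(key, sanitize(oldJsonObject.get(key)));
            }
            // Encode explicitly as UTF-8 so the re-written body does not depend on
            // the JVM's platform default charset.
            wrappedRequest.resetInputStream(
                    newJsonObject.toString().getBytes(java.nio.charset.StandardCharsets.UTF_8));
        }
        chain.doFilter(wrappedRequest, response);
    }

    /**
     * Escapes a JSON value: strings are escaped directly, nested objects are
     * escaped member by member (instead of being flattened to one escaped
     * string, which would corrupt them), and any other value keeps the original
     * behaviour of being escaped as its string form.
     *
     * @param value a value obtained from {@link JSONObject#get(String)}
     * @return the escaped replacement value
     */
    private static Object sanitize(Object value) {
        if (value instanceof String) {
            return XSSUtils.stripXSS((String) value);
        }
        if (value instanceof JSONObject) {
            JSONObject source = (JSONObject) value;
            JSONObject escaped = new JSONObject();
            for (String key : source.keySet()) {
                escaped.put(key, sanitize(source.get(key)));
            }
            return escaped;
        }
        return XSSUtils.stripXSS(value.toString());
    }
}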
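public class XSSRequestWrapper extends HttpServletRequestWrapper {
    // Buffers the request body so it can be read more than once and replaced
    // via resetInputStream(). The buffer is held as UTF-8 bytes and decoded as
    // UTF-8 by getReader(), so callers of resetInputStream() should pass UTF-8.
    private byte[] rawData;
    private HttpServletRequest request;
    private ResettableServletInputStream servletStream;

    public XSSRequestWrapper(HttpServletRequest request) {
        super(request);
        this.request = request;
        this.servletStream = new ResettableServletInputStream();
    }

    /**
     * Replaces the buffered body. The new bytes are also recorded as the buffer,
     * otherwise a later getInputStream()/getReader() would see rawData == null
     * and re-read the (already consumed) original request.
     *
     * @param newRawData the replacement body, expected to be UTF-8 encoded
     */
    public void resetInputStream(byte[] newRawData) {
        rawData = newRawData;
        servletStream.stream = new ByteArrayInputStream(newRawData);
    }

    @Override
    public ServletInputStream getInputStream() throws IOException {
        bufferBody();
        return servletStream;
    }

    @Override
    public BufferedReader getReader() throws IOException {
        bufferBody();
        // Decode with the same charset the buffer is encoded in, not the platform default.
        return new BufferedReader(
                new InputStreamReader(servletStream, java.nio.charset.StandardCharsets.UTF_8));
    }

    /**
     * Reads the original body once, stores it as UTF-8 bytes and points the
     * resettable stream at it. Subsequent calls are no-ops.
     */
    private void bufferBody() throws IOException {
        if (rawData == null) {
            rawData = IOUtils.toByteArray(
                    this.request.getReader(), java.nio.charset.StandardCharsets.UTF_8);
            servletStream.stream = new ByteArrayInputStream(rawData);
        }
    }

    // static: the stream needs no reference to the enclosing wrapper.
    private static class ResettableServletInputStream extends ServletInputStream {
        private InputStream stream;

        // NOTE: Servlet 3.1+ additionally declares abstract isFinished(),
        // isReady() and setReadListener(ReadListener), which must be implemented
        // when compiling against that API level.
        @Override
        public int read() throws IOException {
            return stream.read();
        }
    }
}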
public class XSSUtils {
    /** Static helpers only; not instantiable. */
    private XSSUtils() {
    }

    /**
     * HTML-escapes {@code value} so that it cannot be interpreted as markup.
     *
     * @param value the text to escape, may be {@code null}
     * @return the escaped text, or {@code null} when the input was {@code null}
     */
    public static String stripXSS(String value) {
        if (value == null) {
            return null;
        }
        return escapeHtml4(value);
    }
}
/**
 * Replaces the buffered body and keeps the buffer in sync with the stream, so
 * a later getInputStream()/getReader() serves the new bytes instead of
 * re-reading the original request.
 *
 * @param newRawData the replacement body
 */
public void resetInputStream(byte[] newRawData) {
    this.rawData = newRawData;
    this.servletStream.stream = new ByteArrayInputStream(newRawData);
}