Warning: file_get_contents(/data/phpspider/zhask/data//catemap/8/xcode/7.json): failed to open stream: No such file or directory in /data/phpspider/zhask/libs/function.php on line 167

Warning: Invalid argument supplied for foreach() in /data/phpspider/zhask/libs/tag.function.php on line 1116

Notice: Undefined index: in /data/phpspider/zhask/libs/function.php on line 180

Warning: array_chunk() expects parameter 1 to be array, null given in /data/phpspider/zhask/libs/function.php on line 181
如何在java过滤器中更改servlet请求主体?_Java_Servlets_Xss_Servlet Filters - Fatal编程技术网
Fatal编程技术网
  • java/
  • 如何在java过滤器中更改servlet请求主体?

如何在java过滤器中更改servlet请求主体?

java servlets

如何在java过滤器中更改servlet请求主体?,java,servlets,xss,servlet-filters,Java,Servlets,Xss,Servlet Filters,如何更改java筛选器中的请求正文以防止XSS攻击? 我构建了HttpServletRequestWrapper,并使用getparameter作为变更主体,但是 获取流关闭异常。XSSFilter.java java java 由于我没有足够的声誉来添加评论,我将添加它作为一个答案。三年后,我找到了公认的答案,节省了我的时间。同时,我还必须解决一些问题,并因此添加 (1) 错误(缺少对rawData的赋值) (2) 随着时间的推移,需要改变。参考: 实际上不起作用。过滤器已被调用,但主体仍然是

如何更改java筛选器中的请求正文以防止
XSS
攻击? 我构建了
HttpServletRequestWrapper
,并使用
getparameter
作为变更主体,但是 获取流关闭异常。

XSSFilter.java java java
由于我没有足够的声誉来添加评论,我将添加它作为一个答案。三年后,我找到了公认的答案,节省了我的时间。同时,我还必须解决一些问题,并因此添加

(1) 错误(缺少对rawData的赋值)

(2) 随着时间的推移,需要改变。参考:

实际上不起作用。过滤器已被调用,但主体仍然是原始的方法getInputStream和getReader,尚未调用HelpCome to StackOverflow!请慢慢来,阅读上的帮助部分。“因为我没有足够的声誉来添加评论”-这不是悲剧,因果报应会降临到你身上,记住古老的格言:“潜伏更多” 
public class XSSFilter implements Filter {


@Override
public void init(FilterConfig filterConfig) throws ServletException {
}

@Override
public void destroy() {
}

@Override
public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
        throws IOException, ServletException {

    XSSRequestWrapper wrappedRequest = new XSSRequestWrapper(
            (HttpServletRequest) request);

    String body = IOUtils.toString(wrappedRequest.getReader());


    if(!"".equals(body))
    {
        JSONObject oldJsonObject = new JSONObject(body);
        JSONObject newJsonObject = new JSONObject();

        for(String key : oldJsonObject.keySet())
        {
            newJsonObject.put(key, XSSUtils.stripXSS(oldJsonObject.get(key).toString()));
        }
        wrappedRequest.resetInputStream(newJsonObject.toString().getBytes());

    }


    chain.doFilter(wrappedRequest, response);
 }
}

public class XSSRequestWrapper extends HttpServletRequestWrapper {


private byte[] rawData;
private HttpServletRequest request;
private ResettableServletInputStream servletStream;

public XSSRequestWrapper(HttpServletRequest request) {
    super(request);
    this.request = request;
    this.servletStream = new ResettableServletInputStream();
}


public void resetInputStream(byte[] newRawData) {
    servletStream.stream = new ByteArrayInputStream(newRawData);
}

@Override
public ServletInputStream getInputStream() throws IOException {
    if (rawData == null) {
        rawData = IOUtils.toByteArray(this.request.getReader());
        servletStream.stream = new ByteArrayInputStream(rawData);
    }
    return servletStream;
}

@Override
public BufferedReader getReader() throws IOException {
    if (rawData == null) {
        rawData = IOUtils.toByteArray(this.request.getReader());
        servletStream.stream = new ByteArrayInputStream(rawData);
    }
    return new BufferedReader(new InputStreamReader(servletStream));
}

private class ResettableServletInputStream extends ServletInputStream {

    private InputStream stream;

    @Override
    public int read() throws IOException {
        return stream.read();
     }
   }
 }

public class XSSUtils {

private XSSUtils()
{

}

public static String stripXSS(String value) {
    return value == null ? value : escapeHtml4(value);
  }
}

public void resetInputStream(byte[] newRawData) {
    rawData = newRawData;
    servletStream.stream = new ByteArrayInputStream(newRawData);
}