You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
97 lines
2.7 KiB
97 lines
2.7 KiB
package com.ruoyi.common.filter; |
|
|
|
import java.io.IOException; |
|
import java.util.ArrayList; |
|
import java.util.List; |
|
import java.util.regex.Matcher; |
|
import java.util.regex.Pattern; |
|
import javax.servlet.Filter; |
|
import javax.servlet.FilterChain; |
|
import javax.servlet.FilterConfig; |
|
import javax.servlet.ServletException; |
|
import javax.servlet.ServletRequest; |
|
import javax.servlet.ServletResponse; |
|
import javax.servlet.http.HttpServletRequest; |
|
import javax.servlet.http.HttpServletResponse; |
|
import com.ruoyi.common.utils.StringUtils; |
|
|
|
/** |
|
* 防止XSS攻击的过滤器 |
|
* |
|
* @author ruoyi |
|
*/ |
|
public class XssFilter implements Filter |
|
{ |
|
/** |
|
* 排除链接 |
|
*/ |
|
public List<String> excludes = new ArrayList<>(); |
|
|
|
/** |
|
* xss过滤开关 |
|
*/ |
|
public boolean enabled = false; |
|
|
|
@Override |
|
public void init(FilterConfig filterConfig) throws ServletException |
|
{ |
|
String tempExcludes = filterConfig.getInitParameter("excludes"); |
|
String tempEnabled = filterConfig.getInitParameter("enabled"); |
|
if (StringUtils.isNotEmpty(tempExcludes)) |
|
{ |
|
String[] url = tempExcludes.split(","); |
|
for (int i = 0; url != null && i < url.length; i++) |
|
{ |
|
excludes.add(url[i]); |
|
} |
|
} |
|
if (StringUtils.isNotEmpty(tempEnabled)) |
|
{ |
|
enabled = Boolean.valueOf(tempEnabled); |
|
} |
|
} |
|
|
|
@Override |
|
public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) |
|
throws IOException, ServletException |
|
{ |
|
HttpServletRequest req = (HttpServletRequest) request; |
|
HttpServletResponse resp = (HttpServletResponse) response; |
|
if (handleExcludeURL(req, resp)) |
|
{ |
|
chain.doFilter(request, response); |
|
return; |
|
} |
|
XssHttpServletRequestWrapper xssRequest = new XssHttpServletRequestWrapper((HttpServletRequest) request); |
|
chain.doFilter(xssRequest, response); |
|
} |
|
|
|
private boolean handleExcludeURL(HttpServletRequest request, HttpServletResponse response) |
|
{ |
|
if (!enabled) |
|
{ |
|
return true; |
|
} |
|
if (excludes == null || excludes.isEmpty()) |
|
{ |
|
return false; |
|
} |
|
String url = request.getServletPath(); |
|
for (String pattern : excludes) |
|
{ |
|
Pattern p = Pattern.compile("^" + pattern); |
|
Matcher m = p.matcher(url); |
|
if (m.find()) |
|
{ |
|
return true; |
|
} |
|
} |
|
return false; |
|
} |
|
|
|
@Override |
|
public void destroy() |
|
{ |
|
|
|
} |
|
} |