2 wang3274755 wang3274755 于 2016.05.06 12:06 提问

过滤器过滤特殊字符无法获取到参数

代码如下:

 // POST the hand-assembled payload `o` to `url`; close the window on either outcome.
 // NOTE(review): how `o` is built is not shown. jQuery serializes a plain object into
 // form fields, but sends a string unchanged; if `o` is a JSON string, the server gets it
 // as the request body rather than as named request parameters. Confirm which applies.
 $.ajax({
     type: 'post',
     url: url,
     data: o,
     cache: false,
     success: function (responseBody) {
         console.dir(responseBody);
         CloseWindow("save");
     },
     error: function (xhr) {
         // Shows the raw server response text to the user.
         alert(xhr.responseText);
         CloseWindow();
     }
 });

我使用ajax方式提交,post提交方式,手动封装data。
后端接收如下:

 /**
     * Handles {@code /updateProductCfg}: stamps the submitted product with the modifying
     * user, organisation and current time, then passes it to {@code productCfgManagerBiz}.
     *
     * <p>NOTE(review): {@code @Param("..")} presumably binds every matching request
     * parameter onto {@code CmsLoanProduct}; confirm. If so, any field the client must not
     * control has to be overwritten or validated here, as the three audit fields are.
     *
     * @param param   product configuration taken from the request
     * @param session current session; its {@code "userObject"} attribute is used as the acting user
     * @return the state returned by {@code productCfgManagerBiz.updateProductCfg}
     */
    @At("/updateProductCfg")
    public ExecuteState updateProductCfg(@Param("..") CmsLoanProduct param,HttpSession session) {
        // NOTE(review): debug output; writes the whole bound object to stdout.
        System.out.print(Json.toJson(param));

        // The attribute is dereferenced without a null check: a session that carries no
        // "userObject" fails on the next statement with a NullPointerException.
        final UserObject currentUser = (UserObject) session.getAttribute("userObject");

        // Audit fields come from the server-side session and clock, not from the client.
        param.setUsrModify(currentUser.getUserId());
        param.setOrgModify(currentUser.getUserOrgName());
        final long nowMillis = System.currentTimeMillis();
        param.setDatModify(new Timestamp(nowMillis));

        return productCfgManagerBiz.updateProductCfg(param);
    }

现在为了处理param参数中可能出现的特殊字符,我在web.xml中定义了过滤器,
代码如下

  <!-- Registers com.ifs.frame.filter.XssFilter under the name "XssFilter". -->
  <filter>
        <filter-name>XssFilter</filter-name>
        <filter-class>com.ifs.frame.filter.XssFilter</filter-class>
    </filter>
    <!-- Applies XssFilter to every URL ("/*").
         NOTE(review): the container runs filters in the order their filter-mapping
         elements appear in web.xml. If the MVC framework is itself registered as a
         filter and its mapping comes first, it can handle the request before this
         filter has wrapped it. The rest of web.xml is not shown; confirm the order. -->
    <filter-mapping>
        <filter-name>XssFilter</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>

过滤器代码

 /**
  * Servlet filter that passes an {@link XssHttpServletRequestWrapper} down the chain in
  * place of the original request.
  *
  * <p>The wrapper changes only what its overridden accessors return. Code further down
  * the chain that reads the request in any other way still sees the original data.
  */
 public class XssFilter implements Filter {

    /** Configuration handed over in {@link #init}; cleared again in {@link #destroy}. */
    FilterConfig filterConfig = null;

    /** Stores the container-supplied configuration. */
    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
        this.filterConfig = filterConfig;
    }

    /**
     * Wraps the incoming request and continues the chain with the wrapper.
     *
     * <p>The request is cast to {@link HttpServletRequest} without a type check.
     */
    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain filterChain)
            throws IOException, ServletException {
        HttpServletRequest httpRequest = (HttpServletRequest) request;
        ServletRequest wrapped = new XssHttpServletRequestWrapper(httpRequest);
        filterChain.doFilter(wrapped, response);
    }

    /** Drops the stored configuration. */
    @Override
    public void destroy() {
        filterConfig = null;
    }

}

XssHttpServletRequestWrapper代码

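 /**
  * Request wrapper that HTML-entity-encodes parameter and header values before the
  * application reads them.
  *
  * <p>Coverage is limited to the accessors overridden here: {@link #getParameter},
  * {@link #getParameterValues}, {@link #getParameterMap} and {@link #getHeader}.
  * Everything else reaches the application unchanged: {@code getInputStream()} and
  * {@code getReader()} (for example a JSON request body), {@code getParameterNames()},
  * {@code getHeaders(String)}, {@code getQueryString()} and cookies. A framework that
  * binds its arguments through one of those paths never sees the encoded values.
  *
  * <p>Encoding on input also changes the data itself: values are stored with entities in
  * them, and a view that escapes on output encodes them a second time. Escaping at the
  * point of output, for the context being written, remains the primary XSS defence; this
  * wrapper does not replace it.
  */
 public class XssHttpServletRequestWrapper extends HttpServletRequestWrapper {

    public XssHttpServletRequestWrapper(HttpServletRequest servletRequest) {
        super(servletRequest);
    }

    /**
     * Returns all values of a parameter, each one entity-encoded.
     *
     * @param parameter parameter name
     * @return encoded copies of the values, or {@code null} if the parameter is absent
     */
    @Override
    public String[] getParameterValues(String parameter) {
        return encodeAll(super.getParameterValues(parameter));
    }

    /**
     * Returns the first value of a parameter, entity-encoded.
     *
     * @param parameter parameter name
     * @return the encoded value, or {@code null} if the parameter is absent
     */
    @Override
    public String getParameter(String parameter) {
        String value = super.getParameter(parameter);
        return value == null ? null : cleanXSS(value);
    }

    /**
     * Returns the parameter map with every value entity-encoded, so that code binding
     * through the map sees the same data as {@link #getParameter} and
     * {@link #getParameterValues}. Without this override the map from the wrapped
     * request is returned as-is. Parameter names are not encoded.
     *
     * <p>Types are fully qualified because this listing does not show its import block.
     *
     * @return an unmodifiable map of parameter names to encoded values
     */
    @Override
    public java.util.Map<String, String[]> getParameterMap() {
        java.util.Map<String, String[]> original = super.getParameterMap();
        if (original == null) {
            return null;
        }
        java.util.Map<String, String[]> encoded = new java.util.LinkedHashMap<String, String[]>();
        for (java.util.Map.Entry<String, String[]> entry : original.entrySet()) {
            encoded.put(entry.getKey(), encodeAll(entry.getValue()));
        }
        return java.util.Collections.unmodifiableMap(encoded);
    }

    /**
     * Returns a header value, entity-encoded.
     *
     * <p>This applies to every header name, so a caller that parses a header (a quoted
     * attribute value, for instance) receives the encoded form. {@code getHeaders(String)}
     * is not overridden and still returns the raw values.
     *
     * @param name header name
     * @return the encoded value, or {@code null} if the header is absent
     */
    @Override
    public String getHeader(String name) {
        String value = super.getHeader(name);
        return value == null ? null : cleanXSS(value);
    }

    /** Encodes each element of {@code values}; a {@code null} array stays {@code null}. */
    private String[] encodeAll(String[] values) {
        if (values == null) {
            return null;
        }
        String[] encodedValues = new String[values.length];
        for (int i = 0; i < values.length; i++) {
            encodedValues[i] = cleanXSS(values[i]);
        }
        return encodedValues;
    }

    /**
     * Replaces {@code & # < > " '} with HTML entities.
     *
     * <p>Uses literal {@code replace}; none of the patterns needs a regular expression.
     * The double quote maps to {@code &#34;}. The earlier {@code &#92;} is the entity for
     * a backslash, so quotes were rendered as backslashes.
     */
    private String cleanXSS(String value) {
        return value
                // '&' and '#' go first so the entities inserted below are not re-encoded.
                .replace("&", "&amp;")
                .replace("#", "&#35;")
                .replace("<", "&lt;")
                .replace(">", "&gt;")
                .replace("\"", "&#34;")
                .replace("'", "&#39;");
    }

}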

现在这些代码我却无法获取到data中的值,也无法转换,各位有什么好的解决方法吗?

据我现在所知,这是参数未封装到HttpServletRequest里面导致的。但我现在无法再去修改源码了,只能通过写过滤器来想办法

1个回答

devmiao
devmiao   Ds   Rxr 2016.05.07 06:51