代码如下:
$.ajax({
url: url,
type: 'post',
data: o,
cache: false,
success: function (text) {
console.dir(text);
CloseWindow("save");
},
error: function (jqXHR, textStatus, errorThrown) {
alert(jqXHR.responseText);
CloseWindow();
}
});
我使用ajax方式提交,post提交方式,手动封装data。
后端接收如下:
@At("/updateProductCfg")
public ExecuteState updateProductCfg(@Param("..") CmsLoanProduct param,HttpSession session) {
System.out.print(Json.toJson(param));
UserObject user=(UserObject)session.getAttribute("userObject");
param.setUsrModify(user.getUserId());
param.setOrgModify(user.getUserOrgName());
param.setDatModify(new Timestamp(System.currentTimeMillis()));
ExecuteState state = productCfgManagerBiz.updateProductCfg(param);
return state;
}
现在如果在param参数中有特殊字符,那么我将定义
web.xml,代码如下
<filter>
<filter-name>XssFilter</filter-name>
<filter-class>com.ifs.frame.filter.XssFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>XssFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
拦截器代码
public class XssFilter implements Filter {
FilterConfig filterConfig = null;
public void doFilter(ServletRequest request, ServletResponse response, FilterChain filterChain) throws IOException,
ServletException {
XssHttpServletRequestWrapper xssRequest = new XssHttpServletRequestWrapper(
(HttpServletRequest) request);
filterChain.doFilter(xssRequest, response);
}
@Override
public void init(FilterConfig filterConfig) throws ServletException {
this.filterConfig = filterConfig;
}
@Override
public void destroy() {
this.filterConfig=null;
}
}
XssHttpServletRequestWrapper代码
public class XssHttpServletRequestWrapper extends HttpServletRequestWrapper {
public XssHttpServletRequestWrapper(HttpServletRequest servletRequest) {
super(servletRequest);
}
public String[] getParameterValues(String parameter) {
String[] values = super.getParameterValues(parameter);
if (values==null) {
return null;
}
int count = values.length;
String[] encodedValues = new String[count];
for (int i = 0; i < count; i++) {
encodedValues[i] = cleanXSS(values[i]);
}
return encodedValues;
}
public String getParameter(String parameter) {
String value = super.getParameter(parameter);
if (value == null) {
return null;
}
return cleanXSS(value);
}
public String getHeader(String name) {
String value = super.getHeader(name);
if (value == null)
return null;
return cleanXSS(value);
}
private String cleanXSS(String value) {
value = value.replaceAll("&", "&");
value = value.replaceAll("#", "#");
value = value.replaceAll("<", "<").replaceAll(">", ">");
value = value.replaceAll("\"", "\");
value = value.replaceAll("'", "'");
return value;
}
现在这些代码我确无法获取到data中的值,也无法转换,各位有什么好的解决方法吗?
以我现在所知道的是参数未封装到HttpServletRequest里面导致的。但我现在无法在来修改源码了,也只有通过写过滤器来想办法