diff --git a/ForestBlog/src/main/java/com/liuyanzhao/ssm/blog/Filter/XssFilter.java b/ForestBlog/src/main/java/com/liuyanzhao/ssm/blog/Filter/XssFilter.java
new file mode 100644
index 00000000..c930f47b
--- /dev/null
+++ b/ForestBlog/src/main/java/com/liuyanzhao/ssm/blog/Filter/XssFilter.java
@@ -0,0 +1,25 @@
+package com.liuyanzhao.ssm.blog.Filter;
+
+
+import javax.servlet.*;
+import javax.servlet.http.HttpServletRequest;
+import java.io.IOException;
+
+public class XssFilter implements Filter {
+ @Override
+ public void destroy() {
+ }
+ /**
+ * 过滤器用来过滤的方法
+ */
+ @Override
+ public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
+ //包装request
+ XssHttpServletRequestWrapper xssRequest = new XssHttpServletRequestWrapper((HttpServletRequest) request);
+ chain.doFilter(xssRequest, response);
+ }
+ @Override
+ public void init(FilterConfig filterConfig) throws ServletException {
+ }
+
+}
diff --git a/ForestBlog/src/main/java/com/liuyanzhao/ssm/blog/Filter/XssHttpServletRequestWrapper.java b/ForestBlog/src/main/java/com/liuyanzhao/ssm/blog/Filter/XssHttpServletRequestWrapper.java
new file mode 100644
index 00000000..b325c22d
--- /dev/null
+++ b/ForestBlog/src/main/java/com/liuyanzhao/ssm/blog/Filter/XssHttpServletRequestWrapper.java
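Review bot: The cast `(HttpServletRequest) request` in doFilter is unguarded, so a request that is not an HttpServletRequest would fail with a ClassCastException instead of passing through; guard it and fall back to the original request: `ServletRequest wrapped = request instanceof HttpServletRequest ? new XssHttpServletRequestWrapper((HttpServletRequest) request) : request;` followed by `chain.doFilter(wrapped, response);`. The Javadoc only says this is the filtering method; an English comment such as `/** Wraps each HTTP request in XssHttpServletRequestWrapper so that parameter reads pass through its sanitizer before reaching the application. */` would tell a reader what the filter actually does, and `//包装request` could become `// wrap the request so parameter access is sanitized`. The package segment `Filter` is capitalized; Java packages are conventionally lowercase (`filter`), which applies to XssHttpServletRequestWrapper in the next hunk as well.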
@@ -0,0 +1,56 @@
+package com.liuyanzhao.ssm.blog.Filter;
+
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletRequestWrapper;
+import java.util.Map;
+
+public class XssHttpServletRequestWrapper extends HttpServletRequestWrapper {
+ HttpServletRequest orgRequest = null;
+
+ public XssHttpServletRequestWrapper(HttpServletRequest request) {
+ super(request);
+ }
+ /**
+ * 覆盖getParameter方法,将参数名和参数值都做xss过滤。
+ * 如果需要获得原始的值,则通过super.getParameterValues(name)来获取
+ * getParameterNames,getParameterValues和getParameterMap也可能需要覆盖
+ */
+ @Override
+ public String getParameter(String name) {
+ String value = super.getParameter(xssEncode(name));
+ if (value != null) {
+ value = xssEncode(value);
+ }
+ return value;
+ }
+ @Override
+ public String[] getParameterValues(String name) {
+ String[] value = super.getParameterValues(name);
+ if(value != null){
+ for (int i = 0; i < value.length; i++) {
+ value[i] = xssEncode(value[i]);
+ }
+ }
+ return value;
+ }
+ @Override
+ public Map getParameterMap() {
+ return super.getParameterMap();
+ }
+ /**
+ * 将容易引起xss漏洞的半角字符直接替换成全角字符 在保证不删除数据的情况下保存
+ * @return 过滤后的值
+ */
+ private static String xssEncode(String value) {
+ if (value == null || value.isEmpty()) {
+ return value;
+ }
+ value = value.replaceAll("eval\\((.*)\\)", "");
+ value = value.replaceAll("[\\\"\\\'][\\s]*javascript:(.*)[\\\"\\\']", "\"\"");
+ value = value.replaceAll("(?i).*?", "");
+ value = value.replaceAll("(?i).*?", "");
+ value = value.replaceAll("(?i)<.*?javascript:.*?>.*?", "");
+ value = value.replaceAll("(?i)<.*?\\s+on.*?>.*?", "");
+ return value;
+ }
+}
diff --git a/ForestBlog/src/main/webapp/WEB-INF/web.xml b/ForestBlog/src/main/webapp/WEB-INF/web.xml
index 069ed93a..c82b7d4b 100755
--- a/ForestBlog/src/main/webapp/WEB-INF/web.xml
+++ b/ForestBlog/src/main/webapp/WEB-INF/web.xml
@@ -117,5 +117,13 @@ + + XssFilter + com.liuyanzhao.ssm.blog.Filter.XssFilter + + + XssFilter + /* +
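Review bot: getParameterMap() returns `super.getParameterMap()` untouched, so any code that reads parameters through the map rather than getParameter/getParameterValues (the Javadoc on getParameter already names this gap, and framework data binding commonly goes through the map) gets the unsanitized values; it should also be declared `Map<String, String[]>` rather than the raw `Map`. getParameterValues() writes the encoded strings back into the array obtained from the wrapped request, which mutates the container's own copy unless the container hands out a clone — build a new array instead, as in the rewrite below (it needs `java.util.LinkedHashMap` and `java.util.Collections` imports). getParameter() runs the name through xssEncode before the lookup while getParameterValues() looks up the original name; the two should agree, and looking up the name as given is what callers expect. The field `orgRequest` is never read and can be dropped, and the Javadoc on xssEncode says it swaps half-width for full-width characters without deleting data, whereas the code deletes every match — the comment should describe the regex stripping that actually happens. The two `replaceAll("(?i).*?", "")` calls appear to have lost their tag text in this rendering (as shown they match only empty strings and change nothing), and a regex blacklist of this kind is inherently incomplete, so output encoding at render time should remain the primary XSS control with this filter as a second layer.
```java
@Override
public String[] getParameterValues(String name) {
    String[] raw = super.getParameterValues(name);
    if (raw == null) {
        return null;
    }
    // Copy so the wrapped request's own array is left untouched.
    String[] encoded = new String[raw.length];
    for (int i = 0; i < raw.length; i++) {
        encoded[i] = xssEncode(raw[i]);
    }
    return encoded;
}

@Override
public Map<String, String[]> getParameterMap() {
    // Route through getParameterValues so map readers see the same sanitized values.
    Map<String, String[]> encoded = new LinkedHashMap<>();
    for (String key : super.getParameterMap().keySet()) {
        encoded.put(key, getParameterValues(key));
    }
    return Collections.unmodifiableMap(encoded);
}
// … unchanged: constructor, getParameter, xssEncode …
```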
diff --git a/README.md b/README.md
index a7eaa732..34f7ac9b 100755
--- a/README.md
+++ b/README.md
@@ -1,9 +1,24 @@
+最新消息,博主已开通B站账号:[Java刘哥](https://space.bilibili.com/160340478),欢迎关注,分享自己原创免费Java实战课程、各种框架实战和技巧、以及公司项目经验
+## 博主开发的其他博客或论坛项目全部在这里
+**[https://liuyanzhao.com/shop.html?k=博客](https://liuyanzhao.com/shop.html?k=博客)**
+**[https://liuyanzhao.com/shop.html?k=论坛](https://liuyanzhao.com/shop.html?k=论坛)**
+- -------------------------------------------------------------------------------
+博主提供风吟博客二次开发功能
+目前已完成但不限于以下功能(需要相关源码可以联系博主) +- 风吟博客+协同过滤推荐功能 2022年5月 +- 风吟博客+websocket私信聊天功能 2022年4月 +- 风吟博客+ElasticSearch文章搜索高亮功能 2022年3月 +- 风吟博客改造成其他博客、论坛、知识分享平台 不计其数 + +- ---------------------------------- + + 2022 最新消息 SpringBoot轻量级推荐博客 [https://github.com/saysky/recommendedblog](https://github.com/saysky/recommendedblog)
最新消息,SpringBoot博客已经开源,[SENS](https://github.com/saysky/SENS)
最新消息 SpringBoot/SSM/Duubo多个版本 [初云博客-SpringBoot版本](https://github.com/saysky/ChuyunBlog)
[更多项目、博主付费商品](https://liuyanzhao.com/shop.html) - +- ------------------------------------------------------------ # 关于项目 该博客是基于SSM实现的个人博客系统,适合初学SSM和个人博客制作的同学学习。
最新版本支持用户注册,包含用户和管理员两个角色 。