If the system has no rich-text editor, XSS filtering can be done in the following way.
If Struts2 is used, you need to override StrutsRequestWrapper.
If Struts2 is not used, override HttpServletRequestWrapper directly.
In your custom HttpServletRequestWrapper you must override the getParameterMap() method, as follows:
```java
// Goes in the custom HttpServletRequestWrapper subclass; needs java.util.Collections,
// java.util.LinkedHashMap and java.util.Map
@Override
public Map<String, String[]> getParameterMap() {
    Map<String, String[]> paramMap = super.getParameterMap();
    // The container's map is normally read-only, so build a filtered copy instead of
    // modifying it in place
    Map<String, String[]> filtered = new LinkedHashMap<String, String[]>();
    for (Map.Entry<String, String[]> entry : paramMap.entrySet()) {
        String[] str = entry.getValue();
        String[] cleaned = new String[str.length];
        for (int i = 0; i < str.length; i++) {
            // Every value submitted by the page passes through here, so handle it however
            // you need; this version replaces the HTML-dangerous characters
            cleaned[i] = str[i].replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")
                               .replace("\"", "&quot;").replace("'", "&#39;");
        }
        filtered.put(entry.getKey(), cleaned);
    }
    return Collections.unmodifiableMap(filtered);
}
```
In your custom filter you must wrap the ServletRequest in your own MyHttpServletRequestWrapper and pass that on down the chain:
```java
@Override
public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain)
        throws IOException, ServletException {
    // Wrap the incoming request so that everything downstream sees the filtered parameters
    MyHttpServletRequestWrapper request = new MyHttpServletRequestWrapper((HttpServletRequest) servletRequest);
    HttpServletResponse response = (HttpServletResponse) servletResponse;
    filterChain.doFilter(request, response);
}
```
This way the values sent by the page are filtered before Struts2 injects them.