***********注意此方法只能解决getParameter()方法取得参数转义,若要彻底解决getParameterMap()和getParameterValues()方法取得参数的转义,则需要使用“关于Filter 覆盖getParameterMap 来实现功能”这篇博文中的方法*******************************************************************************************************************
在客户端提交过来的text片段中,有可能会存在恶意代码。
利用Filter和装饰设计技术来增强getParameter()方法使代码片段进行转义,从而达到输入什么内容就输出什么内容。
建立过滤器类HtmlFilter
package filter;
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
/**
* HTML转义
*
* @author seawind
*
*/
public class HtmlFilter implements Filter {
@Override
public void destroy() {
// TODO Auto-generated method stub
}
@Override
public void doFilter(ServletRequest request, ServletResponse response,
FilterChain chain) throws IOException, ServletException {
chain.doFilter(new HtmlRequest((HttpServletRequest) request), response);
}
@Override
public void init(FilterConfig filterConfig) throws ServletException {
// TODO Auto-generated method stub
}
}
class HtmlRequest extends HttpServletRequestWrapper {
private HttpServletRequest request;
public HtmlRequest(HttpServletRequest request) {
super(request);
this.request = request;
}
@Override
public String getParameter(String name) {
String value = request.getParameter(name);
return filter(value);
}
public static String filter(String message) {
if (message == null)
return (null);
char content[] = new char[message.length()];
message.getChars(0, message.length(), content, 0);
StringBuffer result = new StringBuffer(content.length + 50);
for (int i = 0; i < content.length; i++) {
switch (content[i]) {
case '<':
result.append("<");
break;
case '>':
result.append(">");
break;
case '&':
result.append("&");
break;
case '"':
result.append(""");
break;
default:
result.append(content[i]);
}
}
return (result.toString());
}
}
然后再web.xml 中对 HtmlFilter 进行配置,在servlet中直接调用增强之后的request即可实现对提交内容的转义。