smartor代码库
blame | 历史 | 原始文档
liusheng
2025-10-21 5a584a362e7f96cd457b7b06bd6f7f742e7511be 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111

package com.ruoyi.common.filter;


 


import java.io.ByteArrayInputStream;


import java.io.IOException;


import javax.servlet.ReadListener;


import javax.servlet.ServletInputStream;


import javax.servlet.http.HttpServletRequest;


import javax.servlet.http.HttpServletRequestWrapper;


import org.apache.commons.io.IOUtils;


import org.springframework.http.HttpHeaders;


import org.springframework.http.MediaType;


import com.ruoyi.common.utils.StringUtils;


import com.ruoyi.common.utils.html.EscapeUtil;


 


/**


 * XSS过滤处理


 * 


 * @author ruoyi


 */


public class XssHttpServletRequestWrapper extends HttpServletRequestWrapper


{


    /**


     * @param request


     */


    public XssHttpServletRequestWrapper(HttpServletRequest request)


    {


        super(request);


    }


 


    @Override


    public String[] getParameterValues(String name)


    {


        String[] values = super.getParameterValues(name);


        if (values != null)


        {


            int length = values.length;


            String[] escapesValues = new String[length];


            for (int i = 0; i < length; i++)


            {


                // 防xss攻击和过滤前后空格


                escapesValues[i] = EscapeUtil.clean(values[i]).trim();


            }


            return escapesValues;


        }


        return super.getParameterValues(name);


    }


 


    @Override


    public ServletInputStream getInputStream() throws IOException


    {


        // 非json类型,直接返回


        if (!isJsonRequest())


        {


            return super.getInputStream();


        }


 


        // 为空,直接返回


        String json = IOUtils.toString(super.getInputStream(), "utf-8");


        if (StringUtils.isEmpty(json))


        {


            return super.getInputStream();


        }


 


        // xss过滤


        json = EscapeUtil.clean(json).trim();


        byte[] jsonBytes = json.getBytes("utf-8");


        final ByteArrayInputStream bis = new ByteArrayInputStream(jsonBytes);


        return new ServletInputStream()


        {


            @Override


            public boolean isFinished()


            {


                return true;


            }


 


            @Override


            public boolean isReady()


            {


                return true;


            }


 


            @Override


            public int available() throws IOException


            {


                return jsonBytes.length;


            }


 


            @Override


            public void setReadListener(ReadListener readListener)


            {


            }


 


            @Override


            public int read() throws IOException


            {


                return bis.read();


            }


        };


    }


 


    /**


     * 是否是Json请求


     * 


     * @param request


     */


    public boolean isJsonRequest()


    {


        String header = super.getHeader(HttpHeaders.CONTENT_TYPE);


        return StringUtils.startsWithIgnoreCase(header, MediaType.APPLICATION_JSON_VALUE);


    }


}