package com.ruoyi.common.filter;
|
|
import java.io.IOException;
|
import java.util.ArrayList;
|
import java.util.List;
|
import javax.servlet.Filter;
|
import javax.servlet.FilterChain;
|
import javax.servlet.FilterConfig;
|
import javax.servlet.ServletException;
|
import javax.servlet.ServletRequest;
|
import javax.servlet.ServletResponse;
|
import javax.servlet.http.HttpServletRequest;
|
import javax.servlet.http.HttpServletResponse;
|
import com.ruoyi.common.utils.StringUtils;
|
import com.ruoyi.common.enums.HttpMethod;
|
|
/**
|
* 防止XSS攻击的过滤器
|
*
|
* @author ruoyi
|
*/
|
public class XssFilter implements Filter
|
{
|
/**
|
* 排除链接
|
*/
|
public List<String> excludes = new ArrayList<>();
|
|
@Override
|
public void init(FilterConfig filterConfig) throws ServletException
|
{
|
String tempExcludes = filterConfig.getInitParameter("excludes");
|
if (StringUtils.isNotEmpty(tempExcludes))
|
{
|
String[] url = tempExcludes.split(",");
|
for (int i = 0; url != null && i < url.length; i++)
|
{
|
excludes.add(url[i]);
|
}
|
}
|
}
|
|
@Override
|
public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
|
throws IOException, ServletException
|
{
|
HttpServletRequest req = (HttpServletRequest) request;
|
HttpServletResponse resp = (HttpServletResponse) response;
|
if (handleExcludeURL(req, resp))
|
{
|
chain.doFilter(request, response);
|
return;
|
}
|
XssHttpServletRequestWrapper xssRequest = new XssHttpServletRequestWrapper((HttpServletRequest) request);
|
chain.doFilter(xssRequest, response);
|
}
|
|
private boolean handleExcludeURL(HttpServletRequest request, HttpServletResponse response)
|
{
|
String url = request.getServletPath();
|
String method = request.getMethod();
|
// GET DELETE 不过滤
|
if (method == null || HttpMethod.GET.matches(method) || HttpMethod.DELETE.matches(method))
|
{
|
return true;
|
}
|
return StringUtils.matches(url, excludes);
|
}
|
|
@Override
|
public void destroy()
|
{
|
|
}
|
}
|
