
xss漏洞修复

git-svn-id: https://192.168.57.71/svn/jsgkj@1906 931142cf-59ea-a443-aa0e-51397b428577
xt_yuanxd преди 8 години
родител
ревизия
6340d92449
променени са 1 файла, в които са добавени 74 реда и са изтрити 43 реда
  1. 74 43
      gkoa/trunk/gkoa/src/com/xtframe/core/filter/XssHttpServletRequestWrapper.java

+ 74 - 43
gkoa/trunk/gkoa/src/com/xtframe/core/filter/XssHttpServletRequestWrapper.java

@@ -1,47 +1,78 @@
 package com.xtframe.core.filter;
+
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletRequestWrapper;
 
-public class XssHttpServletRequestWrapper extends HttpServletRequestWrapper {  
-    public XssHttpServletRequestWrapper(HttpServletRequest servletRequest) {
-        super(servletRequest);
-    }
-    public String[] getParameterValues(String parameter) {
-      String[] values = super.getParameterValues(parameter);
-      if (values==null)  {
-                  return null;
-          }
-      int count = values.length;
-      String[] encodedValues = new String[count];
-      for (int i = 0; i < count; i++) {
-                 encodedValues[i] = cleanXSS(values[i]);
-       }
-      return encodedValues;
-    }
-    public String getParameter(String parameter) {
-          String value = super.getParameter(parameter);
-          if (value == null) {
-                 return null;
-                  }
-          return cleanXSS(value);
-    }
-    public String getHeader(String name) {
-        String value = super.getHeader(name);
-        if (value == null)
-            return null;
-        return cleanXSS(value);
-    }
-    private String cleanXSS(String value) {
-                //You'll need to remove the spaces from the html entities below
-        //value = value.replaceAll("<", "& lt;").replaceAll(">", "& gt;");
-        //value = value.replaceAll("\\(", "& #40;").replaceAll("\\)", "& #41;");
-        //value = value.replaceAll("'", "& #39;");
-        value = value.replaceAll("eval\\((.*)\\)", "");
-        value = value.replaceAll("[\\\"\\\'][\\s]*javascript:(.*)[\\\"\\\']", "\"\"");
-        value = value.replaceAll("script", "");
-        value = value.replaceAll("alert", "");
-       // value = value.replaceAll("%", "\\\\u0025");
-        return value;
-    }
-
-} 
+public class XssHttpServletRequestWrapper extends HttpServletRequestWrapper {
+	/** 不处理的请求 */
+	public static final String EXCLUDE_EXP = "user-agent|Accept";
+
+	public XssHttpServletRequestWrapper(HttpServletRequest servletRequest) {
+		super(servletRequest);
+	}
+
+	public String[] getParameterValues(String parameter) {
+		String[] values = super.getParameterValues(parameter);
+		if (values == null) {
+			return null;
+		}
+		int count = values.length;
+		String[] encodedValues = new String[count];
+		for (int i = 0; i < count; i++) {
+			encodedValues[i] = cleanXSS(values[i]);
+		}
+		return encodedValues;
+	}
+
+	public String getParameter(String parameter) {
+		String value = super.getParameter(parameter);
+		if (value == null) {
+			return null;
+		}
+		return cleanXSS(value);
+	}
+
+	public String getHeader(String name) {
+		String value = super.getHeader(name);
+		if (value == null)
+			return null;
+		if (name.matches(EXCLUDE_EXP)) {
+			return value;
+		}
+		return cleanXSS(value);
+	}
+
+	private String cleanXSS(String input) {
+		if (input == null || input.length() == 0) {
+			return input;
+		}
+		StringBuilder sb = new StringBuilder(input.length());
+		for (int i = 0, c = input.length(); i < c; i++) {
+			char ch = input.charAt(i);
+			switch (ch) {
+			case '&':
+				sb.append("&amp;");
+				break;
+			case '<':
+				sb.append("&lt;");
+				break;
+			case '>':
+				sb.append("&gt;");
+				break;
+			case '"':
+				sb.append("&quot;");
+				break;
+			case '\'':
+				sb.append("&#x27;");
+				break;
+			case '/':
+				sb.append("&#x2F;");
+				break;
+			default:
+				sb.append(ch);
+			}
+		}
+		return sb.toString();
+	}
+
+}
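Review bot: `name.matches(EXCLUDE_EXP)` in getHeader is a full, case-sensitive match, so a lookup such as `getHeader("User-Agent")` or `getHeader("accept")` does not hit the exclusion and the header value is entity-encoded anyway; HTTP header names are case-insensitive, and `String.matches` also recompiles the regex on every call. Compile it once as `private static final Pattern EXCLUDE = Pattern.compile(EXCLUDE_EXP, Pattern.CASE_INSENSITIVE);` and test with `if (EXCLUDE.matcher(name).matches()) { return value; }` (needs `import java.util.regex.Pattern;`). Separately, the wrapper still overrides only getParameter, getParameterValues and getHeader, so values read through getParameterMap or getHeaders bypass cleanXSS entirely; either override those as well or state the gap in a class-level Javadoc. Since cleanXSS now HTML-encodes at the input boundary rather than at output, that Javadoc should also say that a literal `&`, `/` or quote in a parameter reaches application code as `&amp;`, `&#x2F;` or `&quot;` and will be double-encoded if the view layer escapes again.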