主要是添加黑名单进行拦截
public class XSSFilter implements Filter { private final Log logger = LogFactory.getLog(XSSFilter.class); // XSS处理Map private static Map<String,String> xssMap = new HashMap<String,String>(); public void init(FilterConfig filterConfig) throws ServletException { // 含有脚本: script xssMap.put("[s|S][c|C][r|R][i|C][p|P][t|T]", ""); /*16进制的javascript : 6a617661736372697074 (\\\\x6a|\\\\x4a) 表示的正则含义为 (\x6a|\x4a) */ xssMap.put("((\\\\x6a|\\\\x4a)(\\\\x61|\\\\x41)(\\\\x76|\\\\x56)(\\\\x61|\\\\x41)(\\\\x73|\\\\x53)|(\\\\x63|\\\\x43)(\\\\x72|\\\\x52)(\\\\x69|\\\\x49)(\\\\x70|\\\\x50)(\\\\x74|\\\\x54))", ""); /*16进制的script : 736372697074 (\\\\x6a|\\\\x4a) 表示的正则含义为 (\x6a|\x4a) */ xssMap.put("((\\\\x73|\\\\x53)|(\\\\x63|\\\\x43)(\\\\x72|\\\\x52)(\\\\x69|\\\\x49)(\\\\x70|\\\\x50)(\\\\x74|\\\\x54))", ""); // 含有脚本 javascript xssMap.put("[\\\"\\\'][\\s]*[j|J][a|A][v|V][a|A][s|S][c|C][r|R][i|I][p|P][t|T]:(.*)[\\\"\\\']", "\"\""); // 含有函数: eval xssMap.put("[e|E][v|V][a|A][l|L]\\((.*)\\)", ""); // 含有符号 ( xssMap.put("\\(", "("); // 含有符号 ) xssMap.put("\\)", ")"); } public void destroy() { } public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException { chain.doFilter(new XssHttpServletRequestWrapper((HttpServletRequest) request , xssMap), response); } }