Question
I have implemented an XSS filter as given below,
    import java.util.regex.Pattern;

    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpServletRequestWrapper;

    import org.owasp.esapi.ESAPI;

    public class XSSRequestWrapper extends HttpServletRequestWrapper {

        // The question does not show its pattern list; this single entry is a
        // placeholder so the class compiles.
        private static final Pattern[] patterns = new Pattern[] {
            Pattern.compile("<script>(.*?)</script>", Pattern.CASE_INSENSITIVE)
        };

        public XSSRequestWrapper(HttpServletRequest request) {
            super(request);
        }

        @Override
        public String getParameter(String parameter) {
            String value = super.getParameter(parameter);
            return stripXSS(value);
        }

        @Override
        public String getHeader(String name) {
            String value = super.getHeader(name);
            return stripXSS(value);
        }

        private String stripXSS(String value) {
            System.err.println("Initial Value " + value);
            if (value != null) {
                // NOTE: It's highly recommended to use the ESAPI library and uncomment the following line to
                // avoid encoded attacks.
                value = ESAPI.encoder().canonicalize(value);
                System.err.println("Encoded Value " + value);
                // Avoid null characters
                value = value.replaceAll("\0", "");
                // Remove all sections that match a pattern
                for (Pattern scriptPattern : patterns) {
                    value = scriptPattern.matcher(value).replaceAll("");
                }
                System.err.println("Pattern Value " + value);
            }
            System.err.println("Final Value " + value);
            return value;
        }
    }
Almost all requests pass through one of these methods, but when I use a Struts2 model-driven approach these methods are not invoked. How does Struts retrieve the parameters, and where can I strip them?
Answer 1:
Struts2 creates a map of parameters from the request using request.getParameterMap() and puts these parameters into the action context. So you can create an interceptor that gets these parameters from the context and does what you want. Add the new interceptor to all actions, either using a custom stack or an overridden action config.
Answer 2:
Don't mix up filters and interceptors; they are completely different things.
In order to make things easier with Struts, I'd recommend using interceptors to prevent XSS attacks. Play with this parameter within the ActionContext.
If you prefer to use filters, you will have to re-introduce the modified variable into the request, which is IMHO not good practice.
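The interceptor approach that both answers describe, as an added example (not code from the question or from Struts itself). It assumes the Struts 2.3 API, where ActionContext.getParameters() returns a mutable Map<String, Object> whose values are String[]; Struts 2.5 wraps that map in HttpParameters instead, so the loop below would need adjusting there. The class name XssParamsInterceptor and the pattern list are illustrative and carry the same regex-stripping logic as the question's stripXSS:

```java
import java.util.Map;
import java.util.regex.Pattern;

import com.opensymphony.xwork2.ActionInvocation;
import com.opensymphony.xwork2.interceptor.AbstractInterceptor;

// Hypothetical interceptor: rewrites the parameter map in the ActionContext
// before the built-in "params" interceptor copies values onto the action/model.
public class XssParamsInterceptor extends AbstractInterceptor {

    // Illustrative pattern set; the question's own list is not shown.
    private static final Pattern[] PATTERNS = {
        Pattern.compile("<script>(.*?)</script>", Pattern.CASE_INSENSITIVE),
        Pattern.compile("javascript:", Pattern.CASE_INSENSITIVE),
        Pattern.compile("on\\w+\\s*=", Pattern.CASE_INSENSITIVE)
    };

    @Override
    public String intercept(ActionInvocation invocation) throws Exception {
        // Struts 2.3: the map built from request.getParameterMap() lives here.
        Map<String, Object> params = invocation.getInvocationContext().getParameters();

        for (Map.Entry<String, Object> entry : params.entrySet()) {
            Object raw = entry.getValue();
            if (raw instanceof String[]) {
                // Multi-valued parameters (the normal servlet shape): sanitize in place.
                String[] values = (String[]) raw;
                for (int i = 0; i < values.length; i++) {
                    values[i] = sanitize(values[i]);
                }
            } else if (raw instanceof String) {
                entry.setValue(sanitize((String) raw));
            }
        }
        // Continue the stack; "params" now sees only the cleaned values.
        return invocation.invoke();
    }

    // Same strip-and-remove behaviour as the question's stripXSS, minus ESAPI.
    static String sanitize(String value) {
        if (value == null) {
            return null;
        }
        value = value.replace("\0", "");
        for (Pattern p : PATTERNS) {
            value = p.matcher(value).replaceAll("");
        }
        return value;
    }
}
```

For the model-driven case to be covered, the interceptor has to sit before params in the stack (declare it in struts.xml and reference it ahead of the defaultStack, or build a custom stack), otherwise the model's setters have already received the raw values by the time it runs.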
Source: https://stackoverflow.com/questions/32139956/how-does-struts2-read-parameters-from-request