I want to filter out illegal characters, SQL characters, HTML, CSS, JavaScript and so on, but I don't know how to do it.
This is just a sample for you to look at. The regular expression can be configured as a parameter and used to filter characters; of course you have to implement that part yourself.
<!-- filter -->
<filter>
<filter-name>encodingFilter</filter-name>
<filter-class>com.zte.ssb.filter.EncodingFilter</filter-class>
<init-param>
<param-name>filtCharReg</param-name>
<param-value>这里就配置正则表达式</param-value>
</init-param>
</filter>
Of course you also have to read this setting in the init method and parse it.
Try the StringEscapeUtils class; google it and see whether it is what you want.
Notes: illegal-character filtering servletFilter, user session validation servletFilter (2010-02-03 11:19)

servletFilter is very powerful. It can filter the content of every parameter submitted from a page; for example, a user may put something like <script> into a form, and the consequences can be terrible.

Here is a filter that escapes illegal characters.

JAVA CODE:

package com.jcxsw.filter;

import java.io.IOException;
import java.util.Enumeration;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class IllegalCharacterFilter implements Filter {

    public void destroy() {
    }

    @SuppressWarnings("unchecked")
    public void doFilter(ServletRequest request, ServletResponse response,
            FilterChain chain) throws IOException, ServletException {
        HttpServletRequest servletrequest = (HttpServletRequest) request;
        HttpServletResponse servletresponse = (HttpServletResponse) response;

        servletresponse.setContentType("text/html");
        servletresponse.setCharacterEncoding("gbk");
        // the request encoding must be set before the first parameter is read
        servletrequest.setCharacterEncoding("gbk");

        Enumeration params = servletrequest.getParameterNames();
        while (params.hasMoreElements()) {
            String param = (String) params.nextElement();
            // get every value of this parameter (a copy; changing it does not change the request)
            String[] values = servletrequest.getParameterValues(param);
            for (int i = 0; i < values.length; i++) {
                String paramValue = values[i];
                paramValue = paramValue.replaceAll("<", "&lt;");
                paramValue = paramValue.replaceAll(">", "&gt;");
                // more rules can be added here, e.g. replacing banned keywords
                // read from the database with ****
                values[i] = paramValue;
            }
            // put the escaped value(s) back into the request as an attribute.
            // Note: getParameter() still returns the raw value; only
            // getAttribute(param) sees the escaped copy.
            request.setAttribute(param, values.length == 1 ? (Object) values[0] : values);
        }
        // continue down the chain
        chain.doFilter(request, response);
    }

    public void init(FilterConfig config) throws ServletException {
        // initialisation
    }
}

web.xml code

<!-- filter illegal characters -->
<filter>
    <filter-name>IllegalCharacterFilter</filter-name>
    <filter-class>
        com.jcxsw.filter.IllegalCharacterFilter
    </filter-class>
</filter>
<filter-mapping>
    <filter-name>IllegalCharacterFilter</filter-name>
    <url-pattern>/*</url-pattern> <!-- with this mapping even images may get filtered; url-pattern supports neither "not equal" nor regexes, but you can define your own regex in init, have the filter evaluate it, and pass through whatever does not match -->
</filter-mapping>

Here is another filter that validates the session.

JAVA CODE:

package com.jcxsw.filter;

import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import com.jcxsw.member.vo.MemberUser;

public class MemberAuthorityFilter implements Filter {

    public void destroy() {
    }

    public void doFilter(ServletRequest request, ServletResponse response,
            FilterChain chain) throws IOException, ServletException {
        // only cast after the type check, so a non-HTTP request cannot throw ClassCastException
        if (request instanceof HttpServletRequest) {
            HttpServletRequest httpReq = (HttpServletRequest) request;
            HttpServletResponse httpRes = (HttpServletResponse) response;
            // the logged-in user is kept in the session under "memberUser"
            MemberUser memberUser = (MemberUser) httpReq.getSession()
                    .getAttribute("memberUser");
            if (memberUser == null) {
                // not logged in: redirect to the login page and stop the chain
                httpRes.sendRedirect(httpReq.getContextPath() + "/member-user/login");
                return;
            }
        }
        chain.doFilter(request, response);
    }

    public void init(FilterConfig filterConfig) throws ServletException {
    }
}

web.xml CODE

<filter>
    <filter-name>MemberAuthorityFilter</filter-name>
    <filter-class>
        com.jcxsw.filter.MemberAuthorityFilter
    </filter-class>
</filter>
<filter-mapping>
    <filter-name>MemberAuthorityFilter</filter-name>
    <url-pattern>/my/*</url-pattern><!-- validate everything under the my directory -->
</filter-mapping>
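The first answer leaves reading the filtCharReg init-param "for you to implement", and the filter in the last answer only stores escaped copies with setAttribute, so servlets and JSPs that call getParameter() still receive the raw value. The class below is an added example, not code from either poster: it reads the regex from the filtCharReg init-param exactly as the first answer's web.xml declares it, rejects requests whose parameters match it with HTTP 400, and wraps the request in an HttpServletRequestWrapper so that getParameter(), getParameterValues() and getParameterMap() all return HTML-escaped values. The package name, class names and the UTF-8 default are assumptions; it needs only javax.servlet (Servlet 2.5 or later) on the classpath.

```java
package com.example.filter; // assumed package, not from the original post

import java.io.IOException;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import java.util.regex.Pattern;
import java.util.regex.PatternSyntaxException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import javax.servlet.http.HttpServletResponse;

/**
 * Rejects parameters matching the configurable "filtCharReg" regex and hands the
 * chain a wrapped request whose parameter accessors return HTML-escaped values.
 */
public class ParameterSanitizingFilter implements Filter {

    private Pattern rejectPattern; // null when no filtCharReg is configured

    public void init(FilterConfig config) throws ServletException {
        String regex = config.getInitParameter("filtCharReg"); // same name as the first answer
        if (regex != null && regex.trim().length() > 0) {
            try {
                rejectPattern = Pattern.compile(regex);
            } catch (PatternSyntaxException e) {
                // fail closed: a broken regex must not silently disable the check
                throw new ServletException("invalid filtCharReg: " + regex, e);
            }
        }
    }

    public void doFilter(ServletRequest request, ServletResponse response,
            FilterChain chain) throws IOException, ServletException {
        if (request instanceof HttpServletRequest) {
            HttpServletRequest httpReq = (HttpServletRequest) request;
            if (httpReq.getCharacterEncoding() == null) {
                httpReq.setCharacterEncoding("UTF-8"); // assumed default; set before reading parameters
            }
            if (rejectPattern != null && containsIllegal(httpReq.getParameterMap())) {
                ((HttpServletResponse) response).sendError(
                        HttpServletResponse.SC_BAD_REQUEST, "illegal characters in request parameters");
                return;
            }
            request = new SanitizedRequest(httpReq);
        }
        chain.doFilter(request, response);
    }

    public void destroy() {
    }

    private boolean containsIllegal(Map<?, ?> params) {
        for (Object values : params.values()) {
            for (String v : (String[]) values) {
                if (rejectPattern.matcher(v).find()) {
                    return true;
                }
            }
        }
        return false;
    }

    /** Entity-encodes the five characters that are significant in HTML text and attributes. */
    static String escapeHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '<': sb.append("&lt;"); break;
                case '>': sb.append("&gt;"); break;
                case '&': sb.append("&amp;"); break;
                case '"': sb.append("&quot;"); break;
                case '\'': sb.append("&#39;"); break;
                default: sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Wrapper whose parameter accessors return escaped copies; the raw request is untouched. */
    static class SanitizedRequest extends HttpServletRequestWrapper {
        private final Map<String, String[]> sanitized;

        SanitizedRequest(HttpServletRequest request) {
            super(request);
            Map<String, String[]> clean = new HashMap<String, String[]>();
            for (Object o : request.getParameterMap().entrySet()) { // raw Map in Servlet 2.5
                Map.Entry<?, ?> e = (Map.Entry<?, ?>) o;
                String[] raw = (String[]) e.getValue();
                String[] out = new String[raw.length];
                for (int i = 0; i < raw.length; i++) {
                    out[i] = escapeHtml(raw[i]);
                }
                clean.put((String) e.getKey(), out);
            }
            sanitized = Collections.unmodifiableMap(clean);
        }

        @Override public String getParameter(String name) {
            String[] v = sanitized.get(name);
            return (v == null || v.length == 0) ? null : v[0];
        }

        @Override public String[] getParameterValues(String name) {
            String[] v = sanitized.get(name);
            return v == null ? null : v.clone();
        }

        @Override public Map<String, String[]> getParameterMap() {
            return sanitized;
        }
    }
}
```

Register it with the same <filter> / <init-param> block the first answer shows, substituting this class name. Two design points worth knowing before relying on it: escaping at the input side alters legitimate values (a password or a comment that contains an ampersand arrives modified), and it only protects HTML contexts, so the dependable XSS control remains escaping at the point of output, for example with the StringEscapeUtils class the second answer suggests; the filter is a defence-in-depth layer, not a replacement. For the session filter above, passing `false` to `getSession(false)` and treating a null session as "not logged in" avoids creating a server-side session for every anonymous hit under /my/*.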