The existing web application runs on Tomcat 4.1. A page has an XSS problem, but I cannot modify the source code. I decided to write a servlet filter to sanitize the parameters before the page sees them.
I would like to write a Filter class like this:
import java.io.*;
import javax.servlet.*;

public final class XssFilter implements Filter {

    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException
    {
        String badValue = request.getParameter("dangerousParamName");
        String goodValue = sanitize(badValue);
        // this is what I want to do, but ServletRequest has no setParameter method
        request.setParameter("dangerousParamName", goodValue);
        chain.doFilter(request, response);
    }

    public void destroy() {
    }

    public void init(FilterConfig filterConfig) {
    }
}
But ServletRequest.setParameter does not exist.
How can I change the value of a request parameter before passing the request down the chain?
There is a third-party application that needs to receive information through a custom HTTP header, so I wrote a simple test application that creates this header and then redirects to a page that lists all the headers.
The servlet fragment that generates the header is:
protected void doGet(HttpServletRequest request, HttpServletResponse response)
        throws ServletException, IOException {
    response.setContentType("text/plain");
    response.setHeader("cust-header", "cust-val");
    response.sendRedirect("header.jsp");
}
On the other side, the relevant code in header.jsp is:
<%
    Enumeration enumeration = request.getHeaderNames();
    while (enumeration.hasMoreElements()) {
        String string = (String) enumeration.nextElement();
        out.println("<font size = 6>" + string + ": " + request.getHeader(string) + "</font><br>");
    }
%>
This displays the following headers:
Host: localhost:9082
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; es-ES; rv:1.9.2.10) Gecko/20100914 Firefox/3.6.10 (.NET CLR 3.5.30729)
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: es-es,es;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Referer: http://localhost:9082/HdrTest/login.jsp
Cookie: JSESSIONID=0000tubMmZOXDyuM4X9RmaYYTg4:-1
It seems the custom header is never inserted. How can I fix this?
Thanks
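Two separate things are happening in the servlet above: response.setHeader() writes a header on the response that goes back to the browser, and sendRedirect() sends a 302 that makes the browser issue a brand-new GET for header.jsp. That second request carries only the browser's own headers, so request.getHeaderNames() in the JSP cannot see cust-header no matter what the servlet put on the earlier response. The servlet below is an added example, not the questioner's code, that puts both paths side by side: the redirect path as posted, and a forward path, where header.jsp runs inside the same request, so a value attached to that request is visible to it. The servlet name, the mode parameter and the attribute name are this example's assumptions.

```java
import java.io.IOException;
import javax.servlet.RequestDispatcher;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical servlet (assumption of this example); map it in web.xml next to header.jsp.
public class HeaderTestServlet extends HttpServlet {

    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        String mode = request.getParameter("mode");

        if ("redirect".equals(mode)) {
            // cust-header is written to THIS response and does reach the browser
            // (visible in the browser's network tools on the 302). The browser then
            // sends a new GET for header.jsp with only its own headers, so the JSP's
            // request.getHeader("cust-header") is null. This reproduces the posted behaviour.
            response.setHeader("cust-header", "cust-val");
            response.sendRedirect("header.jsp");
            return;
        }

        // Forward: header.jsp executes inside the same request/response pair, so anything
        // placed on the request object is available to it. A response header is still not
        // readable via request.getHeader(); the value is passed as a request attribute instead.
        request.setAttribute("cust-header", "cust-val");
        RequestDispatcher dispatcher = request.getRequestDispatcher("header.jsp");
        dispatcher.forward(request, response);
    }
}
```

On the forward path header.jsp reads the value with `request.getAttribute("cust-header")`; the header-enumeration loop in the question will still not list it, because it is not a header. If the third-party application genuinely requires the value to arrive as an HTTP request header, only the client (or a proxy in front of the server) can add it, since the server never controls the headers of the browser's next request; a quick way to verify that the JSP loop does print such a header is `curl -H "cust-header: cust-val" http://localhost:9082/HdrTest/header.jsp`.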