主要是添加黑名单进行拦截

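public class XSSFilter implements Filter {
    private final Log logger = LogFactory.getLog(XSSFilter.class);

    /**
     * Blacklist of {@code regex -> replacement} pairs handed to
     * {@link XssHttpServletRequestWrapper}, which applies them with
     * {@code String.replaceAll} to the query string, parameters and headers.
     * Built once at class load so that repeated {@link #init} calls do not
     * re-populate a shared static map.
     *
     * NOTE(review): a regex blacklist is a best-effort secondary control;
     * context-aware output encoding at render time remains the primary XSS defence.
     */
    private static final Map<String, String> xssMap = buildXssMap();

    /**
     * Assembles the blacklist. Keys are Java regexes, values are the
     * {@code replaceAll} replacement strings.
     */
    private static Map<String, String> buildXssMap() {
        Map<String, String> map = new HashMap<String, String>();

        // The word "script" in any letter case. The original used character classes
        // such as [s|S][c|C]..., which also match a literal '|' and, through the typo
        // [i|C], failed to match "scrIpt"; (?i) expresses the intended match directly.
        map.put("(?i)script", "");

        // Hex-escaped "javascript" (6a617661736372697074). The Java literal "\\\\x6a"
        // is the regex \\x6a, which matches the four-character text \x6a in the input,
        // i.e. an escaped-hex spelling of 'j' (upper-case variant \x4a).
        // NOTE(review): as written the outer group alternates "javas" | "cript" rather
        // than matching the whole word; kept verbatim because the intended form is
        // not recoverable from the original.
        map.put("((\\\\x6a|\\\\x4a)(\\\\x61|\\\\x41)(\\\\x76|\\\\x56)(\\\\x61|\\\\x41)(\\\\x73|\\\\x53)|(\\\\x63|\\\\x43)(\\\\x72|\\\\x52)(\\\\x69|\\\\x49)(\\\\x70|\\\\x50)(\\\\x74|\\\\x54))", "");

        // Hex-escaped "script" (736372697074), same encoding convention as above.
        // NOTE(review): this one alternates "s" | "cript"; kept verbatim for the same reason.
        map.put("((\\\\x73|\\\\x53)|(\\\\x63|\\\\x43)(\\\\x72|\\\\x52)(\\\\x69|\\\\x49)(\\\\x70|\\\\x50)(\\\\x74|\\\\x54))", "");

        // A quoted "javascript:" URL, case-insensitive, replaced by an empty quoted
        // string. The greedy (.*) runs to the last quote on the same line.
        map.put("(?i)[\\\"\\\'][\\s]*javascript:(.*)[\\\"\\\']", "\"\"");

        // A call to eval(...), case-insensitive; greedy (.*) runs to the last ')' on the line.
        map.put("(?i)eval\\((.*)\\)", "");

        // The original also mapped "\\(" -> "(" and "\\)" -> ")", which replace a
        // parenthesis with itself; those entries were no-ops and are dropped.
        return map;
    }

    /**
     * No per-instance setup: the blacklist is built statically.
     *
     * @param filterConfig unused
     * @throws ServletException never thrown here; declared by the {@link Filter} contract
     */
    public void init(FilterConfig filterConfig) throws ServletException {
        // nothing to do
    }

    public void destroy() {
    }

    /**
     * Wraps HTTP requests so that parameter, header and query-string reads pass
     * through the blacklist; non-HTTP requests are passed on untouched instead of
     * failing with a ClassCastException.
     *
     * @param request  incoming request
     * @param response outgoing response
     * @param chain    the remaining filter chain
     * @throws IOException      propagated from the chain
     * @throws ServletException propagated from the chain
     */
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        if (request instanceof HttpServletRequest) {
            chain.doFilter(new XssHttpServletRequestWrapper((HttpServletRequest) request, xssMap), response);
        } else {
            chain.doFilter(request, response);
        }
    }
}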

Filter

package com.ulic.misp.wx.oauth2;

import java.util.Map;
import java.util.Set;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper; import com.ulic.misp.pub.framework.log.Log;
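import com.ulic.misp.pub.framework.log.LogFactory;

/**
 * Request wrapper that runs a {@code regex -> replacement} blacklist over the
 * query string, single/multi-valued parameters and single-valued headers.
 *
 * Only the four read paths overridden below are filtered: {@code getHeaders(name)},
 * {@code getParameterMap()}, cookies and the request body are returned unchanged
 * by the superclass.
 */
public class XssHttpServletRequestWrapper extends HttpServletRequestWrapper {
    private final Log logger = LogFactory.getLog(XssHttpServletRequestWrapper.class);

    // regex -> replacement; stays null when the one-argument constructor is used,
    // in which case cleanXSS() is a pass-through.
    private Map<String, String> xssMap;

    /**
     * Wraps {@code request} with no blacklist; values are returned unchanged.
     *
     * @param request the request to wrap
     */
    public XssHttpServletRequestWrapper(HttpServletRequest request) {
        super(request);
    }

    /**
     * Wraps {@code request} and applies {@code xssMap} to filtered reads.
     *
     * @param request the request to wrap
     * @param xssMap  regex keys mapped to {@code replaceAll} replacement strings
     */
    public XssHttpServletRequestWrapper(HttpServletRequest request, Map<String, String> xssMap) {
        super(request);
        this.xssMap = xssMap;
    }

    /**
     * @return the cleaned query string, or {@code null} when the request has none
     */
    @Override
    public String getQueryString() {
        String queryString = super.getQueryString();
        if (queryString == null) {
            return null;
        }
        String cleaned = cleanXSS(queryString);
        // NOTE(review): the full (cleaned) query string is logged at INFO; in an
        // oauth2 flow it may carry codes/state values — confirm this matches the
        // deployment's log policy before keeping it.
        logger.info("queryString :{}", cleaned);
        return cleaned;
    }

    /**
     * @param parameter parameter name
     * @return a new array with every value cleaned, or {@code null} if the parameter is absent
     */
    @Override
    public String[] getParameterValues(String parameter) {
        String[] values = super.getParameterValues(parameter);
        if (values == null) {
            return null;
        }
        String[] cleaned = new String[values.length];
        for (int i = 0; i < values.length; i++) {
            cleaned[i] = cleanXSS(values[i]);
        }
        return cleaned;
    }

    /**
     * @param parameter parameter name
     * @return the cleaned value, or {@code null} if the parameter is absent
     */
    @Override
    public String getParameter(String parameter) {
        return cleanXSS(super.getParameter(parameter));
    }

    /**
     * @param name header name
     * @return the cleaned header value, or {@code null} if the header is absent
     */
    @Override
    public String getHeader(String name) {
        return cleanXSS(super.getHeader(name));
    }

    /**
     * Applies every blacklist entry to {@code value} with {@code String.replaceAll},
     * in the map's iteration order.
     *
     * @param value raw value; may be {@code null}
     * @return the cleaned value; {@code value} itself when it is {@code null} or no
     *         blacklist was supplied (the original dereferenced a null map here)
     */
    private String cleanXSS(String value) {
        if (value == null || xssMap == null) {
            return value;
        }
        String cleaned = value;
        for (Map.Entry<String, String> entry : xssMap.entrySet()) {
            cleaned = cleaned.replaceAll(entry.getKey(), entry.getValue());
        }
        return cleaned;
    }
}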

重写请求的一些处理
