Как насчет создания XSS-фильтра и вызова его в RequestInterceptor
public class XSSRequestWrapper extends HttpServletRequestWrapper {
public XSSRequestWrapper(HttpServletRequest request) {
super(request);
}
/**
* Get XSS stripped parameter values
* @param parameter parameter values string to be checked
* @return xss striped encoded string
*/
@Override
public String[] getParameterValues(String parameter)
{
String[] values = super.getParameterValues(parameter);
if(values == null)
{
return new String[0];
}
int count = values.length;
String[] encodedValues = new String[count];
for(int i=0; i<count; i++)
{
encodedValues[i]= stripXSS(values[i]);
}
return encodedValues;
}
/**
* Get XSS stripped parameter
* @param parameter parameter string to be checked
* @return xss striped encoded string
*/
@Override
public String getParameter(String parameter)
{
String value = super.getParameter(parameter);
return stripXSS(value);
}
/**
* Get XSS stripped header
* @param name header string to be checked
* @return xss striped encoded string
*/
@Override
public String getHeader(String name)
{
String value = super.getHeader(name);
return stripXSS(value);
}
private String stripXSS(String value)
{
return HtmlUtils.htmlEscape(value);
}
}
XSS-фильтр, как показано ниже
@WebFilter(urlPatterns = "/*")
public class XSSFilter implements Filter {
/**
* Filter initialization
* @param filterConfig FilterConfig
*/
@Override
public void init(FilterConfig filterConfig) {
// nothing required here
}
/**
* Actual filter implementation
* @param servletRequest ServletRequest
* @param servletResponse ServletResponse
* @param filterChain FilterChain
* @throws IOException IOException
* @throws ServletException ServletException
*/
@Override
public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
filterChain.doFilter(new XSSRequestWrapper((HttpServletRequest) servletRequest), servletResponse);
}
/**
* Filter destroy
*/
@Override
public void destroy() {
// nothing required here
}
}