EasyFilter is a Java Web content-filtering component that wraps the request and filters or replaces the following in request data:
- Special characters (e.g. `&lt;`, `&gt;`, other special marks, scripts, etc.)
- Illegal keywords (e.g. special keywords the system does not allow)
- SQL-injection keywords (e.g. `%`, `*`, `or`, `delete`, `and` and other SQL special words)

Custom filtering configuration is supported through a properties or XML file.
- Add the jar: `EasyFilter-X.X.X.jar`
- Maven:

```xml
<dependency>
    <groupId>cn.easyproject</groupId>
    <artifactId>easyfilter</artifactId>
    <version>2.0.1-RELEASE</version>
</dependency>
```
- Configure the filter in `web.xml`

If there are other filters, check the filter execution order (the order in which the filter-mapping elements are defined) so that EasyFilter processes the request data first. For example, in a Struts2 project EasyFilter must run before the Struts2 `StrutsPrepareAndExecuteFilter`.

```xml
<filter>
    <filter-name>contentFilter</filter-name>
    <filter-class>cn.easyproject.easyfilter.filter.EasyFilter</filter-class>
    <!-- request characterEncoding, default is utf-8 -->
    <init-param>
        <param-name>charset</param-name>
        <param-value>utf-8</param-value>
    </init-param>
</filter>
<filter-mapping>
    <filter-name>contentFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
```
- Custom Configuration

Create an `easyFilter.properties` or `easyFilter.xml` file in the root directory of the classpath (if neither exists, EasyFilter uses its internal default configuration file `easyFilter-failsafe.properties`). The configurations and parameters are as follows:
- Configuration way one: easyFilter.xml

```xml
<?xml version="1.0" encoding="UTF-8"?>
<easyFilter xmlns="http://www.easyproject.cn/schema/easyFilter"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.easyproject.cn/schema/easyFilter http://www.easyproject.cn/schema/easyFilter/easyfilter-2.0.xsd">

    <!-- ######################### Request keyword filter ######################### -->
    <keywordFilter>
        <!-- Whether to filter keywords from request parameters
            - on: keyword filtering on
            - off: keyword filtering off
        -->
        <filter>on</filter>
        <!-- If a keyword is found, it is replaced with defaultReplace -->
        <defaultReplace></defaultReplace>
        <!--
            - Keyword and replacement list
            - Format: keyword replace
            - Notice: in an XML document, special characters must be written as character entities
        -->
        <replaceList>
            <!-- "<" in request data becomes "&lt;" and ">" becomes "&gt;"; both are written as entities here so the XML stays well-formed -->
            <replace keyword="&lt;" replace="&amp;lt;"></replace>
            <replace keyword="&gt;" replace="&amp;gt;"></replace>
            <replace keyword="fuck" replace="f***"></replace>
            <!--
            <replace keyword="bitch" replace="love"></replace>
            <replace keyword="毒品" replace="XX"></replace>
            -->
        </replaceList>
        <!--
            - Parameter names excluded from keyword filtering
            - Format: regexParameterName##regexParameterName2##...
            - Supports regular expressions
        -->
        <excludeParameters>
            <keyword>password</keyword>
            <keyword>.*.password</keyword>
            <keyword>confirmPwd</keyword>
        </excludeParameters>
        <!--
            - URIs excluded from keyword filtering, matched against request.getRequestURI()
            - Format: regexURI##regexURI2##...
            - Supports regular expressions
        -->
        <excludeURI>
            <!--
            <uri>/test\.jsp</uri>
            <uri>add\.action</uri>
            -->
        </excludeURI>
    </keywordFilter>

    <!-- ######################### SQL inject keyword filter ######################### -->
    <sqlFilter>
        <!--
            - Whether to filter SQL-injection keywords from request parameters
            - on: SQL-injection keyword filtering on
            - off: SQL-injection keyword filtering off
        -->
        <filter>off</filter>
        <!--
            - SQL-injection keywords; when the filter is on, these words are
              replaced with an empty string in the request parameters
            - Format: word##word2##...
        -->
        <injectFilterList>
            <value>
                and##exec##insert##select##delete##update##count##chr##mid##master##truncate##char##declare##or
            </value>
            <value>
                ;##-##+##,##*##%
            </value>
        </injectFilterList>
        <!--
            - Parameter names included in SQL-injection filtering
            - Format: regexParameterName##regexParameterName##...
            - Supports regular expressions
            - eg. sysUser.name
        -->
        <includeParameters>
            <!--
            <value>sysUser.name</value>
            -->
        </includeParameters>
    </sqlFilter>
</easyFilter>
```
- Configuration way two: easyFilter.properties

```properties
# EasyFilter
# @author easyproject.cn
# @author [email protected]
# easyFilter-failsafe.properties is the default configuration for EasyFilter, used when no easyFilter.properties is configured.

######################### Request keyword filter #########################
# Whether to filter keywords from request parameters
# on: keyword filtering on
# off: keyword filtering off
# any value other than on or off is treated as off
keywordFilter=on

# If a keyword is found, replace it with defaultReplace
defaultReplace=

# Keyword and replacement list
# Format: keyword,replace##keyword2,replace2##...
keywordAndReplaceList=<,&lt;\#\#>,&gt;

# User-defined keyword filter items
# If an item's keyword also appears in keywordAndReplaceList, the item takes priority
# Format: keyword=replace
# eg. bitch=love
# eg. \u6BD2\u54C1=*
fuck=f***

# Parameter names excluded from keyword filtering
# Format: regexParameterName##regexParameterName##...
# Supports regular expressions
excludeKeywordFilterParameters=password\#\#.*.password\#\#confirmPwd

# URIs excluded from keyword filtering, matched against request.getRequestURI()
# Format: regexURI##regexURI2##...
# Supports regular expressions
# eg. excludeKeywordFilterURI=/test\.jsp##add\.action
excludeKeywordFilterURI=

######################### SQL inject keyword filter #########################
# Whether to filter SQL-injection keywords from request parameters
# on: SQL-injection keyword filtering on
# off: SQL-injection keyword filtering off
# any value other than on or off is treated as off
sqlInjectFilter=off

# SQL-injection keywords; when sqlInjectFilter is on, these words are replaced with an empty string in the request parameters
# Format: word##word2##...
sqlInjectFilterList=and\#\#exec\#\#insert\#\#select\#\#delete\#\#update\#\#count\#\#*\#\#%\#\#chr\#\#mid\#\#master\#\#truncate\#\#char\#\#declare\#\#;\#\#or\#\#-\#\#+\#\#,

# Parameter names included in SQL-injection filtering
# Format: regexParameterName##regexParameterName##...
# Supports regular expressions
# eg. includeSqlInjectFilterParameters=sysUser.name
includeSqlInjectFilterParameters=
```
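As an added illustration (not EasyFilter's own code), the following stand-alone Java program models the two replacement stages configured above, using the `##`-separated values from the properties example. The class name, the case-sensitive substring removal in the SQL stage and the shortened SQL word list are assumptions made here, not documented behaviour of the project.

```java
import java.util.*;
import java.util.regex.Pattern;

/** Stand-alone model of EasyFilter's two replacement stages; not the project's own code. */
public class EasyFilterModel {
    // Values taken from the easyFilter.properties example (SQL list shortened),
    // using the "##" separator that the configuration format documents.
    static final String KEYWORD_AND_REPLACE = "<,&lt;##>,&gt;";
    static final String EXCLUDE_PARAMS = "password##.*.password##confirmPwd";
    static final String SQL_INJECT_LIST = "and##or##select##delete##-##,";

    static final Map<String, String> replacements = new LinkedHashMap<>();
    static final List<Pattern> excludedNames = new ArrayList<>();
    static final List<String> sqlWords = new ArrayList<>();

    static {
        for (String pair : KEYWORD_AND_REPLACE.split("##")) {
            String[] kv = pair.split(",", 2);            // "keyword,replace"
            replacements.put(kv[0], kv[1]);
        }
        for (String regex : EXCLUDE_PARAMS.split("##")) excludedNames.add(Pattern.compile(regex));
        sqlWords.addAll(Arrays.asList(SQL_INJECT_LIST.split("##")));
    }

    /** Stage 1: keyword replacement, skipped when the parameter name matches an exclude regex. */
    static String keywordFilter(String name, String value) {
        for (Pattern p : excludedNames) if (p.matcher(name).matches()) return value;
        for (Map.Entry<String, String> e : replacements.entrySet())
            value = value.replace(e.getKey(), e.getValue());
        return value;
    }

    /** Stage 2: SQL keyword blacklist, modelled here as case-sensitive substring removal (assumption). */
    static String sqlInjectFilter(String value) {
        for (String w : sqlWords) value = value.replace(w, "");
        return value;
    }

    public static void main(String[] args) {
        Map<String, String> params = new LinkedHashMap<>();  // constructed request parameters
        params.put("comment", "<script>alert(1)</script>");  // markup gets entity-escaped
        params.put("user.password", "a<b>c");                // matches ".*.password": left untouched
        params.put("city", "Portland, Oregon");              // legitimate text hit by "and", "or" and ","
        for (Map.Entry<String, String> e : params.entrySet()) {
            System.out.printf("%-14s keyword-filtered: %-42s sql-filtered: %s%n", e.getKey(),
                    keywordFilter(e.getKey(), e.getValue()), sqlInjectFilter(e.getValue()));
        }
    }
}
```

Running it shows the excluded `user.password` parameter passing through untouched while an ordinary city name is mangled by the SQL word list; a substring blacklist of this kind is a coarse control that supplements, rather than replaces, parameterized queries.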
If you have more comments, suggestions or ideas, please contact me.
Email: [email protected]