一概念
1防盗链
在HTTP协议中,有一个表头字段叫referer,采用URL的格式来表示从哪儿链接到当前的网页或文件,通过referer,网站可以检测目标网页访问的来源网页。有了referer跟踪来源就好办了,这时就可以通过技术手段来进行处理,一旦检测到来源不是本站即进行阻止或者返回指定的页面。
2页面中的转义字符
在HTML中,定义转义字符串的原因有两个:第一个原因是像“<”和“>”这类符号已经用来表示HTML标签,因此就不能直接当作文本中的符号来使用。为了在HTML文档中使用这些符号,就需要定义它的转义字符串。
| 字符 | 转义字符 |
| " | " |
| & | & |
| < | < |
| > | > |
| 空格 | |
-------------------------------------------------------------------------------------------------------
2.1防盗链的实现
1.tld约束
<tag> <name>referer</name> <tag-class>com.tag.RefererTag</tag-class> <body-content>empty</body-content> <attribute> <name>site</name> <required>true</required> </attribute> <attribute> <name>page</name> <required>true</required> </attribute> </tag>
2.实现了简单Tag接口的自定义Tag处理类
package com.tag; import java.io.IOException; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import javax.servlet.jsp.JspException; import javax.servlet.jsp.PageContext; import javax.servlet.jsp.SkipPageException; import javax.servlet.jsp.tagext.SimpleTagSupport; public class RefererTag extends SimpleTagSupport{ private String site; private String page; public void setSite(String site) { this.site = site; } public void setPage(String page) { this.page = page; } @Override public void doTag() throws JspException, IOException { PageContext context = (PageContext)this.getJspContext(); HttpServletRequest request = (HttpServletRequest)context.getRequest(); HttpServletResponse response = (HttpServletResponse)context.getResponse(); String referer = request.getHeader("referer"); String path = request.getContextPath(); if(referer==null||referer.startsWith(site)){ if(page.startsWith(path)) response.sendRedirect(page); else if(page.startsWith("/")) response.sendRedirect(path+page); else response.sendRedirect(path+"/"+page); // throw new SkipPageException(); 不执行
// 执行则是jsp片段invoke } } }
3. 页面引用
------------index.jsp-------------------referer.jsp-----------
4.结果页面跳转
-----------------------------------------------------------------------------------------------------------
2.2转义标签的实现
1.tld约束
<tag> <name>htmlfilter</name> <tag-class>com.tag.HtmlFilterTag</tag-class> <body-content>scriptless</body-content> <!-- <body-content>tagdependent</body-content> --> </tag>
2.自定义Tag处理类(其中Filter方法来自)
apache_tomcat-6.0.39.webappsexamplesWEB-INFclasses.util包
package com.tag; import java.io.IOException; import java.io.StringWriter; import javax.servlet.jsp.JspException; import javax.servlet.jsp.tagext.JspFragment; import javax.servlet.jsp.tagext.SimpleTagSupport; public class HtmlFilterTag extends SimpleTagSupport{ @Override public void doTag() throws JspException, IOException { JspFragment jf = this.getJspBody(); StringWriter content = new StringWriter(); jf.invoke(content); String _content = filter(content.getBuffer().toString()); this.getJspContext().getOut().write(_content); } public static String filter(String message) { if (message == null) return (null); char content[] = new char[message.length()]; message.getChars(0, message.length(), content, 0); StringBuffer result = new StringBuffer(content.length + 50); for (int i = 0; i < content.length; i++) { switch (content[i]) { case '<': result.append("<"); break; case '>': result.append(">"); break; case '&': result.append("&"); break; case '"': result.append("""); break; default: result.append(content[i]); } } return (result.toString()); } }
3.页面引用
<%@ page language="java" import="java.util.*" pageEncoding="UTF-8"%> <%@ taglib uri="http://self-tag-with-hello" prefix="i" %> <html> <head> <title>filter</title> </head> <body> <i:htmlfilter> <a href="${pageContext.request.contextPath}/referer.jsp">小呵呵</a> <body-content>scriptless</body-content> </i:htmlfilter> </body> </html>
4.结果展示
5.body-content类型介绍
