package org.eispframework.core.util;

import java.io.IOException;
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.List;
import java.util.Locale;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/* loaded from: input_file:org/eispframework/core/util/XssFilter.class */
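/**
 * Request filter that rejects requests whose URI or parameter values contain entries from a
 * fixed substring blacklist of HTML/script markers ({@link #safeless}) or SQL keywords
 * ({@link #safelessSql}). Rejected requests are forwarded to {@link #errorPath} with an
 * {@code errorMsg} request attribute set; accepted requests continue down the chain.
 *
 * <p>Every response passing through the filter gets an {@code X-Frame-OPTIONS: SAMEORIGIN} header.
 * Requests for which {@code WebServiceUrlUtil.getWebServiceUrl()} is true, and requests whose
 * path is listed in {@link #excludePaths}, skip the parameter checks (the URI check still applies
 * to excluded paths).
 *
 * <p>NOTE(review): this is a case-folded substring blacklist over the container-decoded values;
 * it does not decode further encodings itself, so it complements rather than replaces output
 * encoding in the views.
 *
 * <p>Configuration via filter init-params: {@code errorPath} (forward target) and
 * {@code excludePaths} (comma-separated list of paths exempt from parameter checks).
 */
public class XssFilter implements Filter {
    /** Forward target used when no {@code errorPath} init-param is supplied. */
    private static final String DEFAULT_ERROR_PATH = "webpage/login/error.jsp";

    // Retained for compatibility with the original class shape; not read by this filter.
    private FilterConfig config;
    private static String errorPath = DEFAULT_ERROR_PATH;
    private static String[] excludePaths = {"/eisp/cgreportconfigheadcontroller.do", "/eisp/xpsapplypricedetailcontroller.do", "/eisp/productlevelcontroller.do", "/eisp/tbkasystemlevelmcontroller.do", "/eisp/saleActivityController.do", "/eisp/saleactivitycontroller.do", "/eisp/xpsadvanceheadcontroller.do", "/eisp/xpsVerificationHeadController.do", "/eisp/xpsSalePlanController.do", "/eisp/tAcTerminalNiersonController.do", "/eisp/dataTransfer.do", "/eisp/qrcodeTerminalInfoController.do"};
    // Lower-case markers; input is folded with Locale.ROOT before matching, so keep these lower-case.
    private static final String[] safeless = {"<script", "</script", "<iframe", "</iframe", "<frame", "</frame", "set-cookie", "%3cscript", "%3c/script", "%3ciframe", "%3c/iframe", "%3cframe", "%3c/frame", "src=\"javascript:", "<body", "</body", "%3cbody", "%3c/body"};
    private static final String[] safelessSql = {"select", "drop", "--"};

    /**
     * Adds the anti-framing header, then either passes the request on or forwards it to the
     * error page when the URI or any parameter value fails the blacklist checks.
     *
     * @param servletRequest  the incoming request; must be an {@link HttpServletRequest}
     * @param servletResponse the outgoing response; must be an {@link HttpServletResponse}
     * @param filterChain     the remaining filter chain
     * @throws IOException      propagated from the chain or the forward
     * @throws ServletException propagated from the chain or the forward
     */
    @Override
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
        HttpServletRequest httpServletRequest = (HttpServletRequest) servletRequest;
        HttpServletResponse httpServletResponse = (HttpServletResponse) servletResponse;
        // Applied before any early return so rejected and web-service responses carry it too.
        httpServletResponse.addHeader("X-Frame-OPTIONS", "SAMEORIGIN");
        if (WebServiceUrlUtil.getWebServiceUrl()) {
            filterChain.doFilter(servletRequest, servletResponse);
            return;
        }
        if (isRequestSafe(httpServletRequest)) {
            filterChain.doFilter(servletRequest, servletResponse);
        } else {
            httpServletRequest.setAttribute("errorMsg", "您输入的参数有非法字符，请输入正确的参数！");
            httpServletRequest.getRequestDispatcher(errorPath).forward(httpServletRequest, httpServletResponse);
        }
    }

    /**
     * Applies the URI check, the exclude-list short-circuit, and the per-value parameter checks.
     *
     * @param request the request to inspect
     * @return {@code true} when the request may proceed down the chain
     */
    private boolean isRequestSafe(HttpServletRequest request) {
        String requestURI = request.getRequestURI();
        if (!isSafe(requestURI)) {
            return false;
        }
        if (excludeUrl(pathOf(requestURI))) {
            return true;
        }
        Enumeration<?> parameterNames = request.getParameterNames();
        while (parameterNames.hasMoreElements()) {
            String name = (String) parameterNames.nextElement();
            // getParameterValues rather than getParameter: getParameter yields only the first
            // value, so any further values of a repeated name would otherwise go unchecked.
            String[] values = request.getParameterValues(name);
            if (values == null) {
                continue;
            }
            for (String value : values) {
                if (StringUtil.isNotEmpty(value) && !(isSafe(value) && isSafeSql(value))) {
                    return false;
                }
            }
        }
        return true;
    }

    /**
     * Returns the URI from its first {@code '/'} onward, as used for exclude-list matching.
     * A URI with no slash is returned unchanged instead of raising an index error.
     *
     * @param requestURI the request URI; {@code null} is treated as empty
     * @return the path portion to compare against {@link #excludePaths}
     */
    private static String pathOf(String requestURI) {
        if (requestURI == null) {
            return "";
        }
        int slash = requestURI.indexOf('/');
        return slash < 0 ? requestURI : requestURI.substring(slash);
    }

    /**
     * Checks {@code str} against the HTML/script marker blacklist.
     *
     * @param str the value to inspect; {@code null} or empty is considered safe
     * @return {@code false} when a blacklisted marker occurs anywhere in the value
     */
    private static boolean isSafe(String str) {
        if (str == null || str.isEmpty()) {
            return true;
        }
        // Locale.ROOT: the default locale's case mapping (e.g. Turkish dotless i) could turn
        // "<IFRAME" into a string the lower-case marker list no longer matches.
        String lowered = str.toLowerCase(Locale.ROOT);
        for (String marker : safeless) {
            if (lowered.contains(marker)) {
                return false;
            }
        }
        return true;
    }

    /**
     * Checks {@code str} against the SQL keyword blacklist.
     *
     * @param str the value to inspect; values for which {@code StringUtil.isNotEmpty} is false are safe
     * @return {@code false} when a blacklisted keyword occurs anywhere in the value
     */
    private static boolean isSafeSql(String str) {
        if (!StringUtil.isNotEmpty(str)) {
            return true;
        }
        String lowered = str.toLowerCase(Locale.ROOT);
        for (String keyword : safelessSql) {
            if (lowered.contains(keyword)) {
                return false;
            }
        }
        return true;
    }

    /**
     * Reports whether {@code str} exactly matches (case-insensitively) an entry of {@link #excludePaths}.
     *
     * @param str the path to look up; {@code null} never matches
     * @return {@code true} when the path is exempt from parameter checks
     */
    private boolean excludeUrl(String str) {
        if (str == null || excludePaths == null || excludePaths.length == 0) {
            return false;
        }
        String lowered = str.toLowerCase(Locale.ROOT);
        for (String excluded : excludePaths) {
            if (lowered.equals(excluded.toLowerCase(Locale.ROOT))) {
                return true;
            }
        }
        return false;
    }

    /** Nothing to release: the filter holds no resources. */
    @Override
    public void destroy() {
    }

    /**
     * Reads the {@code errorPath} and {@code excludePaths} init-params. Missing or blank values
     * leave the built-in defaults in place; the exclude list is split on commas with entries trimmed.
     *
     * @param filterConfig the container-supplied configuration
     * @throws ServletException never thrown here; declared by the {@link Filter} contract
     */
    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
        this.config = filterConfig;
        String configuredErrorPath = filterConfig.getInitParameter("errorPath");
        // An absent init-param must not replace the default with null, which the
        // request dispatcher would reject on the first rejected request.
        if (configuredErrorPath != null && !configuredErrorPath.trim().isEmpty()) {
            errorPath = configuredErrorPath.trim();
        }
        String configuredExcludes = filterConfig.getInitParameter("excludePaths");
        if (configuredExcludes == null || configuredExcludes.trim().isEmpty()) {
            return;
        }
        excludePaths = parseExcludePaths(configuredExcludes);
    }

    /**
     * Splits a comma-separated list of paths, dropping blank entries and surrounding whitespace
     * so that "a, b" matches "/b" as the configuration author intends.
     *
     * @param csv the raw init-param value
     * @return the cleaned list of exclude paths (possibly empty)
     */
    private static String[] parseExcludePaths(String csv) {
        List<String> paths = new ArrayList<String>();
        for (String entry : csv.split(",")) {
            String trimmed = entry.trim();
            if (!trimmed.isEmpty()) {
                paths.add(trimmed);
            }
        }
        return paths.toArray(new String[paths.size()]);
    }
}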
