springboot xss 注入問題
阿新 • • 發佈:2018-11-22
思路
使用全域性過濾的方式來預防xss注入問題
當然thymeleaf 模板也可以用來預防xss注入
這裡採用Jsoup 來防止xss注入
步驟
一 匯入jar包
<!-- jsoup release used by this post. Later jsoup releases renamed the Whitelist API
     to Safelist and also carry fixes to the HTML cleaner, so check for a current
     version before adopting this snippet as-is. -->
<dependency>
<groupId>org.jsoup</groupId>
<artifactId>jsoup</artifactId>
<version>1.11.3</version>
</dependency>
相關程式碼 一共兩個檔案
過濾器程式碼
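package com.***.config.xss;

import javax.servlet.*;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/**
 * XSS filter: every request whose servlet path is not on the white list is
 * wrapped in an {@link XssHttpServletRequestWrapper}, so that the request
 * parameters seen by downstream code are HTML-sanitised. White-listed paths
 * are passed through untouched.
 * <p>
 * NOTE(review): a {@code @WebFilter}-annotated class is only registered with
 * Spring Boot's embedded container when the application enables
 * {@code @ServletComponentScan} (or registers the filter explicitly); confirm
 * the filter is actually active before relying on it.
 *
 * @author imsjw
 * Create Time: 2018/8/10
 */
@WebFilter
public class XssFilter implements Filter {

    /**
     * Servlet paths that bypass sanitisation (exact string match, see
     * {@link #isWhiteList}). Populated in {@link #init}; left public and
     * mutable so existing callers that adjust it keep working.
     */
    public List<String> whiteList = new ArrayList<>();

    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
        // Example entries; the second one is a placeholder from the original post.
        whiteList.add("/user/mgr");
        whiteList.add("白名單路徑");
    }

    /**
     * Passes white-listed requests down the chain unchanged and wraps all
     * others in {@link XssHttpServletRequestWrapper}.
     *
     * @throws IOException      propagated from the rest of the chain
     * @throws ServletException propagated from the rest of the chain
     */
    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        if (isWhiteList(req)) {
            chain.doFilter(request, response);
            return;
        }
        chain.doFilter(new XssHttpServletRequestWrapper(req), response);
    }

    /**
     * Exact match of {@code request.getServletPath()} against {@link #whiteList}.
     * Only the servlet path takes part in the comparison; path info and the
     * query string are not considered.
     *
     * @return {@code true} when the request must bypass sanitisation
     */
    private boolean isWhiteList(HttpServletRequest request) {
        return whiteList.contains(request.getServletPath());
    }

    @Override
    public void destroy() {
        // Nothing to release.
    }
}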
請求包裝器程式碼（XssHttpServletRequestWrapper）
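package com.***.config.xss;

import org.jsoup.Jsoup;
import org.jsoup.safety.Whitelist;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import java.util.Collections;
import java.util.LinkedHashMap;
import java.util.Map;

/**
 * Request wrapper that runs every request parameter value through
 * {@link Jsoup#clean(String, Whitelist)} with {@link Whitelist#relaxed()} and
 * trims the result.
 * <p>
 * Coverage: {@link #getParameter}, {@link #getParameterValues} and
 * {@link #getParameterMap} all return sanitised values. The base class
 * delegates {@code getParameter}/{@code getParameterMap} straight to the
 * wrapped request, so overriding only {@code getParameterValues} (as the
 * original did) left those two accessors returning raw input. Headers,
 * cookies and the raw request body (e.g. JSON bound via {@code @RequestBody})
 * are NOT covered and are returned unchanged.
 * <p>
 * Because {@code Jsoup.clean} produces an HTML fragment, plain-text values are
 * altered as well: characters such as '<', '>' and '&' come back as HTML
 * entities, and the cleaner may insert whitespace around block elements.
 * Callers that store parameters as raw text (e.g. passwords or free-form
 * data containing '&') will see the encoded form.
 *
 * @author ruoyi
 */
public class XssHttpServletRequestWrapper extends HttpServletRequestWrapper {

    /**
     * @param request the request whose parameters are to be sanitised
     */
    public XssHttpServletRequestWrapper(HttpServletRequest request) {
        super(request);
    }

    /**
     * First sanitised value of the parameter, or {@code null} when absent,
     * as the Servlet API specifies for {@code getParameter}.
     */
    @Override
    public String getParameter(String name) {
        String[] values = getParameterValues(name);
        return (values == null || values.length == 0) ? null : values[0];
    }

    /**
     * Sanitised copy of the wrapped request's values, or {@code null} when
     * the parameter is absent.
     */
    @Override
    public String[] getParameterValues(String name) {
        return clean(super.getParameterValues(name));
    }

    /**
     * Sanitised copy of the wrapped parameter map. Returned unmodifiable, as
     * the Servlet API requires for {@code getParameterMap}.
     */
    @Override
    public Map<String, String[]> getParameterMap() {
        Map<String, String[]> raw = super.getParameterMap();
        if (raw == null) {
            return null;
        }
        Map<String, String[]> cleaned = new LinkedHashMap<>(raw.size());
        for (Map.Entry<String, String[]> entry : raw.entrySet()) {
            cleaned.put(entry.getKey(), clean(entry.getValue()));
        }
        return Collections.unmodifiableMap(cleaned);
    }

    /** Sanitises every element of {@code values}; {@code null} in, {@code null} out. */
    private static String[] clean(String[] values) {
        if (values == null) {
            return null;
        }
        String[] escaped = new String[values.length];
        for (int i = 0; i < values.length; i++) {
            escaped[i] = clean(values[i]);
        }
        return escaped;
    }

    /**
     * Drops everything outside {@link Whitelist#relaxed()} and trims
     * surrounding whitespace. A {@code null} value is passed through
     * unchanged; Jsoup would otherwise reject it.
     */
    private static String clean(String value) {
        if (value == null) {
            return null;
        }
        // Prevent XSS and strip leading/trailing whitespace (original intent).
        return Jsoup.clean(value, Whitelist.relaxed()).trim();
    }
}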