springboot 防禦XSS 攻擊的簡單實現
阿新 • 發佈:2018-12-19
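import javax.servlet.*;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import java.io.IOException;

/**
 * Servlet filter that wraps every HTTP request in an {@link XssHttpServletRequestWrapper}
 * so that downstream reads of request parameters/headers go through the XSS cleaning helper.
 *
 * Security notes for reviewers:
 * - This is input sanitisation. It is a defence-in-depth measure only; it does not replace
 *   context-aware output encoding in templates and a Content-Security-Policy, which are the
 *   actual XSS controls. Sanitising on the way in can also corrupt legitimate data
 *   (e.g. passwords or free text containing '<', quotes or parentheses).
 * - What is actually cleaned depends entirely on which accessors the wrapper overrides;
 *   request bodies read via getInputStream()/getReader() (JSON payloads) are not covered here.
 * - Registered with urlPatterns="/*", so it runs for every request, including static resources.
 */
@WebFilter(filterName = "xssFilter", urlPatterns = "/*")
public class XssFilter implements Filter {

    FilterConfig filterConfig = null;

    /** Keeps the container-supplied config; nothing is read from it by this filter. */
    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
        this.filterConfig = filterConfig;
    }

    /**
     * Wraps the request and continues the chain.
     *
     * Only HTTP requests can be wrapped. A non-HTTP ServletRequest is passed through
     * untouched instead of failing with a ClassCastException on the unchecked cast
     * the original code performed.
     */
    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        if (request instanceof HttpServletRequest) {
            chain.doFilter(new XssHttpServletRequestWrapper((HttpServletRequest) request), response);
        } else {
            chain.doFilter(request, response);
        }
    }

    /** Drops the reference to the config so the container can release it. */
    @Override
    public void destroy() {
        this.filterConfig = null;
    }
}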
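import com.juphoon.iron.nbntax.common.utils.FilterUtil;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import java.util.Collections;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.regex.Pattern;
import static java.util.regex.Pattern.*;

/**
 * Request wrapper that runs selected request data through {@code FilterUtil.cleanXSS}
 * before handing it to the application.
 *
 * Coverage (what IS cleaned): getParameter, getParameterValues, getParameterMap,
 * getHeader and String-valued request attributes.
 *
 * Known gaps (what is NOT cleaned): getQueryString, getHeaders(name) (the Enumeration
 * form), getCookies, getRequestURI/getPathInfo, and request bodies read through
 * getInputStream()/getReader() — e.g. JSON bound with @RequestBody bypasses this wrapper
 * entirely.
 *
 * Caveats:
 * - Every header is cleaned, including Authorization, Cookie and Content-Type. Whether
 *   that is harmless depends on what FilterUtil.cleanXSS does to those values
 *   (its implementation is not part of this listing) — verify before relying on it.
 * - Input sanitisation is defence in depth only; output encoding and CSP remain the
 *   primary XSS controls, and sanitising on input can mangle legitimate data.
 */
public class XssHttpServletRequestWrapper extends HttpServletRequestWrapper {

    public XssHttpServletRequestWrapper(HttpServletRequest request) {
        super(request);
    }

    /**
     * Returns a cleaned copy of the multi-valued parameter, or null when the parameter
     * is absent (matching the servlet contract).
     */
    @Override
    public String[] getParameterValues(String name) {
        String[] raw = super.getParameterValues(name);
        if (raw == null) {
            return null;
        }
        return cleanAll(raw);
    }

    /**
     * Returns a cleaned, read-only copy of the whole parameter map.
     *
     * Added because code that reads parameters through getParameterMap() (rather than
     * getParameter/getParameterValues) would otherwise see the raw, uncleaned values —
     * a straightforward bypass of this wrapper. The map is unmodifiable, as the servlet
     * spec requires for getParameterMap().
     */
    @Override
    public Map<String, String[]> getParameterMap() {
        Map<String, String[]> raw = super.getParameterMap();
        if (raw == null) {
            return null;
        }
        Map<String, String[]> cleaned = new LinkedHashMap<String, String[]>(raw.size());
        for (Map.Entry<String, String[]> entry : raw.entrySet()) {
            String[] values = entry.getValue();
            cleaned.put(entry.getKey(), values == null ? null : cleanAll(values));
        }
        return Collections.unmodifiableMap(cleaned);
    }

    /** Returns the cleaned single parameter value, or null when absent. */
    @Override
    public String getParameter(String name) {
        String raw = super.getParameter(name);
        return raw == null ? null : cleanXSS(raw);
    }

    /**
     * Returns the attribute, cleaning it when it is a String.
     *
     * The original override called cleanXSS on the value and then discarded the result,
     * so it never cleaned anything; this version returns the cleaned string, which is
     * what the method's documentation claimed. Attributes are set server-side
     * (framework, container error attributes, application code), so if this turns out
     * to alter framework-internal String attributes, drop this override rather than
     * weakening cleanXSS.
     */
    @Override
    public Object getAttribute(String name) {
        Object value = super.getAttribute(name);
        if (value instanceof String) {
            return cleanXSS((String) value);
        }
        return value;
    }

    /** Returns the cleaned header value, or null when the header is absent. */
    @Override
    public String getHeader(String name) {
        String raw = super.getHeader(name);
        return raw == null ? null : cleanXSS(raw);
    }

    /**
     * Blacklist-style escaper kept from the original listing for reference. It is NOT
     * called anywhere in this class; cleanXSS() is what the overrides use.
     *
     * Do not reinstate it as-is:
     * - As rendered on this page the first three replacements map each character onto
     *   itself (a no-op); they were presumably HTML entity references (e.g. an escaped
     *   less-than) that the page decoded — TODO confirm against the original source.
     * - replaceAll("script", "") is trivially bypassed: "scrscriptipt" collapses to
     *   "script" after one pass, and case variants ("ScRiPt") are not matched at all.
     * - "eval\\((.*)\\)" is greedy and deletes everything between the first "eval(" and
     *   the last ")", which destroys legitimate data around it.
     * Blacklists of this kind are not a reliable XSS control; use output encoding.
     */
    private String cleanXSS2(String value) {
        // 移除特殊標籤
        value = value.replaceAll("<", "<").replaceAll(">", ">");
        value = value.replaceAll("\\(", "(").replaceAll("\\)", ")");
        value = value.replaceAll("'", "'");
        value = value.replaceAll("eval\\((.*)\\)", "");
        value = value.replaceAll("[\\\"\\\'][\\s]*javascript:(.*)[\\\"\\\']", "\"\"");
        value = value.replaceAll("script", "");
        return value;
    }

    /** Delegates to the shared project helper; its exact behaviour is not shown here. */
    private String cleanXSS(String value) {
        return FilterUtil.cleanXSS(value);
    }

    /** Cleans each element into a fresh array; the caller's array is never mutated. */
    private String[] cleanAll(String[] values) {
        String[] cleaned = new String[values.length];
        for (int i = 0; i < values.length; i++) {
            cleaned[i] = cleanXSS(values[i]);
        }
        return cleaned;
    }
}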
最後在 Spring Boot 啟動類上添加以下註解，讓 Spring Boot 掃描並註冊以 `@WebFilter` 標註的過濾器（缺少此註解時，上面的 XssFilter 不會被註冊，也就不會生效）：
@ServletComponentScan