SpringBoot+Xss过滤(@RequestBody参数过滤Xss)记⼀次SpringBoot+Xss过滤
XssFilter过滤器
import org.springframework.stereotype.Component;
import org.springframework.web.multipart.MultipartHttpServletRequest;
import org.springframework.web.multipartmons.CommonsMultipartResolver;
import javax.servlet.*;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import java.io.IOException;
import com.jfinal.kit.StrKit;
/**
* @ProjectName: smt
* @ClassName:
* @Description:
* @Author: yue zhenbin
* @Date: 2021/7/7 9:16
*/
@Component
@WebFilter(urlPatterns = "/*", filterName = "xssFilter")
public class XssFilter implements Filter {
@Override
public void init(FilterConfig filterConfig) throws ServletException {
}
@Override
public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {        String contentType = ContentType();
if (Blank(contentType) && ains("multipart/form-data")) {//对图⽚上传不进⾏xss过滤
chain.doFilter(request, response);
}else {
XssHttpServletRequestWrapper xssRequest = new XssHttpServletRequestWrapper((HttpServletRequest) request);
chain.doFilter(xssRequest, response);
}
}
@Override
public void destroy() {}
}
XssHttpServletRequestWrapper过滤规则类
主要针对@RequestBody进⾏的参数过滤
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.nio.charset.Charset;
import javax.servlet.ReadListener;
import javax.servlet.ServletInputStream;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import org.apachemons.lang3.StringUtils;
import org.jsoup.Jsoup;
import des.Document;
import des.Document.OutputSettings;
import org.jsoup.safety.Whitelist;
import org.springframework.util.StreamUtils;
import com.alibaba.fastjson.JSONObject;
/**
* XSS过滤处理
*
* @author ruoyi
*/
public class XssHttpServletRequestWrapper extends HttpServletRequestWrapper {
//使⽤basic()
private static final Whitelist whitelist = createWhitelist();
private static final OutputSettings outputSettings = new Document.OutputSettings().prettyPrint(false);    private byte[] requestBody;
private Charset charSet;
private static Whitelist createWhitelist() {
return Whitelist.basic();
}
private static String filter(String value) {
if(value!=null) {
value = Jsoup.clean(value, "", whitelist, outputSettings).trim();
}
return value;
}
/**
*
* @param request
*/
public XssHttpServletRequestWrapper(HttpServletRequest request) {
super(request);
//缓存请求body
try {
String requestBodyStr = getRequestPostStr(request);
requestBodyStr=filterBadString(requestBodyStr);
if (StringUtils.isNotBlank(requestBodyStr)) {
requestBodyStr=filter(requestBodyStr);
JSONObject resultJson = JSONObject.parseObject(requestBodyStr);
requestBody = String().getBytes(charSet);
} else {
requestBody = new byte[0];
}
} catch (IOException e) {
e.printStackTrace();
}
}
/**
* 获取POST请求体中数据
* @param request
* @return
* @throws IOException
*/
public String getRequestPostStr(HttpServletRequest request)
throws IOException {
String charSetStr = CharacterEncoding();
if (charSetStr == null) {
charSetStr = "UTF-8";
}
charSet = Charset.forName(charSetStr);
InputStream(), charSet);
}
@Override
public ServletInputStream getInputStream() {
if (requestBody == null) {
requestBody = new byte[0];
}
final ByteArrayInputStream byteArrayInputStream = new ByteArrayInputStream(requestBody);        return new ServletInputStream() {
@Override
public boolean isFinished() {
return false;
}
@Override
public boolean isReady() {
return false;
}
@Override
public void setReadListener(ReadListener readListener) {
}
@Override
public int read() {
ad();
}
};
}
/**
* 特殊字符过滤
*
* @param value
replaceall()* @return
*/
private  static String filterBadString(String value) {
String REP_TIPS = "BadParamter";
value = placeAll("select", REP_TIPS);
value = placeAll("SELECT", REP_TIPS);
value = placeAll("insert", REP_TIPS);
value = placeAll("INSERT", REP_TIPS);
value = placeAll("delete", REP_TIPS);
value = placeAll("DELETE", REP_TIPS);
value = placeAll("update", REP_TIPS);
value = placeAll("UPDATE", REP_TIPS);
value = placeAll("script", REP_TIPS);
value = placeAll(">", REP_TIPS);
value = placeAll("<", REP_TIPS);
value = placeAll("=", REP_TIPS);
value = placeAll("@", REP_TIPS);
return value;
}
}
启动类需添加Servlet扫描:@ServletComponentScan("fig.XssFilter")
所需要的依赖:
<dependency>
<groupId>org.jsoup</groupId>
<artifactId>jsoup</artifactId>
<version>1.10.2</version>
</dependency>
<dependency>
<groupId>org.apachemons</groupId>            <artifactId>commons-lang3</artifactId>
</dependency>
<!-- jfinal 核⼼包 -->
<dependency>
<groupId>com.jfinal</groupId>
<artifactId>jfinal</artifactId>
<version>2.2</version>
</dependency>
<dependency>
<groupId>com.jfinal</groupId>
<artifactId>cos</artifactId>
<version>26Dec2008</version>
</dependency>

版权声明:本站内容均来自互联网,仅供演示用,请勿用于商业和其他非法用途。如果侵犯了您的权益请与我们联系QQ:729038198,我们将在24小时内删除。