springbootxss防御配置
注意:
这个xss过滤器有一些问题,比如某些时候,使用jquery ajax post的时候,如果是传的默认的 "application/x-www-form-urlencoded",会出现Controller中的bean接收的值为null的情况,
当我调整ajax设置 contentType:"application/json",dataType:"json" 发送一个带post json数据时,xss报错,于是删除整个xss包,不再使用这四个类,jquery ajax post一切正常,可以以默认方式提交。(之前只能用axios去拼接参数到url里来实现post(将拼接的参数存入一个变量))
总共4个类,放在config.safe.xss包下了:
package fig.safe.xss;
import javax.servlet.ServletRequest;
import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.nio.charset.Charset;
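public class HttpGetBody {
    /**
     * Reads the whole request body into a String, decoding it as UTF-8.
     *
     * <p>The body is read through a char buffer rather than line by line, so
     * line terminators are kept exactly as they were sent (the previous
     * readLine() loop silently dropped them). Reading the body consumes the
     * request's input stream; for a form post the container typically parses
     * its parameters from that same stream, so callers that need both must
     * decide which one they want before calling this.
     *
     * @param request the request whose input stream is read
     * @return the body text (possibly empty); on an I/O error, the text read so far
     */
    public static String getBodyString(ServletRequest request) {
        StringBuilder sb = new StringBuilder();
        char[] buf = new char[4096];
        // try-with-resources closes the reader, and with it the stream, exactly once;
        // the old code closed both by hand and so closed the stream twice.
        try (InputStream inputStream = request.getInputStream();
             BufferedReader reader = new BufferedReader(
                     new InputStreamReader(inputStream, Charset.forName("UTF-8")))) {
            int n;
            while ((n = reader.read(buf)) != -1) {
                sb.append(buf, 0, n);
            }
        } catch (IOException e) {
            // Best effort, as before: whatever was read is returned. A truncated
            // body is therefore possible, so callers should not treat the result
            // as complete when this path is taken.
            e.printStackTrace();
        }
        return sb.toString();
    }
}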
package fig.safe.xss;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import java.io.IOException;
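public class XssFilter implements Filter {
    @Override
    public void init(FilterConfig config) throws ServletException {
        // No configuration is read; init parameters registered for this filter are ignored.
    }

    /**
     * Wraps HTTP requests in {@link XssHttpServletRequestWrapper} so that
     * parameters, headers and the body are XSS-encoded before the application
     * sees them.
     *
     * <p>Non-HTTP requests are passed through unchanged; the previous
     * unconditional cast would have failed with a ClassCastException for them.
     *
     * @param request  the incoming request
     * @param response the outgoing response, passed on untouched
     * @param chain    the rest of the filter chain
     * @throws IOException      propagated from the chain
     * @throws ServletException propagated from the chain
     */
    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        if (request instanceof HttpServletRequest) {
            chain.doFilter(new XssHttpServletRequestWrapper((HttpServletRequest) request), response);
        } else {
            chain.doFilter(request, response);
        }
    }

    @Override
    public void destroy() {
        // Nothing to release.
    }
}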
package fig.safe.xss;
import org.springframework.boot.web.servlet.FilterRegistrationBean;
import t.annotation.Bean;
import t.annotation.Configuration;
import javax.servlet.Filter;
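@Configuration
public class XSSFilterConfig {
    /**
     * Registers {@link XssFilter} for every URL pattern.
     *
     * <p>{@code FilterRegistrationBean} is left raw on purpose: it is generic in
     * Spring Boot 2.x but not in 1.x, and the target version is not stated here.
     * The former placeholder init parameter ({@code paramName=paramValue}) is
     * dropped: {@link XssFilter#init} reads no parameters.
     *
     * @return the registration for the XSS filter, mapped to {@code /*}
     */
    @Bean
    public FilterRegistrationBean filterRegistrationBean() {
        FilterRegistrationBean registration = new FilterRegistrationBean();
        registration.setFilter(xssFilter());
        registration.addUrlPatterns("/*");
        registration.setName("xssFilter");
        return registration;
    }

    /**
     * Creates the filter bean that {@link #filterRegistrationBean()} registers.
     *
     * @return a new {@link XssFilter}
     */
    @Bean(name = "xssFilter")
    public Filter xssFilter() {
        return new XssFilter();
    }
}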
package fig.safe.xss;
import org.apachemons.lang.StringUtils;
import javax.servlet.ServletInputStream;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.util.HashMap;
import java.util.Iterator;
import java.util.Map;
public class XssHttpServletRequestWrapper extends HttpServletRequestWrapper {    HttpServletRequest orgRequest = null;
private String body;
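/**
 * Wraps the request and, for non-form content types, buffers its body so
 * that {@code getInputStream()} can serve an encoded copy.
 *
 * <p>Reading the body here consumes the request's input stream. For a form
 * post ({@code application/x-www-form-urlencoded}) the container parses the
 * parameters from that same stream, so buffering it up front leaves
 * {@code getParameter()} with nothing to return; that is the "bean fields
 * are null" symptom described at the top of this page. Form bodies are
 * therefore not buffered; their values are still encoded through
 * {@code getParameter}/{@code getParameterValues}/{@code getParameterMap}.
 * Multipart bodies are likewise parsed from the stream by the container and
 * are not text, so they are not buffered either.
 *
 * @param request the request to wrap
 */
public XssHttpServletRequestWrapper(HttpServletRequest request) {
    super(request);
    orgRequest = request;
    String contentType = request.getContentType();
    String lowered = contentType == null ? "" : contentType.toLowerCase(java.util.Locale.ROOT);
    boolean containerParsesBody =
            lowered.startsWith("application/x-www-form-urlencoded")
                    || lowered.startsWith("multipart/");
    if (containerParsesBody) {
        body = null;
    } else {
        body = HttpGetBody.getBodyString(request);
    }
}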
/**
 * Returns the named parameter with XSS-sensitive characters replaced.
 *
 * <p>The name is encoded before the lookup and the value is encoded before
 * it is returned. The untouched value is still available through
 * {@code orgRequest.getParameter(name)}.
 *
 * @param name parameter name
 * @return the encoded value, or {@code null} when the parameter is absent
 */
@Override
public String getParameter(String name) {
    String raw = super.getParameter(xssEncode(name, 0));
    return raw == null ? null : xssEncode(raw, 0);
}
/**
 * Returns all values of the named parameter, each with XSS-sensitive
 * characters replaced. The name is encoded before the lookup, as in
 * {@link #getParameter(String)}.
 *
 * @param name parameter name
 * @return a new array of encoded values, or {@code null} when the parameter is absent
 */
@Override
public String[] getParameterValues(String name) {
    String[] raw = super.getParameterValues(xssEncode(name, 0));
    if (raw == null) {
        return null;
    }
    String[] encoded = new String[raw.length];
    int idx = 0;
    for (String value : raw) {
        encoded[idx++] = xssEncode(value, 0);
    }
    return encoded;
}
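/**
 * Returns a copy of the parameter map with every value XSS-encoded.
 *
 * <p>The previous version cloned the container's map and then overwrote the
 * value arrays in place; the clone is shallow, so that also rewrote the arrays
 * owned by the underlying request. Keys and arrays are copied here and the
 * wrapped request is left untouched. The cast of the container's map to
 * {@code HashMap} is gone as well: the container may return any {@code Map}
 * implementation. Keys are not encoded, matching the original behavior.
 *
 * @return a new map whose keys are unchanged and whose values are encoded copies
 */
@Override
public Map<String, String[]> getParameterMap() {
    Map<String, String[]> source = super.getParameterMap();
    Map<String, String[]> encoded = new HashMap<String, String[]>();
    if (source == null) {
        return encoded;
    }
    for (Map.Entry<String, String[]> entry : source.entrySet()) {
        String[] values = entry.getValue();
        String[] copy = null;
        if (values != null) {
            copy = new String[values.length];
            for (int i = 0; i < values.length; i++) {
                // xssEncode returns null/empty input unchanged, so no extra check is needed.
                copy[i] = xssEncode(values[i], 0);
            }
        }
        encoded.put(entry.getKey(), copy);
    }
    return encoded;
}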
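/**
 * Returns the buffered request body with XSS-sensitive characters replaced,
 * as a replayable stream.
 *
 * <p>The previous version cast a {@code ByteArrayInputStream} to
 * {@code ServletInputStream}, which fails with a ClassCastException for any
 * request that has a body (the error the page reports for JSON posts), and
 * returned {@code null} when the body was empty. The encoded bytes are now
 * served through a real {@code ServletInputStream}, and an absent body falls
 * back to the wrapped request's own stream. The {@code body} field is no
 * longer overwritten, so repeated calls see the same input.
 *
 * @return a stream over the encoded body, or the wrapped request's stream when nothing was buffered
 * @throws IOException from the wrapped request's {@code getInputStream()} or the UTF-8 conversion
 */
@Override
public ServletInputStream getInputStream() throws IOException {
    if (body == null || body.isEmpty()) {
        return super.getInputStream();
    }
    final ByteArrayInputStream bytes =
            new ByteArrayInputStream(xssEncode(body, 1).getBytes("UTF-8"));
    // NOTE(review): isFinished/isReady/setReadListener are the Servlet 3.1 abstract
    // methods; confirm the target container is 3.1+ (Spring Boot's embedded servers are).
    return new ServletInputStream() {
        @Override
        public int read() throws IOException {
            return bytes.read();
        }

        @Override
        public int read(byte[] b, int off, int len) throws IOException {
            return bytes.read(b, off, len);
        }

        @Override
        public boolean isFinished() {
            return bytes.available() == 0;
        }

        @Override
        public boolean isReady() {
            return true;
        }

        @Override
        public void setReadListener(javax.servlet.ReadListener listener) {
            throw new UnsupportedOperationException("non-blocking reads are not supported");
        }
    };
}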
/**
 * Returns the named header with XSS-sensitive characters replaced; both the
 * name used for the lookup and the returned value go through
 * {@code xssEncode}. The raw header can still be read from {@code orgRequest}.
 * As the original note says, {@code getHeaderNames} may need the same treatment.
 *
 * @param name header name
 * @return the encoded header value, or {@code null} when the header is absent
 */
@Override
public String getHeader(String name) {
    String found = super.getHeader(xssEncode(name, 0));
    if (found == null) {
        return null;
    }
    return xssEncode(found, 0);
}
/**
* 将容易引起xss漏洞的半⾓字符直接替换成全⾓字符
*
* @param s
* @return
*/
private static String xssEncode(String s, int type) {
if (s == null || s.isEmpty()) {
return s;
}
StringBuilder sb = new StringBuilder(s.length() + 16);
for (int i = 0; i < s.length(); i++) {
char c = s.charAt(i);
if (type == 0) {
switch (c) {
case '\'':
// 全⾓单引号
sb.append('‘');
break;
case '\"':
// 全⾓双引号
sb.append('“');
break;
case '>':
// 全⾓⼤于号
sb.append('>');
break;
case '<':
// 全⾓⼩于号
sb.append('<');
break;
case '&':
/
/ 全⾓&符号
sb.append('&');
break;
case '\\':
// 全⾓斜线
sb.append('\');
break;
case '#':
// 全⾓井号
sb.append('#');
break;
/
/ < 字符的 URL 编码形式表⽰的 ASCII 字符(⼗六进制格式)是: %3c
case '%':
processUrlEncoder(sb, s, i);
break;
default: