Java 防止XSS攻击(Spring boot & Spring 方式)

Java 防止XSS攻击(Spring boot & Spring 方式)。以下方式的 pom 依赖都基于 hutool:`<dependency><groupId>cn.hutool</groupId><artifactId>hutool-all</artifactId><version>5.3.7</version></dependency>`


以下方式的pom依赖都基于hutool



<dependency>
    <groupId>cn.hutool</groupId>
    <artifactId>hutool-all</artifactId>
    <version>5.3.7</version>
</dependency>


——SpringBoot

注解方式

  1. 过滤器
package com.xlj.xssdemo.filter;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import java.io.IOException;

/**
 * Servlet filter that hands every request down the chain wrapped in an
 * {@link XssFilterWrapper}, so downstream code that reads headers, the query string
 * or request parameters through the wrapper sees escaped values.
 *
 * <p>Mapped to every path by {@code @WebFilter(urlPatterns = "/*")}. The annotation is
 * only honoured when the application enables servlet component scanning for this
 * package (see {@code @ServletComponentScan} on the application class).
 *
 * <p>Scope: only the accessors the wrapper overrides are escaped. A request body read
 * via {@code getInputStream()}/{@code getReader()} (e.g. a JSON {@code @RequestBody})
 * passes through untouched.
 */
@WebFilter(urlPatterns = "/*")
public class XssFilter implements Filter {

    /** No init parameters are read; present only to satisfy the {@link Filter} contract. */
    @Override
    public void init(FilterConfig filterConfig) {
        // intentionally empty
    }

    /**
     * Wraps the request and continues the chain.
     *
     * @param servletRequest  the incoming request; assumed to be an
     *                        {@link HttpServletRequest} because the filter is mapped to
     *                        HTTP paths — anything else makes the cast throw
     *                        {@link ClassCastException}
     * @param servletResponse passed through unchanged
     * @param filterChain     the remainder of the chain
     */
    @Override
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse,
                         FilterChain filterChain) throws IOException, ServletException {
        // Wrap instead of mutate: escaping happens lazily inside the wrapper's getters.
        HttpServletRequest httpRequest = (HttpServletRequest) servletRequest;
        filterChain.doFilter(new XssFilterWrapper(httpRequest), servletResponse);
    }

    @Override
    public void destroy() {
        // nothing to release
    }
}
  1. 包装器(真正过滤逻辑)
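package com.xlj.xssdemo.filter;

import cn.hutool.core.util.EscapeUtil;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import java.util.Collections;
import java.util.LinkedHashMap;
import java.util.Map;

/**
 * Request wrapper that escapes header values, the query string and request parameters
 * at read time using hutool's {@code EscapeUtil.escape}.
 *
 * <p>Coverage: {@link #getHeader}, {@link #getQueryString}, {@link #getParameter},
 * {@link #getParameterValues} and {@link #getParameterMap}. The map override closes a
 * bypass: without it a caller could read raw values through {@code getParameterMap()}.
 * Reads through {@code getHeaders(name)}, {@code getCookies()}, {@code getInputStream()}
 * and {@code getReader()} are not escaped, so a JSON/XML body is delivered as sent.
 *
 * <p>NOTE(review): hutool's {@code EscapeUtil.escape} is the JavaScript {@code escape()}
 * style encoder ({@code %XX} / {@code %uXXXX}), not an HTML entity encoder; it also
 * rewrites non-ASCII text and punctuation such as {@code ;}, {@code =} and {@code %}.
 * Confirm that is the intended transformation for headers such as {@code Content-Type}
 * and for an already URL-encoded query string; an HTML-specific encoder (hutool offers
 * {@code EscapeUtil.escapeHtml4}) applied at the output boundary is the usual choice.
 */
public class XssFilterWrapper extends HttpServletRequestWrapper {

    /**
     * @param request the request to wrap; must not be {@code null}
     *                ({@link HttpServletRequestWrapper} rejects it)
     */
    public XssFilterWrapper(HttpServletRequest request) {
        super(request);
    }

    /** Escaped header value, or {@code null} when the header is absent. */
    @Override
    public String getHeader(String name) {
        return escape(super.getHeader(name));
    }

    /** Escaped query string, or {@code null} when the request has none. */
    @Override
    public String getQueryString() {
        return escape(super.getQueryString());
    }

    /** Escaped first value of the parameter, or {@code null} when absent. */
    @Override
    public String getParameter(String name) {
        return escape(super.getParameter(name));
    }

    /** New array of escaped values, or {@code null} when the parameter is absent. */
    @Override
    public String[] getParameterValues(String name) {
        return escapeAll(super.getParameterValues(name));
    }

    /**
     * Copy of the parameter map with every value escaped (keys are left as-is, matching
     * {@link #getParameter}). The returned map is unmodifiable, as the servlet contract
     * requires for {@code getParameterMap()}.
     */
    @Override
    public Map<String, String[]> getParameterMap() {
        Map<String, String[]> raw = super.getParameterMap();
        if (raw == null) {
            return null;
        }
        Map<String, String[]> escaped = new LinkedHashMap<>(raw.size());
        for (Map.Entry<String, String[]> entry : raw.entrySet()) {
            escaped.put(entry.getKey(), escapeAll(entry.getValue()));
        }
        return Collections.unmodifiableMap(escaped);
    }

    /** Null-safe escape: {@code null} stays {@code null} so "absent" is preserved. */
    private static String escape(String value) {
        return value == null ? null : EscapeUtil.escape(value);
    }

    /** Null-safe element-wise escape into a fresh array; the input array is not modified. */
    private static String[] escapeAll(String[] values) {
        if (values == null) {
            return null;
        }
        String[] escaped = new String[values.length];
        for (int i = 0; i < values.length; i++) {
            escaped[i] = escape(values[i]);
        }
        return escaped;
    }
}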
  1. 启动类添加注解
package com.xlj.xssdemo;

import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.boot.web.servlet.ServletComponentScan;

/**
 * Spring Boot entry point.
 *
 * <p>{@code @ServletComponentScan(basePackages = "com.xlj.xssdemo.filter")} is what makes
 * the {@code @WebFilter}-annotated {@code XssFilter} in that package get registered;
 * without it the annotation is ignored and no request is wrapped.
 */
@SpringBootApplication
@ServletComponentScan(basePackages = "com.xlj.xssdemo.filter")
public class XssdemoApplication {

    /**
     * Boots the application.
     *
     * @param args command-line arguments forwarded to Spring Boot
     */
    public static void main(String[] args) {
        // Equivalent to SpringApplication.run(XssdemoApplication.class, args).
        SpringApplication application = new SpringApplication(XssdemoApplication.class);
        application.run(args);
    }
}

配置类方式

  1. application.properties 开启xss配置
# XSS配置
xss.enabled=true
# 不过滤路径, 以逗号分割
xss.excludes=/open/*
# 过滤路径, 逗号分割
xss.urlPatterns=/*
  1. 过滤器配置
import cn.hutool.core.util.StrUtil;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.boot.web.servlet.FilterRegistrationBean;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import javax.servlet.DispatcherType;
import java.util.HashMap;
import java.util.Map;

/**
 * Registers {@code XssFilter} programmatically from {@code application.properties}
 * ({@code xss.enabled}, {@code xss.excludes}, {@code xss.urlPatterns}).
 *
 * <p>Only {@code xss.urlPatterns} influences the registration itself. {@code enabled}
 * and {@code excludes} are merely passed to the filter as init parameters; they take
 * effect only if {@code XssFilter.init(FilterConfig)} reads them — verify the filter in
 * use does, otherwise every mapped request is wrapped regardless of these two values.
 */
@Configuration
public class XssFilterConfig {

    /** Raw value of {@code xss.enabled}; forwarded as the "enabled" init parameter. */
    @Value("${xss.enabled}")
    private String enabled;

    /** Comma-separated paths exempt from filtering; forwarded as the "excludes" init parameter. */
    @Value("${xss.excludes}")
    private String excludes;

    /** Comma-separated URL patterns the filter is mapped to. */
    @Value("${xss.urlPatterns}")
    private String urlPatterns;

    /**
     * Builds the filter registration.
     *
     * <p>Only {@link DispatcherType#REQUEST} is covered, so FORWARD/INCLUDE/ERROR
     * dispatches reach the servlet with the unwrapped request. {@code Integer.MAX_VALUE}
     * is the lowest precedence: the wrapper is applied after every other registered
     * filter, so earlier filters still observe unescaped values.
     *
     * @return the registration Spring Boot installs in the servlet container
     */
    @SuppressWarnings({"rawtypes", "unchecked"})
    @Bean
    public FilterRegistrationBean xssFilterRegistration() {
        Map<String, String> initParameters = new HashMap<>();
        initParameters.put("excludes", excludes);
        initParameters.put("enabled", enabled);

        FilterRegistrationBean registration = new FilterRegistrationBean();
        registration.setFilter(new XssFilter());
        registration.setName("xssFilter");
        registration.setDispatcherTypes(DispatcherType.REQUEST);
        // Each comma-separated entry becomes one URL pattern.
        registration.addUrlPatterns(StrUtil.split(urlPatterns, ","));
        registration.setOrder(Integer.MAX_VALUE);
        registration.setInitParameters(initParameters);
        return registration;
    }
}
  1. 防止XSS攻击的过滤器
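package com.xlj.xssdemo.filter;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import java.io.IOException;
import java.util.ArrayList;
import java.util.List;

/**
 * Servlet filter that hands each request down the chain wrapped in an
 * {@link XssFilterWrapper}, so downstream reads of headers, the query string and
 * parameters through the wrapper see escaped values.
 *
 * <p>Registered by {@code XssFilterConfig}, which passes two init parameters:
 * {@code enabled} (anything but an explicit {@code "false"} keeps the filter on) and
 * {@code excludes} (comma-separated paths that are delivered unwrapped, e.g.
 * {@code /open/*}). Previously both parameters were accepted but ignored.
 *
 * <p>Scope: only the accessors the wrapper overrides are escaped. A request body read
 * via {@code getInputStream()}/{@code getReader()} passes through untouched.
 */
public class XssFilter implements Filter {

    /** Whether wrapping is active; stays {@code true} when the init parameter is absent. */
    private boolean enabled = true;

    /** Path patterns exempt from wrapping, parsed from the "excludes" init parameter. */
    private List<String> excludes = new ArrayList<>();

    /**
     * Reads the {@code enabled} and {@code excludes} init parameters.
     *
     * @param filterConfig container-supplied configuration; {@code null} leaves the
     *                     defaults (enabled, no excludes)
     */
    @Override
    public void init(FilterConfig filterConfig) {
        if (filterConfig == null) {
            return;
        }
        // Fail closed: only an explicit "false" disables the filter, so a typo such as
        // "no" or "0" does not silently switch protection off.
        String enabledParam = filterConfig.getInitParameter("enabled");
        enabled = enabledParam == null || !"false".equalsIgnoreCase(enabledParam.trim());
        excludes = parseExcludes(filterConfig.getInitParameter("excludes"));
    }

    /**
     * Wraps the request unless the filter is disabled or the path is excluded.
     *
     * @param servletRequest  the incoming request; assumed to be an
     *                        {@link HttpServletRequest} because the filter is mapped to
     *                        HTTP paths — anything else makes the cast throw
     *                        {@link ClassCastException}
     * @param servletResponse passed through unchanged
     * @param filterChain     the remainder of the chain
     */
    @Override
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse,
                         FilterChain filterChain) throws IOException, ServletException {
        if (!enabled) {
            filterChain.doFilter(servletRequest, servletResponse);
            return;
        }
        HttpServletRequest httpRequest = (HttpServletRequest) servletRequest;
        if (isExcluded(contextRelativePath(httpRequest))) {
            filterChain.doFilter(servletRequest, servletResponse);
            return;
        }
        // Wrap instead of mutate: escaping happens lazily inside the wrapper's getters.
        filterChain.doFilter(new XssFilterWrapper(httpRequest), servletResponse);
    }

    @Override
    public void destroy() {
        // nothing to release
    }

    /** Request URI with the context path removed, e.g. "/open/x" for "/app/open/x" under "/app". */
    private static String contextRelativePath(HttpServletRequest request) {
        String uri = request.getRequestURI();
        if (uri == null) {
            return "";
        }
        String contextPath = request.getContextPath();
        if (contextPath != null && !contextPath.isEmpty() && uri.startsWith(contextPath)) {
            return uri.substring(contextPath.length());
        }
        return uri;
    }

    /** Splits "a,b" into trimmed, non-empty patterns; {@code null} or blank input yields none. */
    private static List<String> parseExcludes(String raw) {
        List<String> patterns = new ArrayList<>();
        if (raw == null) {
            return patterns;
        }
        for (String piece : raw.split(",")) {
            String pattern = piece.trim();
            if (!pattern.isEmpty()) {
                patterns.add(pattern);
            }
        }
        return patterns;
    }

    /**
     * Servlet-style matching: "/open/*" matches "/open" and everything below "/open/";
     * any other pattern must equal the path exactly. Paths containing ".." or a percent
     * sign are never excluded, because getRequestURI() may be undecoded/unnormalized
     * and such a path could resolve elsewhere — ambiguous paths stay filtered.
     */
    private boolean isExcluded(String path) {
        if (path.contains("..") || path.indexOf('%') >= 0) {
            return false;
        }
        for (String pattern : excludes) {
            if (pattern.endsWith("/*")) {
                String prefix = pattern.substring(0, pattern.length() - 2);
                if (path.equals(prefix) || path.startsWith(prefix + "/")) {
                    return true;
                }
            } else if (pattern.equals(path)) {
                return true;
            }
        }
        return false;
    }
}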
  1. XSS过滤处理
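package com.xlj.xssdemo.filter;

import cn.hutool.core.util.EscapeUtil;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import java.util.Collections;
import java.util.LinkedHashMap;
import java.util.Map;

/**
 * Request wrapper that escapes header values, the query string and request parameters
 * at read time using hutool's {@code EscapeUtil.escape}.
 *
 * <p>Coverage: {@link #getHeader}, {@link #getQueryString}, {@link #getParameter},
 * {@link #getParameterValues} and {@link #getParameterMap}. The map override closes a
 * bypass: without it a caller could read raw values through {@code getParameterMap()}.
 * Reads through {@code getHeaders(name)}, {@code getCookies()}, {@code getInputStream()}
 * and {@code getReader()} are not escaped, so a JSON/XML body is delivered as sent.
 *
 * <p>NOTE(review): hutool's {@code EscapeUtil.escape} is the JavaScript {@code escape()}
 * style encoder ({@code %XX} / {@code %uXXXX}), not an HTML entity encoder; it also
 * rewrites non-ASCII text and punctuation such as {@code ;}, {@code =} and {@code %}.
 * Confirm that is the intended transformation for headers such as {@code Content-Type}
 * and for an already URL-encoded query string; an HTML-specific encoder (hutool offers
 * {@code EscapeUtil.escapeHtml4}) applied at the output boundary is the usual choice.
 */
public class XssFilterWrapper extends HttpServletRequestWrapper {

    /**
     * @param request the request to wrap; must not be {@code null}
     *                ({@link HttpServletRequestWrapper} rejects it)
     */
    public XssFilterWrapper(HttpServletRequest request) {
        super(request);
    }

    /** Escaped header value, or {@code null} when the header is absent. */
    @Override
    public String getHeader(String name) {
        return escape(super.getHeader(name));
    }

    /** Escaped query string, or {@code null} when the request has none. */
    @Override
    public String getQueryString() {
        return escape(super.getQueryString());
    }

    /** Escaped first value of the parameter, or {@code null} when absent. */
    @Override
    public String getParameter(String name) {
        return escape(super.getParameter(name));
    }

    /** New array of escaped values, or {@code null} when the parameter is absent. */
    @Override
    public String[] getParameterValues(String name) {
        return escapeAll(super.getParameterValues(name));
    }

    /**
     * Copy of the parameter map with every value escaped (keys are left as-is, matching
     * {@link #getParameter}). The returned map is unmodifiable, as the servlet contract
     * requires for {@code getParameterMap()}.
     */
    @Override
    public Map<String, String[]> getParameterMap() {
        Map<String, String[]> raw = super.getParameterMap();
        if (raw == null) {
            return null;
        }
        Map<String, String[]> escaped = new LinkedHashMap<>(raw.size());
        for (Map.Entry<String, String[]> entry : raw.entrySet()) {
            escaped.put(entry.getKey(), escapeAll(entry.getValue()));
        }
        return Collections.unmodifiableMap(escaped);
    }

    /** Null-safe escape: {@code null} stays {@code null} so "absent" is preserved. */
    private static String escape(String value) {
        return value == null ? null : EscapeUtil.escape(value);
    }

    /** Null-safe element-wise escape into a fresh array; the input array is not modified. */
    private static String[] escapeAll(String[] values) {
        if (values == null) {
            return null;
        }
        String[] escaped = new String[values.length];
        for (int i = 0; i < values.length; i++) {
            escaped[i] = escape(values[i]);
        }
        return escaped;
    }
}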

——Spring

  1. 添加的 pom 依赖
<dependency>
    <groupId>cn.hutool</groupId>
    <artifactId>hutool-all</artifactId>
    <version>5.3.7</version>
</dependency>
  1. web.xml开启过滤配置
<!-- Fix for the XSS vulnerability: declare the filter -->
<filter>
    <filter-name>xssFilter</filter-name>
    <!-- XXX is a placeholder: replace it with the package of your XssFilter class -->
    <filter-class>XXX.XssFilter</filter-class>
</filter>
<!-- Fix for the XSS vulnerability: map the filter -->
<filter-mapping>
    <filter-name>xssFilter</filter-name>
    <!-- NOTE(review): the servlet path-prefix mapping form is "/*" (the value the
         Spring Boot section above uses); a bare "*" is not a path-prefix pattern and
         a strict container may treat it as an exact match that never fires.
         Verify the filter actually runs before relying on it. -->
    <url-pattern>*</url-pattern>
</filter-mapping>
  1. 防止XSS攻击的过滤器
package com.ctrip.hotel.octopus.pdp.web.filter;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import java.io.IOException;

/**
 * Servlet filter that passes each request down the chain wrapped in an
 * {@link XssFilterWrapper}, so downstream reads of headers, the query string and
 * parameters through the wrapper return escaped values.
 *
 * <p>In this (plain Spring) setup the filter is declared and mapped in {@code web.xml};
 * it carries no annotation and reads no init parameters.
 *
 * <p>Scope: only the accessors the wrapper overrides are escaped. A request body read
 * via {@code getInputStream()}/{@code getReader()} passes through untouched.
 */
public class XssFilter implements Filter {

    /** Nothing to configure; present only to satisfy the {@link Filter} contract. */
    @Override
    public void init(FilterConfig filterConfig) {
        // intentionally empty
    }

    /**
     * Wraps the request and continues the chain.
     *
     * @param servletRequest  the incoming request; assumed to be an
     *                        {@link HttpServletRequest} because the filter is mapped to
     *                        HTTP paths — anything else makes the cast throw
     *                        {@link ClassCastException}
     * @param servletResponse passed through unchanged
     * @param filterChain     the remainder of the chain
     */
    @Override
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse,
                         FilterChain filterChain) throws IOException, ServletException {
        // The wrapper escapes lazily in its getters; the underlying request is not modified.
        XssFilterWrapper wrapped = new XssFilterWrapper((HttpServletRequest) servletRequest);
        filterChain.doFilter(wrapped, servletResponse);
    }

    @Override
    public void destroy() {
        // nothing to release
    }
}
  1. XSS过滤处理
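package com.ctrip.hotel.octopus.pdp.web.filter;

import cn.hutool.core.util.EscapeUtil;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import java.util.Collections;
import java.util.LinkedHashMap;
import java.util.Map;

/**
 * Request wrapper that escapes header values, the query string and request parameters
 * at read time using hutool's {@code EscapeUtil.escape}.
 *
 * <p>The listing previously imported {@code com.ctrip.vul.VulDef} while calling
 * {@code EscapeUtil}, which does not compile; the import now matches the class used
 * (the same one the Spring Boot variant of this wrapper imports).
 *
 * <p>Coverage: {@link #getHeader}, {@link #getQueryString}, {@link #getParameter},
 * {@link #getParameterValues} and {@link #getParameterMap}. The map override closes a
 * bypass: without it a caller could read raw values through {@code getParameterMap()}.
 * Reads through {@code getHeaders(name)}, {@code getCookies()}, {@code getInputStream()}
 * and {@code getReader()} are not escaped, so a JSON/XML body is delivered as sent.
 *
 * <p>NOTE(review): hutool's {@code EscapeUtil.escape} is the JavaScript {@code escape()}
 * style encoder ({@code %XX} / {@code %uXXXX}), not an HTML entity encoder; it also
 * rewrites non-ASCII text and punctuation such as {@code ;}, {@code =} and {@code %}.
 * Confirm that is the intended transformation for headers such as {@code Content-Type}
 * and for an already URL-encoded query string; an HTML-specific encoder (hutool offers
 * {@code EscapeUtil.escapeHtml4}) applied at the output boundary is the usual choice.
 */
public class XssFilterWrapper extends HttpServletRequestWrapper {

    /**
     * @param request the request to wrap; must not be {@code null}
     *                ({@link HttpServletRequestWrapper} rejects it)
     */
    public XssFilterWrapper(HttpServletRequest request) {
        super(request);
    }

    /** Escaped header value, or {@code null} when the header is absent. */
    @Override
    public String getHeader(String name) {
        return escape(super.getHeader(name));
    }

    /** Escaped query string, or {@code null} when the request has none. */
    @Override
    public String getQueryString() {
        return escape(super.getQueryString());
    }

    /** Escaped first value of the parameter, or {@code null} when absent. */
    @Override
    public String getParameter(String name) {
        return escape(super.getParameter(name));
    }

    /** New array of escaped values, or {@code null} when the parameter is absent. */
    @Override
    public String[] getParameterValues(String name) {
        return escapeAll(super.getParameterValues(name));
    }

    /**
     * Copy of the parameter map with every value escaped (keys are left as-is, matching
     * {@link #getParameter}). The returned map is unmodifiable, as the servlet contract
     * requires for {@code getParameterMap()}.
     */
    @Override
    public Map<String, String[]> getParameterMap() {
        Map<String, String[]> raw = super.getParameterMap();
        if (raw == null) {
            return null;
        }
        Map<String, String[]> escaped = new LinkedHashMap<>(raw.size());
        for (Map.Entry<String, String[]> entry : raw.entrySet()) {
            escaped.put(entry.getKey(), escapeAll(entry.getValue()));
        }
        return Collections.unmodifiableMap(escaped);
    }

    /** Null-safe escape: {@code null} stays {@code null} so "absent" is preserved. */
    private static String escape(String value) {
        return value == null ? null : EscapeUtil.escape(value);
    }

    /** Null-safe element-wise escape into a fresh array; the input array is not modified. */
    private static String[] escapeAll(String[] values) {
        if (values == null) {
            return null;
        }
        String[] escaped = new String[values.length];
        for (int i = 0; i < values.length; i++) {
            escaped[i] = escape(values[i]);
        }
        return escaped;
    }
}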