Springboot增加一个xss过滤器,防止xss攻击

杜联
2023-12-01

application.yml 文件添加配置

# XSS protection settings read by FilterConfig; the filter bean is only created when enabled is true
xss:
  # Master switch: any value other than true leaves every request unfiltered
  enabled: true
  # Servlet paths that skip escaping (comma-separated); requests to these paths reach handlers with raw input
  excludes: /system/notice
  # URL patterns the filter is registered on (comma-separated); requests outside them are never filtered
  urlPatterns: /hospital/list
    #/system/*,/monitor/*,/tool/*,/hospital/list

过滤器配置类

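@Configuration
public class FilterConfig {

    /** Comma-separated servlet paths the filter must leave untouched (property {@code xss.excludes}). */
    @Value("${xss.excludes}")
    private String excludes;

    /** Comma-separated URL patterns the filter is registered on (property {@code xss.urlPatterns}). */
    @Value("${xss.urlPatterns}")
    private String urlPatterns;

    /**
     * Registers {@link XssFilter} when {@code xss.enabled=true}; for any other value, or when the
     * property is absent, this bean is not created and no request is filtered.
     *
     * @return the registration that binds the filter to {@code xss.urlPatterns}
     */
    @Bean
    @ConditionalOnProperty(value = "xss.enabled", havingValue = "true")
    public FilterRegistrationBean<XssFilter> xssFilterRegistration() {
        FilterRegistrationBean<XssFilter> registrationBean = new FilterRegistrationBean<>();
        // Only direct client requests are filtered; FORWARD/INCLUDE/ERROR dispatches are not
        registrationBean.setDispatcherTypes(DispatcherType.REQUEST);
        registrationBean.setFilter(new XssFilter());
        // NOTE(review): a missing pattern list presumably makes split() return null, which
        // addUrlPatterns rejects at startup — fail-fast, but confirm against StringUtils.split
        registrationBean.addUrlPatterns(StringUtils.split(urlPatterns, ","));
        registrationBean.setName("xssFilter");
        // Highest precedence so no earlier filter reads unescaped parameters first
        registrationBean.setOrder(FilterRegistrationBean.HIGHEST_PRECEDENCE);

        // Init parameters are the channel through which XssFilter.init() receives the exclude list
        Map<String, String> initParameters = new HashMap<>();
        initParameters.put("excludes", excludes);
        registrationBean.setInitParameters(initParameters);

        return registrationBean;
    }
}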

过滤器实现类


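public class XssFilter implements Filter {

    private static final Logger logger = LoggerFactory.getLogger(XssFilter.class);

    /** Servlet paths that bypass escaping, populated from the {@code excludes} init parameter. */
    public List<String> excludes = new ArrayList<>();

    /**
     * Reads the comma-separated {@code excludes} init parameter into {@link #excludes}.
     * Entries are trimmed and blank entries dropped, so {@code "/a, /b"} yields {@code /a} and {@code /b}.
     *
     * @param filterConfig the registration's init parameters
     * @throws ServletException never thrown here; declared by {@link Filter#init}
     */
    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
        logger.info("Xss Filter init");
        String tempExcludes = filterConfig.getInitParameter("excludes");
        if (StringUtils.isNotEmpty(tempExcludes)) {
            for (String url : tempExcludes.split(",")) {
                String trimmed = url.trim();
                if (!trimmed.isEmpty()) {
                    excludes.add(trimmed);
                }
            }
        }
    }

    /**
     * Wraps the request in {@link XssHttpServletRequestWrapper} unless it is excluded, so that
     * downstream parameter reads return escaped values.
     *
     * @param request  incoming request; non-HTTP requests are passed through unchanged
     * @param response outgoing response, passed through untouched
     * @param chain    the remaining filter chain
     * @throws IOException      propagated from the chain
     * @throws ServletException propagated from the chain
     */
    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        // Only HTTP requests carry parameters to escape; avoid a ClassCastException on anything else
        if (!(request instanceof HttpServletRequest)) {
            chain.doFilter(request, response);
            return;
        }
        HttpServletRequest req = (HttpServletRequest) request;
        // debug rather than info: this runs on every matched request
        logger.debug("Xss Filter doFilter");
        if (isExcluded(req)) {
            chain.doFilter(request, response);
            return;
        }
        chain.doFilter(new XssHttpServletRequestWrapper(req), response);
    }

    /** Logs filter shutdown. */
    @Override
    public void destroy() {
        logger.info("Xss Filter destroy");
    }

    /**
     * Decides whether a request bypasses escaping.
     * <p>
     * GET and DELETE requests (and requests without a method) are always passed through, so only
     * POST/PUT-style parameters are escaped; payloads carried in GET query parameters are not covered
     * by this filter and rely on output encoding in the handler. Otherwise the servlet path is
     * matched against {@link #excludes}.
     *
     * @param request the HTTP request
     * @return {@code true} when the request must not be wrapped
     */
    private boolean isExcluded(HttpServletRequest request) {
        String method = request.getMethod();
        // Exact, case-sensitive comparison — same semantics as the former regex full-match
        if (method == null || "GET".equals(method) || "DELETE".equals(method)) {
            return true;
        }
        // Servlet path, not the full URI: excludes are written relative to the servlet mapping.
        // NOTE(review): wildcard support depends on StringUtils.matches — confirm its rules
        return StringUtils.matches(request.getServletPath(), excludes);
    }
}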

请求体过滤

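public class XssHttpServletRequestWrapper extends HttpServletRequestWrapper {

    /**
     * Wraps {@code request} so that the parameter accessors below return trimmed, HTML-escaped values.
     * Headers, cookies and the raw body ({@code getInputStream}/{@code getReader}, i.e. JSON request
     * bodies) are not touched and still reach handlers as sent.
     *
     * @param request the request to wrap
     */
    public XssHttpServletRequestWrapper(HttpServletRequest request) {
        super(request);
    }

    /** Single-value lookup, escaped like {@link #getParameterValues} so it cannot bypass the wrapper. */
    @Override
    public String getParameter(String name) {
        return clean(super.getParameter(name));
    }

    /**
     * Returns the escaped values for {@code name}.
     *
     * @param name parameter name
     * @return escaped values, or {@code null} when the parameter is absent
     */
    @Override
    public String[] getParameterValues(String name) {
        return cleanAll(super.getParameterValues(name));
    }

    /** Whole-map view with every value escaped, so map-based binding sees the same data as {@link #getParameter}. */
    @Override
    public java.util.Map<String, String[]> getParameterMap() {
        java.util.Map<String, String[]> escaped = new java.util.LinkedHashMap<>();
        for (java.util.Map.Entry<String, String[]> entry : super.getParameterMap().entrySet()) {
            escaped.put(entry.getKey(), cleanAll(entry.getValue()));
        }
        // The servlet contract requires an immutable map
        return java.util.Collections.unmodifiableMap(escaped);
    }

    /** Escapes each element; a {@code null} array stays {@code null}. */
    private static String[] cleanAll(String[] values) {
        if (values == null) {
            return null;
        }
        String[] escaped = new String[values.length];
        for (int i = 0; i < values.length; i++) {
            escaped[i] = clean(values[i]);
        }
        return escaped;
    }

    /** Trims and escapes one value; {@code null} is passed through instead of raising an NPE. */
    private static String clean(String value) {
        return value == null ? null : EscapeUtil.clean(value.trim());
    }
}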

工具类

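/** HTML-escaping helper backed by hutool's {@code HTMLFilter}; static-only, not instantiable. */
public final class EscapeUtil {

    private EscapeUtil() {
    }

    /**
     * Filters HTML markup out of {@code content} via hutool's {@code HTMLFilter}.
     *
     * @param content raw text, may be {@code null}
     * @return the filtered text, or {@code null} when {@code content} is {@code null}
     */
    public static String clean(String content) {
        if (content == null) {
            return null;
        }
        // A fresh HTMLFilter per call; NOTE(review): presumably stateful, so do not cache one
        // instance across threads without confirming it is thread-safe
        return new HTMLFilter().filter(content);
    }
}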

底层实现过滤功能的类：hutool 的 HTMLFilter

        <!-- https://mvnrepository.com/artifact/cn.hutool/hutool-all -->
        <dependency>
            <groupId>cn.hutool</groupId>
            <artifactId>hutool-all</artifactId>
            <version>5.7.11</version>
        </dependency>