springboot预防攻击 “＞＜img src=1 οnerrοr=alert(1)＞

当不预防攻击 "><img src=1 οnerrοr=alert(1)>时候,会出现下面情况。

当加入预防攻击代码,会出现下面情况。显示正常。

代码如下：

/**
 * @ClassName MyXssFilter
 * @Description TODO
 * @Date 2021/3/22 13:18
 * @Version 1.0
 */
import javax.servlet.*;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import java.io.IOException;

/**
 *  * 使用注解标注过滤器
 * @WebFilter将一个实现了javax.servlet.Filter接口的类定义为过滤器
 * 属性filterName声明过滤器的名称,可选
 * 属性urlPatterns指定要过滤 的URL模式,也可使用属性value来声明.(指定要过滤的URL模式是必选属性)
 */
@WebFilter(filterName="myXssFilter", urlPatterns="/*")
public class MyXssFilter implements Filter {
    
    

    FilterConfig filterConfig = null;

    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
    
    
        System.out.println("过滤器初始化");
        this.filterConfig = filterConfig;
    }

    @Override
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
    
    
        System.out.println("执行过滤操作");

        filterChain.doFilter(new XssHttpServletRequestWrapper((HttpServletRequest)servletRequest), servletResponse);
    }

    @Override
    public void destroy() {
    
    
        System.out.println("过滤器销毁");
        this.filterConfig = null;
    }

}

/**
 * @ClassName XssHttpServletRequestWrapper
 * @Description TODO
 * @Date 2021/3/22 13:17
 * @Version 1.0
 */
import org.apache.commons.text.StringEscapeUtils;

import javax.servlet.ReadListener;
import javax.servlet.ServletInputStream;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import java.io.BufferedReader;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStreamReader;
import java.nio.charset.Charset;

public class XssHttpServletRequestWrapper extends HttpServletRequestWrapper {
    
    

    public XssHttpServletRequestWrapper(HttpServletRequest request) {
    
    
        super(request);
    }

    @Override
    public String[] getParameterValues(String parameter) {
    
    
        String[] values = super.getParameterValues(parameter);
        if (values==null)  {
    
    
            return null;
        }
        int count = values.length;
        String[] encodedValues = new String[count];
        for (int i = 0; i < count; i++) {
    
    
            encodedValues[i] = cleanXSS(values[i]);
        }
        return encodedValues;
    }

    @Override
    public String getParameter(String parameter) {
    
    
        String value = super.getParameter(parameter);
        if (value != null) {
    
    
            return cleanXSS(value);
        }
        return null;
    }

    @Override
    public String getHeader(String name) {
    
    
        String value = super.getHeader(name);
        if (value == null)
            return null;
        return cleanXSS(value);
    }

    private static String cleanXSS(String value) {
    
    

//        value = StringEscapeUtils.escapeHtml4(value);
        value = value.replaceAll("<", "&lt;").replaceAll(">", "&gt;");
        value = value.replaceAll("%3C", "&lt;").replaceAll("%3E", "&gt;");
        value = value.replaceAll("\\(", "&#40;").replaceAll("\\)", "&#41;");
        value = value.replaceAll("%28", "&#40;").replaceAll("%29", "&#41;");
        value = value.replaceAll("'", "&#39;");
        value = value.replaceAll("eval\\((.*)\\)", "");
        value = value.replaceAll("[\\\"\\\'][\\s]*javascript:(.*)[\\\"\\\']", "\"\"");
        value = value.replaceAll("script", "");
        return value;
    }

    @Override
    public ServletInputStream getInputStream() throws IOException {
    
    
        final ByteArrayInputStream bais = new ByteArrayInputStream(inputHandlers(super.getInputStream ()).getBytes ());

        return new ServletInputStream() {
    
    

            @Override
            public int read() throws IOException {
    
    
                return bais.read();
            }

            @Override
            public boolean isFinished() {
    
    
                return false;
            }

            @Override
            public boolean isReady() {
    
    
                return false;
            }

            @Override
            public void setReadListener(ReadListener readListener) {
    
     }
        };
    }

    public   String inputHandlers(ServletInputStream servletInputStream){
    
    
        StringBuilder sb = new StringBuilder();
        BufferedReader reader = null;
        try {
    
    
            reader = new BufferedReader(new InputStreamReader(servletInputStream, Charset.forName("UTF-8")));
            String line = "";
            while ((line = reader.readLine()) != null) {
    
    
                sb.append(line);
            }
        } catch (IOException e) {
    
    
            e.printStackTrace();
        } finally {
    
    
            if (servletInputStream != null) {
    
    
                try {
    
    
                    servletInputStream.close();
                } catch (IOException e) {
    
    
                    e.printStackTrace();
                }
            }
            if (reader != null) {
    
    
                try {
    
    
                    reader.close();
                } catch (IOException e) {
    
    
                    e.printStackTrace();
                }
            }
        }
        return  cleanXSS(sb.toString ());
    }

}

在启动类添加@ServletComponentScan()

@SpringBootApplication
@ServletComponentScan()
public class NewApplication {
    
    
    public static void main(String[] args) {
    
    
        SpringApplication.run(NewApplication.class, args);
    }
}