springboot xss 注入问题

思路

使用全局过滤的方式来预防xss注入问题
当然thymeleaf 模板也可以用来预防xss注入
这里采用Jsoup 来防止xss注入

步骤

一 导入jar包

<dependency>
    <groupId>org.jsoup</groupId>
    <artifactId>jsoup</artifactId>
    <version>1.11.3</version>
</dependency>

相关代码 一共两个文件

过滤器代码

package com.***.config.xss;

import javax.servlet.*;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/**
 * xss 过滤器
 *
 * @author imsjw
 * Create Time: 2018/8/10
 */
@WebFilter
public class XssFilter implements Filter {

    /**
     * 白名单
     */
    public List<String> whiteList = new ArrayList<>();

    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
        /**
         * 示例
         */
        whiteList.add("/user/mgr");
        whiteList.add("白名单路径");
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse resp = (HttpServletResponse) response;
        if (isWhiteList(req, resp)) {
            chain.doFilter(request, response);
            return;
        }
        XssHttpServletRequestWrapper xssRequest = new XssHttpServletRequestWrapper((HttpServletRequest) request);
        chain.doFilter(xssRequest, response);
    }

    private boolean isWhiteList(HttpServletRequest request, HttpServletResponse response) {
        for (int i = 0; i < whiteList.size(); i++) {
            String servletPath = request.getServletPath();
            if (whiteList.get(i).equals(servletPath)) {
                return true;
            }
        }
        return false;
    }

    @Override
    public void destroy() {

    }

}

过滤代码

package com.***.config.xss;

import org.jsoup.Jsoup;
import org.jsoup.safety.Whitelist;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;

/**
 * XSS过滤处理
 *
 * @author ruoyi
 */
public class XssHttpServletRequestWrapper extends HttpServletRequestWrapper {

    /**
     * @param request
     */
    public XssHttpServletRequestWrapper(HttpServletRequest request) {
        super(request);
    }

    @Override
    public String[] getParameterValues(String name) {
        String[] values = super.getParameterValues(name);
        if (values != null) {
            int length = values.length;
            String[] escapseValues = new String[length];
            for (int i = 0; i < length; i++) {
                // 防xss攻击和过滤前后空格
                escapseValues[i] = Jsoup.clean(values[i], Whitelist.relaxed()).trim();
            }
            return escapseValues;
        }
        return super.getParameterValues(name);
    }
}