思路
使用全局过滤的方式来预防xss注入问题
当然thymeleaf 模板也可以用来预防xss注入
这里采用Jsoup 来防止xss注入
步骤
一 导入jar包
<dependency>
<groupId>org.jsoup</groupId>
<artifactId>jsoup</artifactId>
<version>1.11.3</version>
</dependency>
相关代码（一共两个文件）
过滤器代码
package com.***.config.xss;
import javax.servlet.*;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
/**
* xss 过滤器
*
* @author imsjw
* Create Time: 2018/8/10
*/
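@WebFilter
public class XssFilter implements Filter {
    /**
     * 白名单 — servlet paths that bypass sanitising entirely.
     *
     * Entries are compared with {@link HttpServletRequest#getServletPath()} by exact
     * string equality in {@link #isWhiteList(HttpServletRequest)}. A listed path
     * receives the raw, unwrapped request, so keep this list as short as possible.
     * The field stays public for compatibility with the original class.
     */
    public List<String> whiteList = new ArrayList<>();

    /**
     * Populates the whitelist.
     *
     * 示例 — both entries are the author's examples; {@code "白名单路径"} is a
     * placeholder for a real path and should be replaced or removed before use.
     *
     * @param filterConfig supplied by the container, unused here
     * @throws ServletException never thrown by this implementation
     */
    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
        whiteList.add("/user/mgr");
        whiteList.add("白名单路径");
    }

    /**
     * Wraps every non-whitelisted request in {@link XssHttpServletRequestWrapper}
     * so downstream parameter reads are sanitised before they are used.
     *
     * NOTE(review): {@code @WebFilter} above declares no {@code urlPatterns}; the
     * servlet annotation normally expects at least one, and how the container (or
     * Spring Boot's {@code @ServletComponentScan}) treats the omission varies —
     * confirm the filter is actually mapped to {@code /*} in the target deployment.
     *
     * @param request  incoming request; cast to {@link HttpServletRequest}
     * @param response outgoing response, passed through untouched
     * @param chain    the remaining filter chain
     * @throws IOException      propagated from the chain
     * @throws ServletException propagated from the chain
     */
    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        if (isWhiteList(req)) {
            // Whitelisted path: hand the original request on unchanged.
            chain.doFilter(request, response);
            return;
        }
        // Reuse the cast made above instead of casting the raw request a second time.
        chain.doFilter(new XssHttpServletRequestWrapper(req), response);
    }

    /**
     * Tells whether the request's servlet path is exempt from sanitising.
     *
     * The path is read once rather than on every loop iteration as before; the
     * match is exact, so {@code "/user/mgr/"} or a differently-cased path is not
     * treated as whitelisted.
     *
     * @param request the current request
     * @return {@code true} when {@code getServletPath()} equals a whitelist entry
     */
    private boolean isWhiteList(HttpServletRequest request) {
        return whiteList.contains(request.getServletPath());
    }

    /** Nothing to release: the filter holds no resources beyond the whitelist. */
    @Override
    public void destroy() {
    }
}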
过滤处理代码
package com.***.config.xss;
import java.util.Collections;
import java.util.LinkedHashMap;
import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import org.jsoup.Jsoup;
import org.jsoup.safety.Whitelist;
/**
* XSS过滤处理
*
* @author ruoyi
*/
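public class XssHttpServletRequestWrapper extends HttpServletRequestWrapper {
    /**
     * Wraps {@code request} so that parameter values read through this wrapper are
     * passed through {@link Jsoup#clean(String, Whitelist)} first.
     *
     * Only request parameters are covered: headers, cookies and a JSON/XML request
     * body are handed on unchanged and need their own handling if they are ever
     * rendered into HTML.
     *
     * @param request the request to wrap; must not be {@code null}
     */
    public XssHttpServletRequestWrapper(HttpServletRequest request) {
        super(request);
    }

    /**
     * Sanitises one parameter value.
     *
     * {@link Whitelist#relaxed()} is a rich-text profile and still admits a broad
     * set of HTML tags and attributes, so this strips markup outside that list
     * rather than escaping everything. Jsoup's default output settings may also
     * reformat whitespace in the cleaned value — presumably acceptable here, but
     * worth confirming for fields where exact formatting matters.
     *
     * @param value raw parameter value, may be {@code null}
     * @return the cleaned, trimmed value, or {@code null} when {@code value} is {@code null}
     */
    private static String clean(String value) {
        if (value == null) {
            // Previously a null element would have reached Jsoup.clean directly.
            return null;
        }
        // Prevent XSS and drop leading/trailing whitespace.
        return Jsoup.clean(value, Whitelist.relaxed()).trim();
    }

    /**
     * Sanitises every element of a parameter value array.
     *
     * @param values raw values, may be {@code null}
     * @return a new array of cleaned values, or {@code null} when {@code values} is {@code null}
     */
    private static String[] cleanAll(String[] values) {
        if (values == null) {
            return null;
        }
        String[] cleaned = new String[values.length];
        for (int i = 0; i < values.length; i++) {
            cleaned[i] = clean(values[i]);
        }
        return cleaned;
    }

    /**
     * {@inheritDoc}
     *
     * {@link HttpServletRequestWrapper} forwards {@code getParameter} straight to the
     * wrapped request, not to this class's {@link #getParameterValues(String)}, so
     * without this override a single-value read would bypass the sanitiser.
     */
    @Override
    public String getParameter(String name) {
        return clean(super.getParameter(name));
    }

    /**
     * {@inheritDoc}
     *
     * @return a fresh array of sanitised values, or {@code null} when the wrapped
     *         request has no such parameter
     */
    @Override
    public String[] getParameterValues(String name) {
        return cleanAll(super.getParameterValues(name));
    }

    /**
     * {@inheritDoc}
     *
     * Also delegated directly to the wrapped request by the base wrapper, so it is
     * sanitised here to close the same gap as {@link #getParameter(String)}.
     *
     * @return an unmodifiable copy of the parameter map with every value sanitised
     */
    @Override
    public Map<String, String[]> getParameterMap() {
        Map<String, String[]> raw = super.getParameterMap();
        Map<String, String[]> cleaned = new LinkedHashMap<>();
        for (Map.Entry<String, String[]> entry : raw.entrySet()) {
            cleaned.put(entry.getKey(), cleanAll(entry.getValue()));
        }
        return Collections.unmodifiableMap(cleaned);
    }
}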