SpringBoot防XSS攻击

Filter代码:

import java.io.IOException;
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import java.util.regex.PatternSyntaxException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import com.util.StrUtil;

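/**
 * <p>
 * Servlet filter that rejects requests whose query string matches one of the
 * configured cross-site-scripting (XSS) regular expressions.
 * </p>
 * <p>
 * The blocklist comes from the {@code xss-patterns} init parameter: a
 * {@code ';'}-separated list of regular expressions, each compiled
 * case-insensitively once in {@link #init(FilterConfig)}. When the parameter is
 * missing or blank the filter is a pass-through. Only the query string is
 * inspected (not the request body, headers or path), so this is a
 * defence-in-depth measure and not a substitute for encoding output.
 * </p>
 */
public class XSSFilter implements Filter {
	/** Name of the init parameter that carries the ';'-separated regex list. */
	static final String PATTERNS_PARAM = "xss-patterns";

	private FilterConfig filterConfig = null;
	/** Patterns compiled in init(); empty when no blocklist is configured. */
	private List<Pattern> patterns = new ArrayList<>();

	@Override
	public void init(FilterConfig filterConfig) throws ServletException {
		this.filterConfig = filterConfig;
		String raw = StrUtil.formatNull(filterConfig.getInitParameter(PATTERNS_PARAM));
		try {
			// Compile once here instead of on every request; a malformed regex now
			// fails filter start-up instead of turning every request into a 500.
			this.patterns = compilePatterns(raw);
		} catch (PatternSyntaxException e) {
			throw new ServletException("invalid regex in init parameter " + PATTERNS_PARAM, e);
		}
	}

	/**
	 * Splits a {@code ';'}-separated list into case-insensitive patterns.
	 * Blank entries (for example from a trailing {@code ';'}) are skipped: an
	 * empty regex matches every string and would block every request.
	 *
	 * @param xssPatterns raw init-parameter value, may be {@code null} or blank
	 * @return compiled patterns, empty when nothing is configured
	 * @throws PatternSyntaxException if an entry is not a valid regex
	 */
	static List<Pattern> compilePatterns(String xssPatterns) {
		List<Pattern> compiled = new ArrayList<>();
		if (xssPatterns == null) {
			return compiled;
		}
		for (String entry : xssPatterns.split(";")) {
			String trimmed = entry.trim();
			if (!trimmed.isEmpty()) {
				compiled.add(Pattern.compile("(?i)" + trimmed));
			}
		}
		return compiled;
	}

	/**
	 * Reports whether any pattern finds a match anywhere in {@code text}.
	 *
	 * @param text decoded query string to inspect
	 * @param patterns compiled blocklist
	 * @return {@code true} on the first match
	 */
	static boolean matchesAny(String text, List<Pattern> patterns) {
		for (Pattern pattern : patterns) {
			if (pattern.matcher(text).find()) {
				return true;
			}
		}
		return false;
	}

	@Override
	public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
			throws IOException, ServletException {
		// Nothing configured, or not an HTTP exchange: nothing to check.
		if (patterns.isEmpty() || !(request instanceof HttpServletRequest)) {
			chain.doFilter(request, response);
			return;
		}
		HttpServletRequest req = (HttpServletRequest) request;
		HttpServletResponse resp = (HttpServletResponse) response;

		String queryString = StrUtil.formatNull(req.getQueryString());
		String decoded;
		try {
			// Explicit charset: the one-argument decode() is deprecated and uses the
			// platform default. The whole query string is decoded once, as before.
			decoded = URLDecoder.decode(queryString, StandardCharsets.UTF_8.name());
		} catch (IllegalArgumentException e) {
			// Malformed percent-encoding: answer 400 instead of letting the
			// exception surface as a server error.
			resp.sendError(HttpServletResponse.SC_BAD_REQUEST);
			return;
		}

		if (matchesAny(decoded, patterns)) {
			System.out.println("检测到您发送请求中的参数中含有跨站脚本编制非法字符:" + HttpServletResponse.SC_BAD_REQUEST);
			resp.sendError(HttpServletResponse.SC_BAD_REQUEST);
			return;
		}
		chain.doFilter(request, response);
	}

	@Override
	public void destroy() {
		this.filterConfig = null;
		this.patterns = new ArrayList<>();
	}
}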

config配置

import java.util.Map;
import org.springframework.boot.web.servlet.FilterRegistrationBean;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import com.google.common.collect.Maps;
import com.XSSFilter;

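@Configuration
public class FilterConfig {
	/**
	 * Blocklist handed to XSSFilter through its {@code xss-patterns} init
	 * parameter: a ';'-separated list of regular expressions. This value is a
	 * constructed example only; replace it with the patterns the application
	 * needs. Any blocklist is incomplete, so output encoding remains the primary
	 * XSS defence.
	 */
	static final String XSS_PATTERNS = "<script;javascript:";

	/**
	 * Registers the XSS filter on every URL.
	 * <p>
	 * The {@code xss-patterns} init parameter must be supplied: XSSFilter reads
	 * it and does nothing when it is absent, which is what an empty
	 * init-parameter map produces.
	 * </p>
	 *
	 * @return the registration bean for XSSFilter
	 */
	@Bean
	public FilterRegistrationBean xssFilterRegistrationBean() {
		FilterRegistrationBean registration = new FilterRegistrationBean();
		registration.setFilter(new XSSFilter());
		registration.setOrder(1);
		registration.setEnabled(true);
		registration.addUrlPatterns("/*");

		Map<String, String> initParameters = Maps.newHashMap();
		initParameters.put("xss-patterns", XSS_PATTERNS);
		registration.setInitParameters(initParameters);
		return registration;
	}
}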

工具类

public class StrUtil {
	/**
	 * Normalises a possibly-null value to a string: {@code null} and the literal
	 * string {@code "null"} become the empty string, anything else is its
	 * {@code toString()}.
	 *
	 * @param str value to format, may be {@code null}
	 * @return the string form, never {@code null}
	 */
	public static String formatNull(Object str) {
		if (str == null) {
			return "";
		}
		if ("null".equals(str)) {
			return "";
		}
		return str.toString();
	}
}


转载自blog.csdn.net/qq_40005100/article/details/88927998