Defense against XSS attacks

As server-side developers we cannot trust anything the client sends. An order amount must not be taken from the front end, an expired token must be rejected, and so on. Besides forged data, a user can also submit script. The best-known case is the XSS (cross-site scripting) attack.

There are many XSS countermeasures on the Internet, and many of them live in the front end. Anything done in the browser can be bypassed by a client that talks to the API directly, so the server side must have its own check. Keep in mind that the primary XSS control is still encoding output at the point where it is rendered; the input filter described here is an extra layer in front of that, not a replacement for it.

In this project a servlet filter, XssFilter, is used:

import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

public class XssFilter implements Filter {
    private final Logger logger = LoggerFactory.getLogger(getClass());

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse resp = (HttpServletResponse) response;

        logger.info("uri:{}", req.getRequestURI());
        // XSS filtering: pass the chain a wrapped request whose getters return sanitised values
        chain.doFilter(new XssWrapper(req), resp);
    }
}

The work is done by new XssWrapper(req): the wrapper intercepts the request's parameter, header and attribute getters and sanitises each value with Jsoup, an HTML parser that ships with an allowlist-based cleaner. After all, a job like HTML parsing should be left to a library written for it. With that one wrapper line the filter is in place.
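The post does not show how XssFilter is wired into the application. The following is an added example, not the project's code, of registering it in a Spring Boot 2.x application; the assumption that the project is Spring Boot and that the endpoints taking user input live under /api/* is mine, so adjust the patterns to your routes.

```java
import org.springframework.boot.web.servlet.FilterRegistrationBean;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.Ordered;

/**
 * Added example (not from the original post): registers XssFilter with the
 * servlet container under Spring Boot 2.x. The /api/* pattern is an assumption.
 */
@Configuration
public class XssFilterConfig {

    @Bean
    public FilterRegistrationBean<XssFilter> xssFilterRegistration() {
        FilterRegistrationBean<XssFilter> registration = new FilterRegistrationBean<>();
        registration.setFilter(new XssFilter());
        registration.setName("xssFilter");
        // Limit the wrapper to the paths that carry user-entered form/query
        // parameters. Static resources and health checks gain nothing from it,
        // and an endpoint that intentionally accepts HTML (a rich-text editor)
        // should sanitise with its own, stricter allowlist instead.
        registration.addUrlPatterns("/api/*");
        // Lower order runs earlier. Running last lets the encoding and
        // security filters do their work first, and the controllers still see
        // the wrapped request.
        registration.setOrder(Ordered.LOWEST_PRECEDENCE);
        return registration;
    }
}
```

Scoping the URL patterns matters: the wrapper sanitises every parameter and header it is asked for, so applying it to an endpoint that legitimately accepts HTML, or to one that receives values that are never rendered as HTML, changes data for no security gain.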

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;

import cn.hutool.core.util.StrUtil; // Hutool string helpers

public class XssWrapper extends HttpServletRequestWrapper {

    /**
     * Constructs a request object wrapping the given request.
     *
     * @param request The request to wrap
     * @throws IllegalArgumentException if the request is null
     */
    public XssWrapper(HttpServletRequest request) {
        super(request);
    }

    /**
     * Filter special characters out of a multi-valued parameter.
     */
    @Override
    public String[] getParameterValues(String name) {
        String[] values = super.getParameterValues(name);
        if (values == null) {
            return null;
        }
        int count = values.length;
        String[] encodedValues = new String[count];
        for (int i = 0; i < count; i++) {
            encodedValues[i] = cleanXSS(values[i]);
        }
        return encodedValues;
    }

    /**
     * Filter special characters out of a single parameter.
     */
    @Override
    public String getParameter(String name) {
        String value = super.getParameter(name);
        if (StrUtil.isBlank(value)) {
            return value;
        }
        return cleanXSS(value);
    }

    /**
     * Get an attribute, filtering special characters if it is a String.
     */
    @Override
    public Object getAttribute(String name) {
        Object value = super.getAttribute(name);
        if (value instanceof String && StrUtil.isNotBlank((String) value)) {
            return cleanXSS((String) value);
        }
        return value;
    }

    /**
     * Filter special characters out of a request header.
     */
    @Override
    public String getHeader(String name) {
        String value = super.getHeader(name);
        if (StrUtil.isBlank(value)) {
            return value;
        }
        return cleanXSS(value);
    }

    // Delegates to the project's XssUtil, a thin wrapper around Jsoup.clean
    private String cleanXSS(String value) {
        return XssUtil.clean(value);
    }
}
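The wrapper only sanitises the getters it overrides. getParameterMap() is inherited unchanged from HttpServletRequestWrapper, and a JSON body bound with @RequestBody is read through getInputStream()/getReader(), which the wrapper never touches. The check below is an added example, not part of the original post: it drives the XssWrapper above with spring-test's MockHttpServletRequest (javax.servlet flavour, Spring 5 / Boot 2, Java 9+ for readAllBytes) and a constructed payload, shows which read paths still return the raw value, and closes the getParameterMap() gap with a small subclass. It assumes the project's XssUtil.clean strips the onerror handler, as the jsoup allowlist in the post does.

```java
import java.nio.charset.StandardCharsets;
import java.util.LinkedHashMap;
import java.util.Map;

import javax.servlet.http.HttpServletRequest;

import org.springframework.mock.web.MockHttpServletRequest;

/**
 * Added check (not from the original post): which request read paths
 * XssWrapper covers. Assumes XssWrapper/XssUtil as described in the post.
 */
public class XssWrapperCoverageCheck {

    /** Constructed sample payload. */
    static final String PAYLOAD = "<img src=x onerror=alert(1)>";

    /** Closes the getParameterMap() gap; the request body stays untouched. */
    static class MapCleaningXssWrapper extends XssWrapper {
        MapCleaningXssWrapper(HttpServletRequest request) {
            super(request);
        }

        @Override
        public Map<String, String[]> getParameterMap() {
            Map<String, String[]> cleaned = new LinkedHashMap<>();
            // Reuse XssWrapper's sanitising getParameterValues() for every key
            for (String name : super.getParameterMap().keySet()) {
                cleaned.put(name, getParameterValues(name));
            }
            return cleaned;
        }
    }

    static MockHttpServletRequest rawRequest() {
        MockHttpServletRequest raw = new MockHttpServletRequest("POST", "/comment");
        raw.setParameter("body", PAYLOAD);
        // The same payload as a JSON body, which @RequestBody reads via getInputStream()
        raw.setContentType("application/json");
        raw.setContent(("{\"body\":\"" + PAYLOAD + "\"}").getBytes(StandardCharsets.UTF_8));
        return raw;
    }

    /** True if the raw event handler survived the read path. */
    static boolean leaks(String value) {
        return value != null && value.contains("onerror");
    }

    public static void main(String[] args) throws Exception {
        XssWrapper req = new XssWrapper(rawRequest());

        // Covered: overridden in XssWrapper
        System.out.println("getParameter leaks:       " + leaks(req.getParameter("body")));
        System.out.println("getParameterValues leaks: " + leaks(req.getParameterValues("body")[0]));

        // Not covered: getParameterMap() is inherited and hands back the raw map
        System.out.println("getParameterMap leaks:    " + leaks(req.getParameterMap().get("body")[0]));

        // Not covered: the body is read through getInputStream()/getReader()
        String body = new String(req.getInputStream().readAllBytes(), StandardCharsets.UTF_8);
        System.out.println("getInputStream leaks:     " + leaks(body));

        // With the subclass the map is sanitised too; JSON bodies still need
        // their own handling, at minimum output encoding where they are rendered
        XssWrapper fixed = new MapCleaningXssWrapper(rawRequest());
        System.out.println("fixed getParameterMap leaks: " + leaks(fixed.getParameterMap().get("body")[0]));
    }
}
```

Spring's own @RequestParam and form binding go through getParameterValues()/getParameterNames(), so they are covered; any code that calls getParameterMap() directly, and every JSON endpoint, is not. That is the reason output encoding in the view layer has to stay in place regardless of this filter.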

The real work is in XssUtil.clean(value), which calls Jsoup.clean(content, "", WHITE_LIST, OUTPUT_SETTINGS). The important property is that this is an allowlist: WHITE_LIST names exactly the tags, attributes and URL protocols that may survive, and everything else (script, iframe, on* event handlers, javascript: URLs) is dropped rather than matched against a list of known-bad patterns. Looking at the list, it admits only a subset of formatting, link and table markup, which is what prevents the injected script from reaching the page. The list is in fact the same as jsoup's built-in Whitelist.relaxed() (renamed Safelist.relaxed() in jsoup 1.14.1). One side effect to be aware of: jsoup entity-encodes `<`, `>` and `&` in plain text, so a value that was never HTML (a password containing `&`, a Referer header with a query string) comes back altered by this filter.

import org.jsoup.safety.Whitelist;

private static final Whitelist WHITE_LIST = new Whitelist()
        .addTags(
                "a", "b", "blockquote", "br", "caption", "cite", "code", "col",
                "colgroup", "dd", "div", "dl", "dt", "em", "h1", "h2", "h3", "h4", "h5", "h6",
                "i", "img", "li", "ol", "p", "pre", "q", "small", "span", "strike", "strong",
                "sub", "sup", "table", "tbody", "td", "tfoot", "th", "thead", "tr", "u",
                "ul")

        .addAttributes("a", "href", "title")
        .addAttributes("blockquote", "cite")
        .addAttributes("col", "span", "width")
        .addAttributes("colgroup", "span", "width")
        .addAttributes("img", "align", "alt", "height", "src", "title", "width")
        .addAttributes("ol", "start", "type")
        .addAttributes("q", "cite")
        .addAttributes("table", "summary", "width")
        .addAttributes("td", "abbr", "axis", "colspan", "rowspan", "width")
        .addAttributes(
                "th", "abbr", "axis", "colspan", "rowspan", "scope",
                "width")
        .addAttributes("ul", "type")

        // URL-carrying attributes must also use one of these schemes, otherwise the attribute is removed
        .addProtocols("a", "href", "ftp", "http", "https", "mailto")
        .addProtocols("blockquote", "cite", "http", "https")
        .addProtocols("cite", "cite", "http", "https")
        .addProtocols("img", "src", "http", "https")
        .addProtocols("q", "cite", "http", "https");
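The post names XssUtil.clean but does not show it. The following is an added example of such a utility, not the project's own code, written against jsoup 1.14.1+ where the allowlist class is called Safelist; since the list above is identical to the built-in relaxed() list, the example uses that instead of repeating it. OUTPUT_SETTINGS is not shown in the post either, so prettyPrint(false) is an assumption, chosen because the default pretty-printer re-indents and inserts newlines into stored values. The main method runs a few constructed inputs through the cleaner to show what the allowlist keeps, what it drops, and the entity-encoding side effect on plain text.

```java
import org.jsoup.Jsoup;
import org.jsoup.nodes.Document;
import org.jsoup.safety.Safelist;

/**
 * Added example of the XssUtil the post refers to (not the project's code).
 * Requires jsoup 1.14.1 or later for Safelist; on older versions use
 * Whitelist.relaxed() with the same calls.
 */
public final class XssUtil {

    // Same tags/attributes/protocols as the hand-written list in the post
    private static final Safelist WHITE_LIST = Safelist.relaxed();

    // Assumption: prettyPrint(false) so jsoup returns the cleaned markup on one
    // line instead of re-indenting it and adding newlines
    private static final Document.OutputSettings OUTPUT_SETTINGS =
            new Document.OutputSettings().prettyPrint(false);

    private XssUtil() {
    }

    public static String clean(String content) {
        if (content == null) {
            return null;
        }
        // Empty base URI: a relative href/src cannot be resolved to an
        // absolute http(s)/ftp/mailto URL, so it fails the protocol check and
        // the attribute is dropped
        return Jsoup.clean(content, "", WHITE_LIST, OUTPUT_SETTINGS);
    }

    public static void main(String[] args) {
        // Constructed samples
        String[] samples = {
            // script is not an allowed tag; the element and its script text go
            "hi<script>alert(1)</script>",
            // onerror is not an allowed attribute of img
            "<img src=x onerror=alert(1)>",
            // javascript: is not an allowed protocol for a/href
            "<a href=\"javascript:alert(1)\">click</a>",
            // allowed markup with an allowed protocol passes through
            "<b>bold</b> <a href=\"https://example.com\">ok</a>",
            // side effect: plain text is entity-encoded, so a value that was
            // never HTML no longer equals what the user typed
            "a < b && c > d"
        };
        for (String s : samples) {
            System.out.println(s + "  =>  " + clean(s));
        }
    }
}
```

The last sample is the one to test against your own endpoints: if a parameter is stored and later compared byte-for-byte (passwords, signatures, tokens) or embedded in a non-HTML context (JSON, SQL parameters, log lines), run it past the filter or exclude that path, since the encoded form is not the value the user sent.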


Origin blog.csdn.net/lmsfv/article/details/106058188