
Java 防止XSS攻击(Spring boot Spring 方式)

时间:2020-04-11 17:57:49


Java 防止XSS攻击(Spring boot  Spring 方式)

以下方式的pom依赖都基于hutool

<dependency><groupId>cn.hutool</groupId><artifactId>hutool-all</artifactId><version>5.3.7</version></dependency>

——SpringBoot

注解方式

过滤器

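package com.xlj.xssdemo.filter;

import javax.servlet.*;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import java.io.IOException;

/**
 * Servlet filter that wraps every HTTP request in {@link XssFilterWrapper} so that downstream
 * code reads escaped parameter, header and query-string values.
 *
 * <p>Mapped to all paths by {@code @WebFilter}; the embedded container only picks the
 * annotation up through the {@code @ServletComponentScan} on the application class.
 */
@WebFilter(urlPatterns = "/*")
public class XssFilter implements Filter {

    /** No init parameters are read in this variant; the filter is stateless. */
    @Override
    public void init(FilterConfig filterConfig) {
    }

    /**
     * Passes an escaping wrapper down the chain for HTTP requests.
     *
     * <p>Non-HTTP requests are forwarded untouched instead of failing on the cast, which the
     * original unconditional {@code (HttpServletRequest)} cast would have turned into a
     * {@link ClassCastException}.
     */
    @Override
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain)
            throws IOException, ServletException {
        if (!(servletRequest instanceof HttpServletRequest)) {
            filterChain.doFilter(servletRequest, servletResponse);
            return;
        }
        XssFilterWrapper wrapped = new XssFilterWrapper((HttpServletRequest) servletRequest);
        filterChain.doFilter(wrapped, servletResponse);
    }

    @Override
    public void destroy() {
    }
}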

包装器(真正过滤逻辑)

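package com.xlj.xssdemo.filter;

import cn.hutool.core.util.EscapeUtil;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import java.util.Arrays;

/**
 * Request wrapper that hands escaped copies of header, query-string and parameter values to the
 * application, so markup-significant characters no longer reach it verbatim.
 *
 * <p>Review notes on what this covers and what it does not:
 * <ul>
 *   <li>{@link EscapeUtil#escape(CharSequence)} is hutool's equivalent of JavaScript's
 *       {@code escape()}: it percent-encodes every character except ASCII letters, digits and
 *       {@code * @ - _ + . /}. It is not an HTML entity encoder, and it is applied to every
 *       consumer of the value, not only to HTML output - spaces, {@code =}, {@code ;} and
 *       non-ASCII text are rewritten too, so free text and any header read through
 *       {@code getHeader} (e.g. {@code Content-Type}) come back altered.</li>
 *   <li>Only the four accessors overridden below are covered. {@code getParameterMap()},
 *       {@code getHeaders(String)}, cookies and the request body ({@code getReader()} /
 *       {@code getInputStream()}, i.e. JSON payloads) still return the raw values.</li>
 *   <li>Escaping on input is a mitigation layer; contextual output encoding in the view layer
 *       is still the primary control.</li>
 * </ul>
 */
public class XssFilterWrapper extends HttpServletRequestWrapper {

    public XssFilterWrapper(HttpServletRequest request) {
        super(request);
    }

    /** Keeps an absent value {@code null} regardless of how the library treats null input. */
    private static String escapeValue(String value) {
        return value == null ? null : EscapeUtil.escape(value);
    }

    @Override
    public String getHeader(String name) {
        return escapeValue(super.getHeader(name));
    }

    @Override
    public String getQueryString() {
        return escapeValue(super.getQueryString());
    }

    @Override
    public String getParameter(String name) {
        return escapeValue(super.getParameter(name));
    }

    /**
     * Returns an escaped copy of the parameter's values, or {@code null} when the parameter is
     * absent. The original fell through to a second {@code super.getParameterValues(name)} call
     * in the null case, which only repeated the lookup.
     */
    @Override
    public String[] getParameterValues(String name) {
        String[] values = super.getParameterValues(name);
        if (values == null) {
            return null;
        }
        return Arrays.stream(values).map(XssFilterWrapper::escapeValue).toArray(String[]::new);
    }
}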

启动类添加注解

package com.xlj.xssdemo;

import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.boot.web.servlet.ServletComponentScan;

/**
 * Spring Boot entry point.
 *
 * <p>The {@code @ServletComponentScan} restricted to the filter package is what makes the
 * {@code @WebFilter}-annotated {@code XssFilter} get registered on the embedded container;
 * without this scan the annotation is not honoured.
 */
@SpringBootApplication
@ServletComponentScan(basePackages = "com.xlj.xssdemo.filter")
public class XssdemoApplication {

    /** Boots the application context; command-line arguments are forwarded unchanged. */
    public static void main(String[] args) {
        Class<XssdemoApplication> primarySource = XssdemoApplication.class;
        SpringApplication.run(primarySource, args);
    }
}

配置类方式

application.properties 开启xss配置

# XSS filter configuration (consumed by XssFilterConfig through @Value)
# master switch for the filter
xss.enabled=true
# paths that are NOT filtered, comma separated
xss.excludes=/open/*
# paths the filter is mapped to, comma separated
xss.urlPatterns=/*

过滤器配置

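import cn.hutool.core.util.StrUtil;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.boot.web.servlet.FilterRegistrationBean;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

import javax.servlet.DispatcherType;
import java.util.HashMap;
import java.util.Map;

/**
 * Registers {@code XssFilter} programmatically from the {@code xss.*} properties instead of
 * relying on {@code @WebFilter} scanning.
 *
 * <p>Changes from the original: the registration bean is typed (no raw-type suppression), each
 * property has a default so a missing key no longer aborts startup, and {@code xss.enabled}
 * is wired to the registration itself - previously it was only passed on as an init parameter
 * that the filter never read, so the switch had no effect.
 */
@Configuration
public class XssFilterConfig {

    /** Master switch; defaults to on so an absent property cannot silently disable filtering. */
    @Value("${xss.enabled:true}")
    private boolean enabled;

    /** Comma-separated paths the filter must skip; forwarded as init parameter "excludes". */
    @Value("${xss.excludes:}")
    private String excludes;

    /** Comma-separated URL patterns the filter is mapped to. */
    @Value("${xss.urlPatterns:/*}")
    private String urlPatterns;

    /**
     * Builds the filter registration.
     *
     * @return registration for {@code XssFilter} on the configured URL patterns
     */
    @Bean
    public FilterRegistrationBean<XssFilter> xssFilterRegistration() {
        FilterRegistrationBean<XssFilter> registration = new FilterRegistrationBean<>();
        registration.setDispatcherTypes(DispatcherType.REQUEST);
        registration.setFilter(new XssFilter());
        registration.addUrlPatterns(StrUtil.split(urlPatterns, ","));
        registration.setName("xssFilter");
        // Integer.MAX_VALUE is the lowest precedence: every other registered filter runs before
        // this one and therefore still sees the unescaped request. Lower the order if earlier
        // filters consume parameters or headers.
        registration.setOrder(Integer.MAX_VALUE);
        // Disabling the registration makes the switch effective even if the filter itself
        // ignores its init parameters.
        registration.setEnabled(enabled);
        Map<String, String> initParameters = new HashMap<>();
        initParameters.put("excludes", excludes);
        initParameters.put("enabled", String.valueOf(enabled));
        registration.setInitParameters(initParameters);
        return registration;
    }
}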

防止XSS攻击的过滤器

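package com.xlj.xssdemo.filter;

import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import java.io.IOException;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;

/**
 * XSS filter registered programmatically by {@code XssFilterConfig}. It wraps HTTP requests in
 * {@link XssFilterWrapper} and honours the two init parameters the configuration passes in.
 *
 * <p>In the original version {@code init} was empty, so {@code xss.enabled} and
 * {@code xss.excludes} were accepted by the configuration but had no effect: every path,
 * including the ones listed as excluded, was filtered.
 *
 * <p>Init parameters (both optional; the defaults reproduce the old always-on behaviour):
 * <ul>
 *   <li>{@code enabled} - any value other than "false" (case-insensitive) keeps the filter on;</li>
 *   <li>{@code excludes} - comma-separated request paths, relative to the context path, that are
 *       passed through unwrapped. A pattern ending in "/*" covers that prefix and everything
 *       below it, a pattern ending in "*" is a plain prefix, anything else must match exactly.</li>
 * </ul>
 */
public class XssFilter implements Filter {

    private static final String INIT_PARAM_ENABLED = "enabled";
    private static final String INIT_PARAM_EXCLUDES = "excludes";

    private boolean enabled = true;
    private List<String> excludes = Collections.emptyList();

    /** Reads the optional {@code enabled} and {@code excludes} init parameters. */
    @Override
    public void init(FilterConfig filterConfig) {
        if (filterConfig == null) {
            return;
        }
        String enabledValue = filterConfig.getInitParameter(INIT_PARAM_ENABLED);
        // Only an explicit "false" disables the filter; a missing or odd value fails safe (on).
        enabled = enabledValue == null || !"false".equalsIgnoreCase(enabledValue.trim());
        excludes = parseExcludes(filterConfig.getInitParameter(INIT_PARAM_EXCLUDES));
    }

    /**
     * Wraps the request unless the filter is disabled, the request is not HTTP, or its path is
     * excluded. Non-HTTP requests used to hit an unconditional cast; they are passed through now.
     */
    @Override
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain)
            throws IOException, ServletException {
        if (!enabled || !(servletRequest instanceof HttpServletRequest)) {
            filterChain.doFilter(servletRequest, servletResponse);
            return;
        }
        HttpServletRequest request = (HttpServletRequest) servletRequest;
        if (isExcluded(pathWithinContext(request))) {
            filterChain.doFilter(servletRequest, servletResponse);
            return;
        }
        filterChain.doFilter(new XssFilterWrapper(request), servletResponse);
    }

    @Override
    public void destroy() {
    }

    /** Splits the comma-separated exclude list, trimming entries and dropping empty ones. */
    private static List<String> parseExcludes(String raw) {
        if (raw == null || raw.trim().isEmpty()) {
            return Collections.emptyList();
        }
        List<String> patterns = new ArrayList<>();
        for (String entry : raw.split(",")) {
            String pattern = entry.trim();
            if (!pattern.isEmpty()) {
                patterns.add(pattern);
            }
        }
        return Collections.unmodifiableList(patterns);
    }

    /**
     * Path relative to the context, built from the container-decoded and normalised
     * {@code servletPath} + {@code pathInfo}. {@code getRequestURI()} is deliberately not used:
     * it is the raw form, so encoding or dot-segments could make it differ from the path the
     * container actually dispatches on.
     */
    private static String pathWithinContext(HttpServletRequest request) {
        String servletPath = request.getServletPath();
        String pathInfo = request.getPathInfo();
        StringBuilder path = new StringBuilder();
        if (servletPath != null) {
            path.append(servletPath);
        }
        if (pathInfo != null) {
            path.append(pathInfo);
        }
        return path.toString();
    }

    private boolean isExcluded(String path) {
        for (String pattern : excludes) {
            if (matches(pattern, path)) {
                return true;
            }
        }
        return false;
    }

    /** Servlet-style match: "/open/*" covers "/open" and "/open/...", "x*" is a prefix, else exact. */
    private static boolean matches(String pattern, String path) {
        if (pattern.endsWith("/*")) {
            String base = pattern.substring(0, pattern.length() - 2);
            return path.equals(base) || path.startsWith(base + "/");
        }
        if (pattern.endsWith("*")) {
            return path.startsWith(pattern.substring(0, pattern.length() - 1));
        }
        return path.equals(pattern);
    }
}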

XSS过滤处理

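package com.xlj.xssdemo.filter;

import cn.hutool.core.util.EscapeUtil;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import java.util.Arrays;

/**
 * Request wrapper that hands escaped copies of header, query-string and parameter values to the
 * application, so markup-significant characters no longer reach it verbatim.
 *
 * <p>Review notes on what this covers and what it does not:
 * <ul>
 *   <li>{@link EscapeUtil#escape(CharSequence)} is hutool's equivalent of JavaScript's
 *       {@code escape()}: it percent-encodes every character except ASCII letters, digits and
 *       {@code * @ - _ + . /}. It is not an HTML entity encoder, and it is applied to every
 *       consumer of the value, not only to HTML output - spaces, {@code =}, {@code ;} and
 *       non-ASCII text are rewritten too, so free text and any header read through
 *       {@code getHeader} (e.g. {@code Content-Type}) come back altered.</li>
 *   <li>Only the four accessors overridden below are covered. {@code getParameterMap()},
 *       {@code getHeaders(String)}, cookies and the request body ({@code getReader()} /
 *       {@code getInputStream()}, i.e. JSON payloads) still return the raw values.</li>
 *   <li>Escaping on input is a mitigation layer; contextual output encoding in the view layer
 *       is still the primary control.</li>
 * </ul>
 */
public class XssFilterWrapper extends HttpServletRequestWrapper {

    public XssFilterWrapper(HttpServletRequest request) {
        super(request);
    }

    /** Keeps an absent value {@code null} regardless of how the library treats null input. */
    private static String escapeValue(String value) {
        return value == null ? null : EscapeUtil.escape(value);
    }

    @Override
    public String getHeader(String name) {
        return escapeValue(super.getHeader(name));
    }

    @Override
    public String getQueryString() {
        return escapeValue(super.getQueryString());
    }

    @Override
    public String getParameter(String name) {
        return escapeValue(super.getParameter(name));
    }

    /**
     * Returns an escaped copy of the parameter's values, or {@code null} when the parameter is
     * absent. The original fell through to a second {@code super.getParameterValues(name)} call
     * in the null case, which only repeated the lookup.
     */
    @Override
    public String[] getParameterValues(String name) {
        String[] values = super.getParameterValues(name);
        if (values == null) {
            return null;
        }
        return Arrays.stream(values).map(XssFilterWrapper::escapeValue).toArray(String[]::new);
    }
}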

——Spring

添加的 pom 依赖

<dependency><groupId>cn.hutool</groupId><artifactId>hutool-all</artifactId><version>5.3.7</version></dependency>

web.xml开启过滤配置

<!-- XSS mitigation: declare the request-wrapping filter -->
<filter>
    <filter-name>xssFilter</filter-name>
    <!-- "XXX." is the author's placeholder: replace with the real package of XssFilter -->
    <filter-class>XXX.XssFilter</filter-class>
</filter>
<!-- XSS mitigation: map the filter.
     NOTE(review): "/*" is the catch-all form the Servlet spec defines; a bare "*" is not one
     of the documented pattern forms ("/...", "/.../*", "*.ext") - confirm the target container
     accepts it before relying on it. -->
<filter-mapping>
    <filter-name>xssFilter</filter-name>
    <url-pattern>*</url-pattern>
</filter-mapping>

防止XSS攻击的过滤器

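package com.ctrip.hotel.octopus.pdp.web.filter;

import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import java.io.IOException;

/**
 * Servlet filter, registered through {@code web.xml}, that wraps every HTTP request in
 * {@link XssFilterWrapper} so downstream code reads escaped parameter, header and query-string
 * values.
 */
public class XssFilter implements Filter {

    /** No init parameters are read in this variant; the filter is stateless. */
    @Override
    public void init(FilterConfig filterConfig) {
    }

    /**
     * Passes an escaping wrapper down the chain for HTTP requests.
     *
     * <p>Non-HTTP requests are forwarded untouched instead of failing on the cast, which the
     * original unconditional {@code (HttpServletRequest)} cast would have turned into a
     * {@link ClassCastException}.
     */
    @Override
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain)
            throws IOException, ServletException {
        if (!(servletRequest instanceof HttpServletRequest)) {
            filterChain.doFilter(servletRequest, servletResponse);
            return;
        }
        XssFilterWrapper wrapped = new XssFilterWrapper((HttpServletRequest) servletRequest);
        filterChain.doFilter(wrapped, servletResponse);
    }

    @Override
    public void destroy() {
    }
}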

XSS过滤处理

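package com.ctrip.hotel.octopus.pdp.web.filter;

import cn.hutool.core.util.EscapeUtil;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import java.util.Arrays;

/**
 * Request wrapper that hands escaped copies of header, query-string and parameter values to the
 * application, so markup-significant characters no longer reach it verbatim.
 *
 * <p>The listing as published imported {@code com.ctrip.vul.VulDef} (unused) and not
 * {@code EscapeUtil}, so it did not compile; the hutool import matches the dependency this
 * section declares.
 *
 * <p>Review notes on what this covers and what it does not:
 * <ul>
 *   <li>{@link EscapeUtil#escape(CharSequence)} is hutool's equivalent of JavaScript's
 *       {@code escape()}: it percent-encodes every character except ASCII letters, digits and
 *       {@code * @ - _ + . /}. It is not an HTML entity encoder, and it is applied to every
 *       consumer of the value, not only to HTML output - spaces, {@code =}, {@code ;} and
 *       non-ASCII text are rewritten too, so free text and any header read through
 *       {@code getHeader} (e.g. {@code Content-Type}) come back altered.</li>
 *   <li>Only the four accessors overridden below are covered. {@code getParameterMap()},
 *       {@code getHeaders(String)}, cookies and the request body ({@code getReader()} /
 *       {@code getInputStream()}, i.e. JSON payloads) still return the raw values.</li>
 *   <li>Escaping on input is a mitigation layer; contextual output encoding in the view layer
 *       is still the primary control.</li>
 * </ul>
 */
public class XssFilterWrapper extends HttpServletRequestWrapper {

    public XssFilterWrapper(HttpServletRequest request) {
        super(request);
    }

    /** Keeps an absent value {@code null} regardless of how the library treats null input. */
    private static String escapeValue(String value) {
        return value == null ? null : EscapeUtil.escape(value);
    }

    @Override
    public String getHeader(String name) {
        return escapeValue(super.getHeader(name));
    }

    @Override
    public String getQueryString() {
        return escapeValue(super.getQueryString());
    }

    @Override
    public String getParameter(String name) {
        return escapeValue(super.getParameter(name));
    }

    /**
     * Returns an escaped copy of the parameter's values, or {@code null} when the parameter is
     * absent. The original fell through to a second {@code super.getParameterValues(name)} call
     * in the null case, which only repeated the lookup.
     */
    @Override
    public String[] getParameterValues(String name) {
        String[] values = super.getParameterValues(name);
        if (values == null) {
            return null;
        }
        return Arrays.stream(values).map(XssFilterWrapper::escapeValue).toArray(String[]::new);
    }
}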
