1 . pom中增加依赖
<!-- xss过滤组件 --> <dependency> <groupId>org.jsoup</groupId> <artifactId>jsoup</artifactId> <version>1.9.2</version> </dependency>
2 . 增加标签处理类
package com.xbz.utils; import org.apache.commons.lang3.StringUtils; import org.jsoup.Jsoup; import org.jsoup.nodes.Document; import org.jsoup.safety.Whitelist; import java.io.IOException; /** * xss非法标签过滤工具类 * 过滤html中的xss字符 * @author xbz */ public class JsoupUtil { /** * 使用自带的basicWithImages 白名单 * 允许的便签有a,b,blockquote,br,cite,code,dd,dl,dt,em,i,li,ol,p,pre,q,small,span, * strike,strong,sub,sup,u,ul,img * 以及a标签的href,img标签的src,align,alt,height,width,title属性 */ private static final Whitelist whitelist = Whitelist.basicWithImages(); /** 配置过滤化参数,不对代码进行格式化 */ private static final Document.OutputSettings outputSettings = new Document.OutputSettings().prettyPrint(false); static { // 富文本编辑时一些样式是使用style来进行实现的 // 比如红色字体 style="color:red;" // 所以需要给所有标签添加style属性 whitelist.addAttributes(":all", "style"); } public static String clean(String content) { if(StringUtils.isNotBlank(content)){ content = content.trim(); } return Jsoup.clean(content, "", whitelist, outputSettings); } public static void main(String[] args) throws IOException { String text = " <a href="http://www.baidu.com/a" onclick="alert(1);">sss</a><script>alert(0);</script>sss "; System.out.println(clean(text)); } }
3 . 重写请求参数处理函数
package com.xbz.web.common.filter; import com.xbz.utils.JsoupUtil; import org.apache.commons.lang3.StringUtils; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletRequestWrapper; /** * <code>{@link XssHttpServletRequestWrapper}</code> * @author */ public class XssHttpServletRequestWrapper extends HttpServletRequestWrapper { HttpServletRequest orgRequest = null; private boolean isIncludeRichText = false; public XssHttpServletRequestWrapper(HttpServletRequest request, boolean isIncludeRichText) { super(request); orgRequest = request; this.isIncludeRichText = isIncludeRichText; } /** * 覆盖getParameter方法,将参数名和参数值都做xss过滤。<br/> * 如果需要获得原始的值,则通过super.getParameterValues(name)来获取<br/> * getParameterNames,getParameterValues和getParameterMap也可能需要覆盖 */ @Override public String getParameter(String name) { Boolean flag = ("content".equals(name) || name.endsWith("WithHtml")); if( flag && !isIncludeRichText){ return super.getParameter(name); } name = JsoupUtil.clean(name); String value = super.getParameter(name); if (StringUtils.isNotBlank(value)) { value = JsoupUtil.clean(value); } return value; } @Override public String[] getParameterValues(String name) { String[] arr = super.getParameterValues(name); if(arr != null){ for (int i=0;i<arr.length;i++) { arr[i] = JsoupUtil.clean(arr[i]); } } return arr; } /** * 覆盖getHeader方法,将参数名和参数值都做xss过滤。<br/> * 如果需要获得原始的值,则通过super.getHeaders(name)来获取<br/> * getHeaderNames 也可能需要覆盖 */ @Override public String getHeader(String name) { name = JsoupUtil.clean(name); String value = super.getHeader(name); if (StringUtils.isNotBlank(value)) { value = JsoupUtil.clean(value); } return value; } /** * 获取最原始的request * * @return */ public HttpServletRequest getOrgRequest() { return orgRequest; } /** * 获取最原始的request的静态方法 * * @return */ public static HttpServletRequest getOrgRequest(HttpServletRequest req) { if (req instanceof XssHttpServletRequestWrapper) { return ((XssHttpServletRequestWrapper) req).getOrgRequest(); } return req; } }
4 . 编写XSSFilter
package com.xbz.web.common.filter; import org.apache.commons.lang3.BooleanUtils; import org.apache.commons.lang3.StringUtils; import org.apache.logging.log4j.LogManager; import org.apache.logging.log4j.Logger; import javax.servlet.*; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import java.io.IOException; import java.util.ArrayList; import java.util.List; import java.util.regex.Matcher; import java.util.regex.Pattern; /** * 拦截防止xss注入 * 通过Jsoup过滤请求参数内的特定字符 * @author yangwk */ public class XssFilter implements Filter { private static final Logger logger = LogManager.getLogger(); /** * 是否过滤富文本内容 */ private static boolean IS_INCLUDE_RICH_TEXT = false; public List<String> excludes = new ArrayList<>(); @Override public void doFilter(ServletRequest request, ServletResponse response, FilterChain filterChain) throws IOException,ServletException { if(logger.isDebugEnabled()){ logger.debug("xss filter is open"); } HttpServletRequest req = (HttpServletRequest) request; HttpServletResponse resp = (HttpServletResponse) response; if(handleExcludeURL(req, resp)){ filterChain.doFilter(request, response); return; } XssHttpServletRequestWrapper xssRequest = new XssHttpServletRequestWrapper((HttpServletRequest) request,IS_INCLUDE_RICH_TEXT); filterChain.doFilter(xssRequest, response); } private boolean handleExcludeURL(HttpServletRequest request, HttpServletResponse response) { if (excludes == null || excludes.isEmpty()) { return false; } String url = request.getServletPath(); for (String pattern : excludes) { Pattern p = Pattern.compile("^" + pattern); Matcher m = p.matcher(url); if (m.find()) { return true; } } return false; } @Override public void init(FilterConfig filterConfig) throws ServletException { if(logger.isDebugEnabled()){ logger.debug("xss filter init ===================="); } String isIncludeRichText = filterConfig.getInitParameter("isIncludeRichText"); if(StringUtils.isNotBlank(isIncludeRichText)){ IS_INCLUDE_RICH_TEXT = BooleanUtils.toBoolean(isIncludeRichText); } String temp = filterConfig.getInitParameter("excludes"); if (temp != null) { String[] url = temp.split(","); for (int i = 0; url != null && i < url.length; i++) { excludes.add(url[i]); } } } @Override public void destroy() {} }
5 . 增加XSS配置
package com.xbz.web.common.config; import com.xbz.web.common.filter.XssFilter; import com.google.common.collect.Maps; import org.springframework.boot.web.servlet.FilterRegistrationBean; import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.Configuration; import java.util.Map; @Configuration public class XssConfig{ /** * xss过滤拦截器 */ @Bean public FilterRegistrationBean xssFilterRegistrationBean() { FilterRegistrationBean filterRegistrationBean = new FilterRegistrationBean(); filterRegistrationBean.setFilter(new XssFilter()); filterRegistrationBean.setOrder(1); filterRegistrationBean.setEnabled(true); filterRegistrationBean.addUrlPatterns("/*"); Map<String, String> initParameters = Maps.newHashMap(); initParameters.put("excludes", "/favicon.ico,/img/*,/js/*,/css/*"); initParameters.put("isIncludeRichText", "true"); filterRegistrationBean.setInitParameters(initParameters); return filterRegistrationBean; } }
大功告成, 另外SpringMVC版本的XSS防范请参考另一篇文章SpringMVC防止XSS攻击
转自https://blog.csdn.net/xingbaozhen1210/article/details/78860079