SpringBoot防XSS攻击

1 . pom中增加依赖

<!-- xss过滤组件 -->
<dependency><groupId>org.jsoup</groupId><artifactId>jsoup</artifactId><version>1.9.2</version>
</dependency>

2 . 增加标签处理类

package com.xbz.utils;import org.apache.commons.lang3.StringUtils;
import org.jsoup.Jsoup;
import org.jsoup.nodes.Document;
import org.jsoup.safety.Whitelist;import java.io.IOException;/*** xss非法标签过滤工具类* 过滤html中的xss字符* @author xbz*/
public class JsoupUtil {/*** 使用自带的basicWithImages 白名单* 允许的便签有a,b,blockquote,br,cite,code,dd,dl,dt,em,i,li,ol,p,pre,q,small,span,* strike,strong,sub,sup,u,ul,img* 以及a标签的href,img标签的src,align,alt,height,width,title属性*/private static final Whitelist whitelist = Whitelist.basicWithImages();/** 配置过滤化参数,不对代码进行格式化 */private static final Document.OutputSettings outputSettings = new Document.OutputSettings().prettyPrint(false);static {// 富文本编辑时一些样式是使用style来进行实现的// 比如红色字体 style="color:red;"// 所以需要给所有标签添加style属性whitelist.addAttributes(":all", "style");}public static String clean(String content) {if(StringUtils.isNotBlank(content)){content = content.trim();}return Jsoup.clean(content, "", whitelist, outputSettings);}public static void main(String[] args) throws IOException {String text = "   <a href=\"http://www.baidu.com/a\" οnclick=\"alert(1);\">sss</a><script>alert(0);</script>sss   ";System.out.println(clean(text));}
}

3 . 重写请求参数处理函数

package com.xbz.web.common.filter;import com.xbz.utils.JsoupUtil;
import org.apache.commons.lang3.StringUtils;import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;/** * <code>{@link XssHttpServletRequestWrapper}</code>* @author*/
public class XssHttpServletRequestWrapper extends HttpServletRequestWrapper {  HttpServletRequest orgRequest = null;  private boolean isIncludeRichText = false;public XssHttpServletRequestWrapper(HttpServletRequest request, boolean isIncludeRichText) {  super(request);  orgRequest = request;this.isIncludeRichText = isIncludeRichText;}  /** * 覆盖getParameter方法，将参数名和参数值都做xss过滤。<br/> * 如果需要获得原始的值，则通过super.getParameterValues(name)来获取<br/> * getParameterNames,getParameterValues和getParameterMap也可能需要覆盖 */  @Override  public String getParameter(String name) {Boolean flag = ("content".equals(name) || name.endsWith("WithHtml"));if( flag && !isIncludeRichText){return super.getParameter(name);}name = JsoupUtil.clean(name);String value = super.getParameter(name);  if (StringUtils.isNotBlank(value)) {value = JsoupUtil.clean(value);}return value;  }  @Overridepublic String[] getParameterValues(String name) {String[] arr = super.getParameterValues(name);if(arr != null){for (int i=0;i<arr.length;i++) {arr[i] = JsoupUtil.clean(arr[i]);}}return arr;}/** * 覆盖getHeader方法，将参数名和参数值都做xss过滤。<br/> * 如果需要获得原始的值，则通过super.getHeaders(name)来获取<br/> * getHeaderNames 也可能需要覆盖 */  @Override  public String getHeader(String name) {  name = JsoupUtil.clean(name);String value = super.getHeader(name);  if (StringUtils.isNotBlank(value)) {  value = JsoupUtil.clean(value); }  return value;  }  /** * 获取最原始的request * * @return */  public HttpServletRequest getOrgRequest() {  return orgRequest;  }  /** * 获取最原始的request的静态方法 * * @return */  public static HttpServletRequest getOrgRequest(HttpServletRequest req) {  if (req instanceof XssHttpServletRequestWrapper) {  return ((XssHttpServletRequestWrapper) req).getOrgRequest();  }  return req;  }  }

4 . 编写XSSFilter

package com.xbz.web.common.filter;import org.apache.commons.lang3.BooleanUtils;
import org.apache.commons.lang3.StringUtils;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;/** * 拦截防止xss注入* 通过Jsoup过滤请求参数内的特定字符* @author yangwk */
public class XssFilter implements Filter {  private static final Logger logger = LogManager.getLogger();/*** 是否过滤富文本内容*/private static boolean IS_INCLUDE_RICH_TEXT = false;public List<String> excludes = new ArrayList<>();@Overridepublic void doFilter(ServletRequest request, ServletResponse response, FilterChain filterChain) throws IOException,ServletException {if(logger.isDebugEnabled()){logger.debug("xss filter is open");}HttpServletRequest req = (HttpServletRequest) request;HttpServletResponse resp = (HttpServletResponse) response;if(handleExcludeURL(req, resp)){filterChain.doFilter(request, response);return;}XssHttpServletRequestWrapper xssRequest = new XssHttpServletRequestWrapper((HttpServletRequest) request,IS_INCLUDE_RICH_TEXT);filterChain.doFilter(xssRequest, response);}private boolean handleExcludeURL(HttpServletRequest request, HttpServletResponse response) {if (excludes == null || excludes.isEmpty()) {return false;}String url = request.getServletPath();for (String pattern : excludes) {Pattern p = Pattern.compile("^" + pattern);Matcher m = p.matcher(url);if (m.find()) {return true;}}return false;}@Overridepublic void init(FilterConfig filterConfig) throws ServletException {if(logger.isDebugEnabled()){logger.debug("xss filter init ====================");}String isIncludeRichText = filterConfig.getInitParameter("isIncludeRichText");if(StringUtils.isNotBlank(isIncludeRichText)){IS_INCLUDE_RICH_TEXT = BooleanUtils.toBoolean(isIncludeRichText);}String temp = filterConfig.getInitParameter("excludes");if (temp != null) {String[] url = temp.split(",");for (int i = 0; url != null && i < url.length; i++) {excludes.add(url[i]);}}}@Overridepublic void destroy() {}  }

5 . 增加XSS配置

package com.xbz.web.common.config;import com.xbz.web.common.filter.XssFilter;
import com.google.common.collect.Maps;
import org.springframework.boot.web.servlet.FilterRegistrationBean;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;import java.util.Map;@Configuration
public class XssConfig{/*** xss过滤拦截器*/@Beanpublic FilterRegistrationBean xssFilterRegistrationBean() {FilterRegistrationBean filterRegistrationBean = new FilterRegistrationBean();filterRegistrationBean.setFilter(new XssFilter());filterRegistrationBean.setOrder(1);filterRegistrationBean.setEnabled(true);filterRegistrationBean.addUrlPatterns("/*");Map<String, String> initParameters = Maps.newHashMap();initParameters.put("excludes", "/favicon.ico,/img/*,/js/*,/css/*");initParameters.put("isIncludeRichText", "true");filterRegistrationBean.setInitParameters(initParameters);return filterRegistrationBean;}
}

大功告成, 另外SpringMVC版本的XSS防范请参考另一篇文章SpringMVC防止XSS攻击

SpringBoot防XSS攻击相关推荐

AntiSamy：防 XSS 攻击的一种解决方案使用教程
AntiSamy:防 XSS 攻击的一种解决方案使用教程 1. XSS 介绍 2. AntiSamy 介绍 3. AntiSamy 使用 3.1 导入依赖 3.2 选择策略文件 3.3 SpringB ...
tp5防止sql注入mysql_TP5框架《防sql注入、防xss攻击》
版权声明:本文为博主原创文章,转载请注明原文出处! https://blog.csdn.net/qq_23375733/article/details/86606630 如题:tp5怎么防sql注入 ...
springboot防止XSS攻击和sql注入
文章目录 1. XSS跨站脚本攻击 ①:XSS漏洞介绍 ②:XSS漏洞分类 ③:防护建议 2. SQL注入攻击 ①:SQL注入漏洞介绍 ②:防护建议 3. SpringBoot中如何防止XSS攻击和s ...
springboot2.x使用Jsoup防 XSS 攻击
后端应用经常接收各种信息参数,例如评论,回复等文本内容.除了一些场景下面,可以特定接受的富文本标签和属性之外(如:b,ul,li,h1, h2, h3-),需要过滤掉危险的字符和标签,防止xss攻击. ...
SpringBoot 防止XSS攻击和SQL攻击拦截器(Filter)
什么是SQL攻击.什么是XSS攻击 SQL 攻击:把SQL命令插入到Web表单并提交,欺骗服务器执行恶意的SQL命令. XSS 攻击:向有XSS漏洞的网站中输入(传入)恶意的HTML代码,当其它用户浏 ...
post攻击 xxs_[BUGCASE]CI框架的post方法对url做了防xss攻击的处理引发的文件编码错误...
一.问题描述页面报错,没法下载二.问题分析 1.初步分析通过查看相关代码可以了解到文件下载的过程如下: 取到下载链接中的mid参数对mid先后进行url解码和base64解码将解码后的字符串 ...
SpringBoot2.0系列教程（十三）Springboot防止XSS攻击
Hello大家好,本章我们添加防止XSS攻击功能 .有问题可以加我VX:Mrchuchen. 一:什么是XSS XSS攻击全称跨站脚本攻击,是一种在web应用中的计算机安全漏洞,它允许恶意web用户将 ...
SpringBoot 抵御XSS攻击
抵御XSS攻击 1.XSS攻击的危害 2.抵御XSS的实现 1.导入Hutool的依赖库 2.定义请求包装类 3.测试 1.XSS攻击的危害 XSS攻击通常指的是通过利用网页开发时留下的漏洞,通过巧妙 ...
java防XSS攻击的关键词过滤实现
继承HttpServletRequestWrapper,实现对请求参数的过滤/*** xss请求适配器*/ public class XssHttpServletRequestWrapper exte ...

SpringBoot防XSS攻击

SpringBoot防XSS攻击相关推荐

最新文章

热门文章