SpringBoot防XSS攻击

1 . pom中增加依赖

<!-- xss过滤组件 --><dependency>  <groupId>org.jsoup</groupId>  <artifactId>jsoup</artifactId>  <version>1.9.2</version></dependency>

2 . 增加标签处理类

package com.xbz.utils;import org.apache.commons.lang3.StringUtils;import org.jsoup.Jsoup;import org.jsoup.nodes.Document;import org.jsoup.safety.Whitelist;import java.io.IOException;/** * xss非法标签过滤工具类 * 过滤html中的xss字符 * @author xbz */public class JsoupUtil {/** * 使用自带的basicWithImages 白名单 * 允许的便签有a,b,blockquote,br,cite,code,dd,dl,dt,em,i,li,ol,p,pre,q,small,span, * strike,strong,sub,sup,u,ul,img * 以及a标签的href,img标签的src,align,alt,height,width,title属性 */private static final Whitelist whitelist = Whitelist.basicWithImages();/** 配置过滤化参数,不对代码进行格式化 */private static final Document.OutputSettings outputSettings = new Document.OutputSettings().prettyPrint(false);static {// 富文本编辑时一些样式是使用style来进行实现的// 比如红色字体 style="color:red;"// 所以需要给所有标签添加style属性whitelist.addAttributes(":all", "style");}public static String clean(String content) {    if(StringUtils.isNotBlank(content)){        content = content.trim();        }        return Jsoup.clean(content, "", whitelist, outputSettings);}public static void main(String[] args) throws IOException {String text = "   <a href=\"http://www.baidu.com/a\" onclick=\"alert(1);\">sss</a><script>alert(0);</script>sss   ";System.out.println(clean(text));}}

3 . 重写请求参数处理函数

package com.xbz.web.common.filter;import com.xbz.utils.JsoupUtil;import org.apache.commons.lang3.StringUtils;import javax.servlet.http.HttpServletRequest;import javax.servlet.http.HttpServletRequestWrapper;/**  * <code>{@link XssHttpServletRequestWrapper}</code> * @author */  public class XssHttpServletRequestWrapper extends HttpServletRequestWrapper {      HttpServletRequest orgRequest = null;      private boolean isIncludeRichText = false;      public XssHttpServletRequestWrapper(HttpServletRequest request, boolean isIncludeRichText) {          super(request);          orgRequest = request;        this.isIncludeRichText = isIncludeRichText;    }        /**     * 覆盖getParameter方法，将参数名和参数值都做xss过滤。<br/>     * 如果需要获得原始的值，则通过super.getParameterValues(name)来获取<br/>     * getParameterNames,getParameterValues和getParameterMap也可能需要覆盖     */      @Override      public String getParameter(String name) {        Boolean flag = ("content".equals(name) || name.endsWith("WithHtml"));        if( flag && !isIncludeRichText){            return super.getParameter(name);        }        name = JsoupUtil.clean(name);        String value = super.getParameter(name);          if (StringUtils.isNotBlank(value)) {            value = JsoupUtil.clean(value);        }        return value;      }          @Override    public String[] getParameterValues(String name) {    String[] arr = super.getParameterValues(name);    if(arr != null){    for (int i=0;i<arr.length;i++) {    arr[i] = JsoupUtil.clean(arr[i]);    }    }    return arr;    }          /**     * 覆盖getHeader方法，将参数名和参数值都做xss过滤。<br/>     * 如果需要获得原始的值，则通过super.getHeaders(name)来获取<br/>     * getHeaderNames 也可能需要覆盖     */      @Override      public String getHeader(String name) {          name = JsoupUtil.clean(name);        String value = super.getHeader(name);          if (StringUtils.isNotBlank(value)) {              value = JsoupUtil.clean(value);         }          return value;      }        /**     * 获取最原始的request     *     * @return     */      public HttpServletRequest getOrgRequest() {          return orgRequest;      }        /**     * 获取最原始的request的静态方法     *     * @return     */      public static HttpServletRequest getOrgRequest(HttpServletRequest req) {          if (req instanceof XssHttpServletRequestWrapper) {              return ((XssHttpServletRequestWrapper) req).getOrgRequest();          }            return req;      }    }  

4 . 编写XSSFilter

package com.xbz.web.common.filter;import org.apache.commons.lang3.BooleanUtils;import org.apache.commons.lang3.StringUtils;import org.apache.logging.log4j.LogManager;import org.apache.logging.log4j.Logger;import javax.servlet.*;import javax.servlet.http.HttpServletRequest;import javax.servlet.http.HttpServletResponse;import java.io.IOException;import java.util.ArrayList;import java.util.List;import java.util.regex.Matcher;import java.util.regex.Pattern;  /**  * 拦截防止xss注入 * 通过Jsoup过滤请求参数内的特定字符 * @author yangwk  */  public class XssFilter implements Filter {  private static final Logger logger = LogManager.getLogger();/** * 是否过滤富文本内容 */private static boolean IS_INCLUDE_RICH_TEXT = false;public List<String> excludes = new ArrayList<>();      @Overridepublic void doFilter(ServletRequest request, ServletResponse response, FilterChain filterChain) throws IOException,ServletException {    if(logger.isDebugEnabled()){  logger.debug("xss filter is open");  }    HttpServletRequest req = (HttpServletRequest) request;HttpServletResponse resp = (HttpServletResponse) response;  if(handleExcludeURL(req, resp)){  filterChain.doFilter(request, response);return;}    XssHttpServletRequestWrapper xssRequest = new XssHttpServletRequestWrapper((HttpServletRequest) request,IS_INCLUDE_RICH_TEXT);  filterChain.doFilter(xssRequest, response);    }        private boolean handleExcludeURL(HttpServletRequest request, HttpServletResponse response) {if (excludes == null || excludes.isEmpty()) {return false;}String url = request.getServletPath();for (String pattern : excludes) {Pattern p = Pattern.compile("^" + pattern);Matcher m = p.matcher(url);if (m.find()) {return true;}}return false;}@Overridepublic void init(FilterConfig filterConfig) throws ServletException {if(logger.isDebugEnabled()){logger.debug("xss filter init ====================");}String isIncludeRichText = filterConfig.getInitParameter("isIncludeRichText");if(StringUtils.isNotBlank(isIncludeRichText)){IS_INCLUDE_RICH_TEXT = BooleanUtils.toBoolean(isIncludeRichText);}String temp = filterConfig.getInitParameter("excludes");if (temp != null) {String[] url = temp.split(",");for (int i = 0; url != null && i < url.length; i++) {excludes.add(url[i]);}}}@Overridepublic void destroy() {}    }  

5 .  增加XSS配置

package com.xbz.web.common.config;import com.xbz.web.common.filter.XssFilter;import com.google.common.collect.Maps;import org.springframework.boot.web.servlet.FilterRegistrationBean;import org.springframework.context.annotation.Bean;import org.springframework.context.annotation.Configuration;import java.util.Map;@Configurationpublic class XssConfig{/** * xss过滤拦截器 */@Beanpublic FilterRegistrationBean xssFilterRegistrationBean() {FilterRegistrationBean filterRegistrationBean = new FilterRegistrationBean();filterRegistrationBean.setFilter(new XssFilter());filterRegistrationBean.setOrder(1);filterRegistrationBean.setEnabled(true);filterRegistrationBean.addUrlPatterns("/*");Map<String, String> initParameters = Maps.newHashMap();initParameters.put("excludes", "/favicon.ico,/img/*,/js/*,/css/*");initParameters.put("isIncludeRichText", "true");filterRegistrationBean.setInitParameters(initParameters);return filterRegistrationBean;}}

大功告成, 另外SpringMVC版本的XSS防范请参考另一篇文章SpringMVC防止XSS攻击