Spring过滤参数中的xss


web.xml中配置

<!-- Registers the XSS filter. GenericFilterBean maps each init-param onto a
     bean property of the filter class, so "encoding" reaches XssFilter.setEncoding(). -->
<filter>
    <filter-name>XssFilter</filter-name>
    <filter-class>com.meadin.funding.filter.XssFilter</filter-class>
    <async-supported>true</async-supported>
    <!-- 字符编码过滤 / character-encoding setting: applied to request and response
         by the filter; a blank value leaves the container default in place. -->
    <init-param>
        <param-name>encoding</param-name>
        <param-value>UTF-8</param-value>
    </init-param>
</filter>
<!-- Catch-all mapping. With no <dispatcher> element the servlet default applies,
     i.e. REQUEST dispatches only — FORWARD/INCLUDE/ERROR dispatches bypass it. -->
<filter-mapping>
    <filter-name>XssFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>


package com.meadin.funding.filter;


import java.util.Collections;
import java.util.LinkedHashMap;
import java.util.Map;

import javax.servlet.http.HttpServletRequest;

import org.jsoup.Jsoup;
import org.jsoup.safety.Whitelist;
import org.springframework.web.multipart.MultipartException;
import org.springframework.web.multipart.MultipartHttpServletRequest;
import org.springframework.web.multipart.commons.CommonsMultipartResolver;
import org.springframework.web.multipart.support.DefaultMultipartHttpServletRequest;
import org.springframework.web.util.HtmlUtils;


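/**
 * Multipart resolver with XSS sanitising (具有xss功能的multipart解析器).
 *
 * <p>Every parameter value and header value read from the resolved multipart
 * request is passed through jsoup before it reaches the application. Uploaded
 * file contents are not touched; only form fields and headers are.
 *
 * <p>Two properties of the sanitiser matter to callers:
 * <ul>
 *   <li>{@link Whitelist#relaxed()} still admits a broad set of HTML tags
 *       (links, images, text formatting), so this is a rich-text sanitiser, not
 *       a plain-text escaper. Fields that should never contain markup would be
 *       better served by a stricter whitelist such as {@code Whitelist.none()}.
 *       Output encoding at render time remains the primary XSS defence.</li>
 *   <li>jsoup returns HTML-encoded output, so a value such as {@code a&b} is
 *       expected to come back as {@code a&amp;b}. Code that consumes header
 *       values (for example {@code Referer}) should expect that.</li>
 * </ul>
 *
 * <p>Coverage note: {@code getHeaders(name)}, {@code getHeaderNames()},
 * {@code getQueryString()} and cookie values are not sanitised by this class.
 *
 * @author zhou
 */
public class XssCommonsMultipartResolver extends CommonsMultipartResolver {

    public XssCommonsMultipartResolver() {
    }

    /**
     * Parses the multipart body and wraps the result so that parameter and
     * header reads are sanitised.
     *
     * @param request the incoming request, already detected as multipart
     * @return the resolved request with sanitising accessors
     * @throws MultipartException if parsing fails (e.g. size limit exceeded)
     */
    @Override
    public MultipartHttpServletRequest resolveMultipart(HttpServletRequest request)
            throws MultipartException {
        MultipartParsingResult parsingResult = parseRequest(request);
        return new DefaultMultipartHttpServletRequest(request,
                parsingResult.getMultipartFiles(),
                parsingResult.getMultipartParameters(),
                parsingResult.getMultipartParameterContentTypes()) {

            @Override
            public String getParameter(String name) {
                return cleanXSS(super.getParameter(name));
            }

            @Override
            public String[] getParameterValues(String name) {
                return cleanAll(super.getParameterValues(name));
            }

            /**
             * The original left the map view unsanitised: anything reading
             * parameters through {@code getParameterMap()} instead of
             * {@code getParameter}/{@code getParameterValues} received raw
             * values. Sanitise it so all three accessors agree.
             */
            @Override
            public Map<String, String[]> getParameterMap() {
                Map<String, String[]> raw = super.getParameterMap();
                if (raw == null) {
                    return null;
                }
                Map<String, String[]> cleaned = new LinkedHashMap<String, String[]>(raw.size());
                for (Map.Entry<String, String[]> entry : raw.entrySet()) {
                    cleaned.put(entry.getKey(), cleanAll(entry.getValue()));
                }
                return Collections.unmodifiableMap(cleaned);
            }

            /**
             * Headers are sanitised as well. When the request underneath is an
             * XssHttpServletRequestWrapper the value is cleaned twice; jsoup's
             * output appears stable under re-cleaning, so this is expected to
             * be harmless (TODO confirm for the jsoup version in use).
             */
            @Override
            public String getHeader(String name) {
                return cleanXSS(super.getHeader(name));
            }
        };
    }

    /**
     * Sanitises each element of {@code values}.
     *
     * @param values raw values, may be null
     * @return a new array of cleaned values, or null when {@code values} is null
     */
    private String[] cleanAll(String[] values) {
        if (values == null) {
            return null;
        }
        String[] result = new String[values.length];
        for (int i = 0; i < values.length; i++) {
            result[i] = cleanXSS(values[i]);
        }
        return result;
    }

    /**
     * Null-safe jsoup clean with the relaxed whitelist.
     *
     * @param value raw value, may be null
     * @return the sanitised (HTML-encoded) value, or null when {@code value} is null
     */
    private String cleanXSS(String value) {
        if (value == null) {
            return null;
        }
        return Jsoup.clean(value, Whitelist.relaxed());
    }
}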


package com.meadin.funding.filter;


import java.io.IOException;


import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;


import org.springframework.web.filter.OncePerRequestFilter;
import org.springframework.web.multipart.MultipartHttpServletRequest;
import org.springframework.web.multipart.MultipartResolver;
import org.springframework.web.util.WebUtils;


import com.meadin.funding.util.StringUtils;


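/**
 * XSS filter that also handles multipart requests (Xss过滤器,可处理multipart请求).
 *
 * <p>Wraps the incoming request in {@link XssHttpServletRequestWrapper} so that
 * parameter and header reads are sanitised, and for multipart bodies resolves
 * the request through {@link XssCommonsMultipartResolver} so that multipart
 * form fields are sanitised too. Temporary upload files are released after the
 * filter chain returns.
 *
 * <p>Configured through {@code web.xml} init-params (GenericFilterBean binds
 * them to the setters below): {@code encoding} — request/response character
 * encoding, also used as the multipart default encoding — and
 * {@code maxUploadSize} — multipart size limit in bytes, default 4096000.
 *
 * @author zhou
 */
public class XssFilter extends OncePerRequestFilter {

    /** Limit hard-coded by the original implementation, kept as the default. */
    private static final long DEFAULT_MAX_UPLOAD_SIZE = 4096000L;
    private static final String DEFAULT_ENCODING = "UTF-8";

    private MultipartResolver multipartResolver;
    private String encoding;
    private long maxUploadSize = DEFAULT_MAX_UPLOAD_SIZE;

    public XssFilter() {
    }

    /**
     * Builds the multipart resolver. GenericFilterBean applies the init-params
     * before calling this, so {@code encoding} and {@code maxUploadSize} are
     * already set here.
     */
    @Override
    protected void initFilterBean() throws ServletException {
        XssCommonsMultipartResolver resolver = new XssCommonsMultipartResolver();
        // Decode multipart fields with the same encoding the rest of the
        // request uses; the original always used UTF-8 regardless of the
        // configured value.
        resolver.setDefaultEncoding(StringUtils.isBlank(encoding) ? DEFAULT_ENCODING : encoding);
        resolver.setMaxUploadSize(maxUploadSize);
        resolver.setServletContext(getServletContext());
        multipartResolver = resolver;
    }

    /** Request/response character encoding (init-param {@code encoding}); blank means leave as-is. */
    public void setEncoding(String encoding) {
        this.encoding = encoding;
    }

    /** Maximum accepted multipart body size in bytes (init-param {@code maxUploadSize}). */
    public void setMaxUploadSize(long maxUploadSize) {
        this.maxUploadSize = maxUploadSize;
    }

    /**
     * Applies the encoding, wraps the request, resolves multipart content if
     * present, runs the chain and finally releases any temporary upload files.
     *
     * @throws ServletException propagated from the chain or the multipart resolver
     * @throws IOException propagated from the chain
     */
    @Override
    protected void doFilterInternal(HttpServletRequest request,
            HttpServletResponse response, FilterChain filterChain)
            throws ServletException, IOException {
        if (!StringUtils.isBlank(encoding)) {
            request.setCharacterEncoding(encoding);
            response.setCharacterEncoding(encoding);
        }

        HttpServletRequest req = new XssHttpServletRequestWrapper(request);
        MultipartHttpServletRequest multipartRequest = null;
        // Skip parsing when an upstream component already resolved the
        // multipart body: parsing it a second time would re-read a consumed
        // stream. The wrapper above still sanitises reads in that case.
        if (multipartResolver.isMultipart(req)
                && WebUtils.getNativeRequest(req, MultipartHttpServletRequest.class) == null) {
            multipartRequest = multipartResolver.resolveMultipart(req);
            req = multipartRequest;
        }

        try {
            filterChain.doFilter(req, response);
        } finally {
            // Clean up on the resolved request itself. The original looked the
            // multipart request up through the *original* request, but
            // getNativeRequest only unwraps inward and the multipart wrapper
            // sits outside it, so that lookup is expected to yield null and
            // hand null to cleanupMultipart() — inside finally, where a
            // failure would also mask the chain's own exception.
            if (multipartRequest != null) {
                multipartResolver.cleanupMultipart(multipartRequest);
            }
        }
    }
}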



package com.meadin.funding.filter;


import java.util.Collections;
import java.util.LinkedHashMap;
import java.util.Map;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;

import org.jsoup.Jsoup;
import org.jsoup.safety.Whitelist;
import org.springframework.web.util.HtmlUtils;


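/**
 * Request wrapper that sanitises parameters and headers (xss过滤包装器).
 *
 * <p>{@code getParameter}, {@code getParameterValues}, {@code getParameterMap}
 * and {@code getHeader} return jsoup-cleaned values; everything else is
 * delegated unchanged. {@link Whitelist#relaxed()} still permits links, images
 * and text formatting, so markup can legitimately survive — this is a rich-text
 * sanitiser, and output encoding at render time remains the primary defence.
 * jsoup also HTML-encodes its output, so {@code a&b} is expected to come back
 * as {@code a&amp;b}; consumers of header values such as {@code Referer}
 * should expect that.
 *
 * <p>Coverage note: {@code getHeaders(name)}, {@code getHeaderNames()},
 * {@code getQueryString()}, cookies and the request body are not sanitised.
 *
 * @author zhou
 */
class XssHttpServletRequestWrapper extends HttpServletRequestWrapper {

    public XssHttpServletRequestWrapper(HttpServletRequest request) {
        super(request);
    }

    @Override
    public String getHeader(String name) {
        return cleanXSS(super.getHeader(name));
    }

    @Override
    public String getParameter(String name) {
        return cleanXSS(super.getParameter(name));
    }

    @Override
    public String[] getParameterValues(String name) {
        return cleanAll(super.getParameterValues(name));
    }

    /**
     * The original left the map view unsanitised, so code reading parameters
     * through {@code getParameterMap()} received raw values while
     * {@code getParameter} returned cleaned ones. Sanitise it so all three
     * accessors agree.
     */
    @Override
    public Map<String, String[]> getParameterMap() {
        Map<String, String[]> raw = super.getParameterMap();
        if (raw == null) {
            return null;
        }
        Map<String, String[]> cleaned = new LinkedHashMap<String, String[]>(raw.size());
        for (Map.Entry<String, String[]> entry : raw.entrySet()) {
            cleaned.put(entry.getKey(), cleanAll(entry.getValue()));
        }
        return Collections.unmodifiableMap(cleaned);
    }

    /**
     * Sanitises each element of {@code values}.
     *
     * @param values raw values, may be null
     * @return a new array of cleaned values, or null when {@code values} is null
     */
    private String[] cleanAll(String[] values) {
        if (values == null) {
            return null;
        }
        String[] result = new String[values.length];
        for (int i = 0; i < values.length; i++) {
            result[i] = cleanXSS(values[i]);
        }
        return result;
    }

    /**
     * Null-safe jsoup clean with the relaxed whitelist.
     *
     * @param value raw value, may be null
     * @return the sanitised (HTML-encoded) value, or null when {@code value} is null
     */
    private String cleanXSS(String value) {
        if (value == null) {
            return null;
        }
        return Jsoup.clean(value, Whitelist.relaxed());
    }
}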


参考https://github.com/dongfangshangren/Zblog


更新:文件上传有BUG--2016-07-27 18:29:43
