XSS防御

程序员朱永胜
285 阅读1分钟

自定义json反序列化器

package cc.fedtech.filter;

import com.fasterxml.jackson.core.JsonParser;
import com.fasterxml.jackson.core.JsonProcessingException;
import com.fasterxml.jackson.databind.DeserializationContext;
import com.fasterxml.jackson.databind.JsonDeserializer;
import org.springframework.web.util.HtmlUtils;

import java.io.IOException;

public class XssJsonDeserializer extends JsonDeserializer<String> {
        @Override
        public String deserialize(JsonParser jsonParser, DeserializationContext ctxt)
                throws IOException, JsonProcessingException {
            String value = jsonParser.getValueAsString();
            if (value != null) {
                //对于值进行HTML转义
                return HtmlUtils.htmlEscape(value);
            }
            return value;
        }

        @Override
        public Class<String> handledType() {
            return String.class;
        }
    }

自定义json序列化器

package cc.fedtech.filter;

import com.fasterxml.jackson.core.JsonGenerator;
import com.fasterxml.jackson.databind.JsonSerializer;
import com.fasterxml.jackson.databind.SerializerProvider;
import org.springframework.web.util.HtmlUtils;

import java.io.IOException;

public class XssJsonSerializer extends JsonSerializer<String> {
    @Override
    public Class<String> handledType() { return String.class; }

    @Override
    public void serialize(String value, JsonGenerator jsonGenerator, SerializerProvider serializerProvider)
            throws IOException {
        if (value != null) {
            //对字符串进行HTML转义
            jsonGenerator.writeString(HtmlUtils.htmlEscape(value));
        }
    }
}

自定义拦截器

package com.fedtech.common.filter.xss;

import org.apache.commons.lang3.StringUtils;
import org.springframework.core.Ordered;
import org.springframework.core.annotation.Order;
import org.springframework.stereotype.Component;

import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import java.io.IOException;

/**
 * 自定义过滤器
 *
 * @author <a href = "mailto:njpkhuan@gmail.com" > huan </a >
 * @date 2021/2/8
 * @since 1.0.0
 */
@Component
@Order(Ordered.HIGHEST_PRECEDENCE)
public class XssFilter implements Filter {
    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        String path = ((HttpServletRequest) request).getServletPath();
        if (path.equals("/")) {
            chain.doFilter(request, response);
        }
        if (StringUtils.containsAny(path, "/assets", "/templates", "/mapper","/oauth")) {
            chain.doFilter(request, response);
        }

        chain.doFilter(new XssRequestWrapper((HttpServletRequest) request), response);
    }

    @Override
    public void init(FilterConfig filterConfig) throws ServletException {

    }

    @Override
    public void destroy() {

    }
}

请求参数处理

package cc.fedtech.filter;

import org.apache.commons.lang3.StringUtils;
import org.springframework.web.util.HtmlUtils;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import java.util.Arrays;

public class XssRequestWrapper extends HttpServletRequestWrapper {

    public XssRequestWrapper(HttpServletRequest request) {
        super(request);
    }

    @Override
    public String[] getParameterValues(String parameter) {
        //获取多个参数值的时候对所有参数值应用clean方法逐一清洁
        return Arrays.stream(super.getParameterValues(parameter)).map(this::clean).toArray(String[]::new);
    }

    @Override
    public String getHeader(String name) {
        //同样清洁请求头
        return clean(super.getHeader(name));
    }

    @Override
    public String getParameter(String parameter) {
        //获取参数单一值也要处理
        return clean(super.getParameter(parameter));
    }
    //clean方法就是对值进行HTML转义
    private String clean(String value) {
      return StringUtils.isEmpty(value)? "" : HtmlUtils.htmlEscape(value);
    }
}

注册反序列化器

    //注册自定义的Jackson反序列器
    @Bean
    public Module xssModule() {
        SimpleModule module = new SimpleModule();
        module.addDeserializer(String.class, new XssJsonDeserializer());
        module.addSerializer(String.class, new XssJsonSerializer());
        return module;
    }
avatar
文章
阅读
粉丝
相关推荐
WIFI渗透与防御
994阅读
 · 
5点赞
防御式 CSS 精讲
2.5k阅读
 · 
6点赞
JS Promise 101:Promise基础
43k阅读
 · 
274点赞
手把手教你防御 XSS 攻击
342阅读
 · 
2点赞
接得住三连问?XSS不再懵
2.6k阅读
 · 
49点赞
浏览器安全:什么是XSS攻击?
4.4k阅读
 · 
59点赞
React CSS-In-JS 方案 : Linaria Vs Styled-Components
212k阅读
 · 
131点赞
详解 XSS(跨站脚本攻击)
2.4k阅读
 · 
30点赞
如何写出好代码 - 防御式编程指南
8.0k阅读
 · 
24点赞
安全 | 开源入侵防御系统 Snort
1.5k阅读
 · 
7点赞

友情链接: