浅谈Springboot2.0防止XSS攻击的几种方式
目录
- 防止XSS攻击,一般有两种做法:
- 转义 做法的三种实现:
- 转义方法一:注册自定义转换器
- 转义方法二:BaseController
- 转义方法三:Converter
在平时做项目代码开发的时候,很容易忽视XSS攻击的防护,网上有很多自定义全局拦截器来实现XSS过滤,其实不需要这么麻烦,SpringBoot留有不少钩子(扩展点),据此我们可以巧妙地实现全局的XSS过滤
防止XSS攻击,一般有两种做法:
转义
使用工具类HtmlUtils实现
过滤
将敏感标签去除
jsoup实现了非常强大的clean敏感标签的功能
转义 做法的三种实现:
转义方法一:注册自定义转换器
自定义转换器,集成PropertyEditorSupport类实现,转换器还可以实现数据格式转换,例如:date的转换;
@Component public class DateEditor extends PropertyEditorSupport { Pattern pattern = Pattern.compile("[^0-9]"); @Override public void setAsText(String text) throws IllegalArgumentException { if (StrUtil.isBlank(text)) { return; } text = text.trim(); Matcher matcher = pattern.matcher(text); text = matcher.replaceAll(""); int length = text.length(); Date date; switch (length) { case 14: date = DateTime.parse(text, DateTimeFormat.forPattern("yyyyMMddHHmmss")).toDate(); break; case 12: date = DateTime.parse(text, DateTimeFormat.forPattern("yyyyMMddHHmm")).toDate(); break; case 10: date = DateTime.parse(text, DateTimeFormat.forPattern("yyyyMMddHH")).toDate(); break; case 8: date = DateTime.parse(text, DateTimeFormat.forPattern("yyyyMMdd")).toDate(); break; case 6: date = DateTime.parse(text, DateTimeFormat.forPattern("yyyyMM")).toDate(); break; case 4: date = DateTime.parse(text, DateTimeFormat.forPattern("yyyy")).toDate(); break; default: return; } setValue(date); } }
@Component public class StringEscapeEditor extends PropertyEditorSupport { public StringEscapeEditor() { super(); } @Override public String getAsText() { Object value = getValue(); return value != null ? value.toString() : ""; } @Override public void setAsText(String text) { if (text == null) { setValue(null); } else { String value = text; value = value.trim(); setValue(value); } } }
@Slf4j @Component public class CommentWebBindingInitializer extends ConfigurableWebBindingInitializer { private final StringEscapeEditor stringEscapeEditor; private final DateEditor dateEditor; @Autowired public CommentWebBindingInitializer(StringEscapeEditor stringEscapeEditor, DateEditor dateEditor) { this.stringEscapeEditor = stringEscapeEditor; this.dateEditor = dateEditor; } @Override public void initBinder(WebDataBinder binder) { log.info("init bind editor"); super.initBinder(binder); // 注册自定义的类型转换器 binder.registerCustomEditor(Date.class, dateEditor); binder.registerCustomEditor(String.class, stringEscapeEditor); } }
转义方法二:BaseController
需要XSS防护的Controller的需要继承该BaseController
public class BaseController { @Autowired private StringEscapeEditor stringEscapeEditor; @InitBinder public void initBinder(ServletRequestDataBinder binder) { binder.registerCustomEditor(String.class, stringEscapeEditor); } }
转义方法三:Converter
@Component public class StringEscapeEditor implements Converter<String, String> { @Override public String convert(String s) { return StringUtils.isEmpty(s) ? s : HtmlUtils.htmlEscape(s); } }
@Configuration public class WebMvcConfig implements WebMvcConfigurer { @Autowired private LoginInterceptor loginInterceptor; @Autowired private StringEscapeEditor stringEscapeEditor; /** * 在参数绑定时,自定义String->String的转换器, * 在转换逻辑中对参数值进行转义,从而达到防XSS的效果 * * @param registry */ @Override public void addFormatters(FormatterRegistry registry) { registry.addConverter(StringEscapeEditor); } @Override public void addInterceptors(InterceptorRegistry registry) { registry.addInterceptor(loginInterceptor) .addPathPatterns("/**") // 路径不包括contextPath部分 .excludePathPatterns("/user/login", "/user/logout", "/index/test1"); } /** * 前后端分离需要解决跨域问题 * * @param registry */ @Override public void addCorsMappings(CorsRegistry registry) { registry.addMapping("/**") .allowedOrigins("*") .allowedMethods("GET", "POST", "PUT", "OPTIONS", "DELETE", "PATCH") .allowCredentials(true).maxAge(3600); } }
到此这篇关于浅谈Springboot2.0防止XSS攻击的几种方式的文章就介绍到这了,更多相关Springboot防止XSS攻击内容请搜索我们以前的文章或继续浏览下面的相关文章希望大家以后多多支持我们!
赞 (0)