springboot清除字符串前後空格與防xss攻擊方法
springboot清除字符串前後空格與防xss攻擊
一、查看WebMvcAutoConfiguration.class中的方法源碼
protected ConfigurableWebBindingInitializer getConfigurableWebBindingInitializer() {
try {
//從容器中獲取
return (ConfigurableWebBindingInitializer)this.beanFactory.getBean(ConfigurableWebBindingInitializer.class);
} catch (NoSuchBeanDefinitionException ex) {
return super.getConfigurableWebBindingInitializer();
}
可以發現ConfigurableWebBindingInitializer是從容器(beanFactory)中獲取到的,所以我們可以配置一個
ConfigurableWebBindingInitializer來替換默認的,隻需要在容器中添加一個我們自定義的轉換器即可。
當我們創建瞭自己的ConfigurableWebBindingInitializer這個Bean,Spring boot就會自動使用它來配置Spring MVC實現參數的類型轉換。
二、自定義屬性編輯器
/**
*
* @description 與spring mvc的@InitBinder結合 用於防止XSS攻擊
*/
class StringEscapeEditor extends PropertyEditorSupport {
/** 轉義HTML */
private boolean escapeHTML;
/** 轉義javascript */
private boolean escapeJavaScript;
/** 是否將空字符串轉換為null */
private final boolean emptyAsNull;
/** 是否去掉前後空格 */
private final boolean trimmed;
public StringEscapeEditor() {
this(true,true,false,true);
}
public StringEscapeEditor(boolean escapeHTML, boolean escapeJavaScript) {
this(true,true,escapeHTML,escapeJavaScript);
}
public StringEscapeEditor(boolean emptyAsNull,boolean trimmed, boolean escapeHTML, boolean escapeJavaScript) {
super();
this.emptyAsNull = emptyAsNull;
this.trimmed = trimmed;
this.escapeHTML = escapeHTML;
this.escapeJavaScript = escapeJavaScript;
}
@Override
public String getAsText() {
Object value = getValue();
if(Objects.nonNull(value))
{
return value.toString();
}
return value != null ? value.toString() : null;
}
@Override
public void setAsText(String text) throws IllegalArgumentException {
String value = text;
if (value == null || emptyAsNull && text.isEmpty()) {
//do nothing
} else if (trimmed) {
//去字符傳參數前後空格
value = value.trim();
}
if (escapeHTML) {
//HTML轉義(防止XSS攻擊)
//HtmlUtils.htmlEscape 默認的是ISO-8859-1編碼格式,會將中文的某些符號進行轉義。
//如果不想讓中文符號進行轉義請使用UTF-8的編碼格式。例如:HtmlUtils.htmlEscape(text, "UTF-8")
value = HtmlUtils.htmlEscape(value, "UTF-8");
}
if (escapeJavaScript) {
//javascript轉義(防止XSS攻擊)
value = JavaScriptUtils.javaScriptEscape(value);
}
setValue(value);
}
}
三、創建WebBindingInitializerConfiguration類
加上@Bean註解,交給spring容器管理。
@Configuration
public class WebBindingInitializerConfiguration {
@Bean
public ConfigurableWebBindingInitializer getConfigurableWebBindingInitializer() {
ConfigurableWebBindingInitializer initializer = new ConfigurableWebBindingInitializer();
FormattingConversionService conversionService = new DefaultFormattingConversionService();
//we can add our custom converters and formatters
//conversionService.addConverter(...);
//conversionService.addFormatter(...);
initializer.setConversionService(conversionService);
//we can set our custom validator
//initializer.setValidator(....);
//here we are setting a custom PropertyEditor
initializer.setPropertyEditorRegistrar(propertyEditorRegistry -> {
propertyEditorRegistry.registerCustomEditor(String.class,
new StringEscapeEditor());
});
return initializer;
}
}
springboot去除參數中前後空格說明
一、 需求
使用SpringBoot使用過濾器去除@RequestBody參數兩端的空格;一般我們去普通的請求我們都會對請求參數進行驗證。
Java也提供瞭@notNull和@notBlank這種驗證方式,但是對@RequestBody 這種隻能驗證是不是非空,對數據兩端的空格未進行處理,同時大傢也不想遍歷一遍參數然後再處理再封裝到對象中,正好項目中有這個需要,所以就參考別的做瞭Post請求中針對application/json格式的有@RequestBody註解的參數進行瞭去空格處理
二、 解決方法
2.1 新建一個過濾器
@Component
@WebFilter(urlPatterns = "/**", filterName = "ParamsFilter", dispatcherTypes = DispatcherType.REQUEST)
public class ParamsFilter implements Filter {
@Override
public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
throws IOException, ServletException {
ParameterRequestWrapper parmsRequest = new ParameterRequestWrapper((HttpServletRequest) request);
chain.doFilter(parmsRequest, response);
}
@Override
public void init(FilterConfig filterConfig) throws ServletException {
}
@Override
public void destroy() {
}
}
2.2 實現ParameterRequestWrapper
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Set;
import javax.servlet.ReadListener;
import javax.servlet.ServletInputStream;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import com.alibaba.fastjson.JSONArray;
import com.alibaba.fastjson.JSONObject;
import org.apache.commons.io.IOUtils;
import org.apache.commons.lang3.StringUtils;
import org.springframework.http.HttpHeaders;
import org.springframework.http.MediaType;
import com.alibaba.fastjson.JSON;
/**
* @author :
* @description
* @date : 2021/4/22
*/
public class ParameterRequestWrapper extends HttpServletRequestWrapper {
private Map<String , String[]> params = new HashMap<>();
public ParameterRequestWrapper(HttpServletRequest request) {
super(request);
Map<String, String[]> requestMap=request.getParameterMap();
this.params.putAll(requestMap);
this.modifyParameterValues();
}
@Override
public ServletInputStream getInputStream() throws IOException {
if(!super.getHeader(HttpHeaders.CONTENT_TYPE).equalsIgnoreCase(MediaType.APPLICATION_JSON_VALUE)){
return super.getInputStream();
}
String json = IOUtils.toString(super.getInputStream(), "utf-8");
if (StringUtils.isEmpty(json)) {
return super.getInputStream();
}
Map<String,Object> map= jsonStringToMap(json);
ByteArrayInputStream bis = new ByteArrayInputStream(JSON.toJSONString(map).getBytes("utf-8"));
return new MyServletInputStream(bis);
}
public void modifyParameterValues(){
Set<String> set = params.keySet();
Iterator<String> it = set.iterator();
while(it.hasNext()){
String key= it.next();
String[] values = params.get(key);
values[0] = values[0].trim();
params.put(key, values);
}
}
@Override
public String getParameter(String name) {
String[]values = params.get(name);
if(values == null || values.length == 0) {
return null;
}
return values[0];
}
@Override
public String[] getParameterValues(String name) {
return params.get(name);
}
class MyServletInputStream extends ServletInputStream {
private ByteArrayInputStream bis;
public MyServletInputStream(ByteArrayInputStream bis){
this.bis=bis;
}
@Override
public boolean isFinished() {
return true;
}
@Override
public boolean isReady() {
return true;
}
@Override
public void setReadListener(ReadListener listener) {
}
@Override
public int read(){
return bis.read();
}
}
public static Map<String, Object> jsonStringToMap(String jsonString) {
Map<String, Object> map = new HashMap<>();
JSONObject jsonObject = JSONObject.parseObject(jsonString);
for (Object k : jsonObject.keySet()) {
Object o = jsonObject.get(k);
if (o instanceof JSONArray) {
List<Map<String, Object>> list = new ArrayList<>();
Iterator<Object> it = ((JSONArray) o).iterator();
while (it.hasNext()) {
Object obj = it.next();
list.add(jsonStringToMap(obj.toString()));
}
map.put(k.toString(), list);
} else if (o instanceof JSONObject) {
map.put(k.toString(), jsonStringToMap(o.toString()));
} else {
if (o instanceof String) {
map.put(k.toString(), o.toString().trim());
} else {
map.put(k.toString(), o);
}
}
}
return map;
}
}
三、 完美解決
參數前後空格完美去除!
以上為個人經驗,希望能給大傢一個參考,也希望大傢多多支持WalkonNet。
推薦閱讀:
- 如何修改JSON字符串中的敏感信息
- java鏈式創建json對象的實現
- python接口測試對修改密碼接口進行壓測
- JSONObject按put順序排放與輸出方式
- springboot框架的全局異常處理方案詳解