淺談Springboot2.0防止XSS攻擊的幾種方式
在平時做項目代碼開發的時候,很容易忽視XSS攻擊的防護,網上有很多自定義全局攔截器來實現XSS過濾,其實不需要這麼麻煩,SpringBoot留有不少鉤子(擴展點),據此我們可以巧妙地實現全局的XSS過濾
防止XSS攻擊,一般有兩種做法:
轉義
使用工具類HtmlUtils實現
過濾
將敏感標簽去除
jsoup實現瞭非常強大的clean敏感標簽的功能
轉義 做法的三種實現:
轉義方法一:註冊自定義轉換器
自定義轉換器,集成PropertyEditorSupport類實現,轉換器還可以實現數據格式轉換,例如:date的轉換;
@Component
public class DateEditor extends PropertyEditorSupport {
Pattern pattern = Pattern.compile("[^0-9]");
@Override
public void setAsText(String text) throws IllegalArgumentException {
if (StrUtil.isBlank(text)) {
return;
}
text = text.trim();
Matcher matcher = pattern.matcher(text);
text = matcher.replaceAll("");
int length = text.length();
Date date;
switch (length) {
case 14:
date = DateTime.parse(text, DateTimeFormat.forPattern("yyyyMMddHHmmss")).toDate();
break;
case 12:
date = DateTime.parse(text, DateTimeFormat.forPattern("yyyyMMddHHmm")).toDate();
break;
case 10:
date = DateTime.parse(text, DateTimeFormat.forPattern("yyyyMMddHH")).toDate();
break;
case 8:
date = DateTime.parse(text, DateTimeFormat.forPattern("yyyyMMdd")).toDate();
break;
case 6:
date = DateTime.parse(text, DateTimeFormat.forPattern("yyyyMM")).toDate();
break;
case 4:
date = DateTime.parse(text, DateTimeFormat.forPattern("yyyy")).toDate();
break;
default:
return;
}
setValue(date);
}
}
@Component
public class StringEscapeEditor extends PropertyEditorSupport {
public StringEscapeEditor() {
super();
}
@Override
public String getAsText() {
Object value = getValue();
return value != null ? value.toString() : "";
}
@Override
public void setAsText(String text) {
if (text == null) {
setValue(null);
} else {
String value = text;
value = value.trim();
setValue(value);
}
}
}
@Slf4j
@Component
public class CommentWebBindingInitializer extends ConfigurableWebBindingInitializer {
private final StringEscapeEditor stringEscapeEditor;
private final DateEditor dateEditor;
@Autowired
public CommentWebBindingInitializer(StringEscapeEditor stringEscapeEditor, DateEditor dateEditor) {
this.stringEscapeEditor = stringEscapeEditor;
this.dateEditor = dateEditor;
}
@Override
public void initBinder(WebDataBinder binder) {
log.info("init bind editor");
super.initBinder(binder);
// 註冊自定義的類型轉換器
binder.registerCustomEditor(Date.class, dateEditor);
binder.registerCustomEditor(String.class, stringEscapeEditor);
}
}
轉義方法二:BaseController
需要XSS防護的Controller的需要繼承該BaseController
public class BaseController {
@Autowired
private StringEscapeEditor stringEscapeEditor;
@InitBinder
public void initBinder(ServletRequestDataBinder binder) {
binder.registerCustomEditor(String.class, stringEscapeEditor);
}
}
轉義方法三:Converter
@Component
public class StringEscapeEditor implements Converter<String, String> {
@Override
public String convert(String s) {
return StringUtils.isEmpty(s) ? s : HtmlUtils.htmlEscape(s);
}
}
@Configuration
public class WebMvcConfig implements WebMvcConfigurer {
@Autowired
private LoginInterceptor loginInterceptor;
@Autowired
private StringEscapeEditor stringEscapeEditor;
/**
* 在參數綁定時,自定義String->String的轉換器,
* 在轉換邏輯中對參數值進行轉義,從而達到防XSS的效果
*
* @param registry
*/
@Override
public void addFormatters(FormatterRegistry registry) {
registry.addConverter(StringEscapeEditor);
}
@Override
public void addInterceptors(InterceptorRegistry registry) {
registry.addInterceptor(loginInterceptor)
.addPathPatterns("/**")
// 路徑不包括contextPath部分
.excludePathPatterns("/user/login", "/user/logout", "/index/test1");
}
/**
* 前後端分離需要解決跨域問題
*
* @param registry
*/
@Override
public void addCorsMappings(CorsRegistry registry) {
registry.addMapping("/**")
.allowedOrigins("*")
.allowedMethods("GET", "POST", "PUT", "OPTIONS", "DELETE", "PATCH")
.allowCredentials(true).maxAge(3600);
}
}
到此這篇關於淺談Springboot2.0防止XSS攻擊的幾種方式的文章就介紹到這瞭,更多相關Springboot防止XSS攻擊內容請搜索WalkonNet以前的文章或繼續瀏覽下面的相關文章希望大傢以後多多支持WalkonNet!
推薦閱讀:
- Java時間處理第三方包Joda Time使用詳解
- java中的DateTime的具體使用
- Spring Boot深入分析講解日期時間處理
- springboot前端傳參date類型後臺處理的方式
- Java日期轉換註解配置date format時間失效