Home >Java >javaTutorial >What are the ways to prevent XSS attacks in Springboot2.0
When doing project code development, it is easy to ignore the protection of XSS attacks. There are many custom global interceptors on the Internet to implement XSS filtering. In fact, it does not need to be so troublesome. SpringBoot has many Hook (extension point), based on which we can cleverly implement global XSS filtering
Escape
Use the tool class HtmlUtils to implement
Filtering
Remove sensitive tags
jsoup implements a very powerful function of cleaning sensitive tags
Custom converter, integrated with PropertyEditorSupport class implementation, the converter can also implement data format conversion, such as: date conversion;
@Component public class DateEditor extends PropertyEditorSupport { Pattern pattern = Pattern.compile("[^0-9]"); @Override public void setAsText(String text) throws IllegalArgumentException { if (StrUtil.isBlank(text)) { return; } text = text.trim(); Matcher matcher = pattern.matcher(text); text = matcher.replaceAll(""); int length = text.length(); Date date; switch (length) { case 14: date = DateTime.parse(text, DateTimeFormat.forPattern("yyyyMMddHHmmss")).toDate(); break; case 12: date = DateTime.parse(text, DateTimeFormat.forPattern("yyyyMMddHHmm")).toDate(); break; case 10: date = DateTime.parse(text, DateTimeFormat.forPattern("yyyyMMddHH")).toDate(); break; case 8: date = DateTime.parse(text, DateTimeFormat.forPattern("yyyyMMdd")).toDate(); break; case 6: date = DateTime.parse(text, DateTimeFormat.forPattern("yyyyMM")).toDate(); break; case 4: date = DateTime.parse(text, DateTimeFormat.forPattern("yyyy")).toDate(); break; default: return; } setValue(date); } }
@Component public class StringEscapeEditor extends PropertyEditorSupport { public StringEscapeEditor() { super(); } @Override public String getAsText() { Object value = getValue(); return value != null ? value.toString() : ""; } @Override public void setAsText(String text) { if (text == null) { setValue(null); } else { String value = text; value = value.trim(); setValue(value); } } }
@Slf4j @Component public class CommentWebBindingInitializer extends ConfigurableWebBindingInitializer { private final StringEscapeEditor stringEscapeEditor; private final DateEditor dateEditor; @Autowired public CommentWebBindingInitializer(StringEscapeEditor stringEscapeEditor, DateEditor dateEditor) { this.stringEscapeEditor = stringEscapeEditor; this.dateEditor = dateEditor; } @Override public void initBinder(WebDataBinder binder) { log.info("init bind editor"); super.initBinder(binder); // 注册自定义的类型转换器 binder.registerCustomEditor(Date.class, dateEditor); binder.registerCustomEditor(String.class, stringEscapeEditor); } }
Controllers that require XSS protection need to inherit the BaseController
public class BaseController { @Autowired private StringEscapeEditor stringEscapeEditor; @InitBinder public void initBinder(ServletRequestDataBinder binder) { binder.registerCustomEditor(String.class, stringEscapeEditor); } }
@Component public class StringEscapeEditor implements Converter<String, String> { @Override public String convert(String s) { return StringUtils.isEmpty(s) ? s : HtmlUtils.htmlEscape(s); } }
@Configuration public class WebMvcConfig implements WebMvcConfigurer { @Autowired private LoginInterceptor loginInterceptor; @Autowired private StringEscapeEditor stringEscapeEditor; /** * 在参数绑定时,自定义String->String的转换器, * 在转换逻辑中对参数值进行转义,从而达到防XSS的效果 * * @param registry */ @Override public void addFormatters(FormatterRegistry registry) { registry.addConverter(StringEscapeEditor); } @Override public void addInterceptors(InterceptorRegistry registry) { registry.addInterceptor(loginInterceptor) .addPathPatterns("/**") // 路径不包括contextPath部分 .excludePathPatterns("/user/login", "/user/logout", "/index/test1"); } /** * 前后端分离需要解决跨域问题 * * @param registry */ @Override public void addCorsMappings(CorsRegistry registry) { registry.addMapping("/**") .allowedOrigins("*") .allowedMethods("GET", "POST", "PUT", "OPTIONS", "DELETE", "PATCH") .allowCredentials(true).maxAge(3600); } }
The above is the detailed content of What are the ways to prevent XSS attacks in Springboot2.0. For more information, please follow other related articles on the PHP Chinese website!