Springboot2.0防止XSS攻擊的方式有哪些
- 王林轉載
- 2023-05-19 20:43:041446瀏覽
在平常做專案程式碼開發的時候,很容易忽略XSS攻擊的防護,網路上有很多自訂全域攔截器來實現XSS過濾,其實不需要這麼麻煩,SpringBoot留有不少鉤子(擴充點),據此我們可以巧妙地實現全域的XSS過濾
防止XSS攻擊,一般有兩種做法:
轉義
使用工具類別HtmlUtils實作
過濾
將敏感標籤移除
jsoup實作了非常強大的clean敏感標籤的功能
轉義做法的三種實作:
轉義方法一:註冊自訂轉換器
自訂轉換器,整合PropertyEditorSupport類別實現,轉換器還可以實作資料格式轉換,例如:date的轉換;
@Component
public class DateEditor extends PropertyEditorSupport {
Pattern pattern = Pattern.compile("[^0-9]");
@Override
public void setAsText(String text) throws IllegalArgumentException {
if (StrUtil.isBlank(text)) {
return;
}
text = text.trim();
Matcher matcher = pattern.matcher(text);
text = matcher.replaceAll("");
int length = text.length();
Date date;
switch (length) {
case 14:
date = DateTime.parse(text, DateTimeFormat.forPattern("yyyyMMddHHmmss")).toDate();
break;
case 12:
date = DateTime.parse(text, DateTimeFormat.forPattern("yyyyMMddHHmm")).toDate();
break;
case 10:
date = DateTime.parse(text, DateTimeFormat.forPattern("yyyyMMddHH")).toDate();
break;
case 8:
date = DateTime.parse(text, DateTimeFormat.forPattern("yyyyMMdd")).toDate();
break;
case 6:
date = DateTime.parse(text, DateTimeFormat.forPattern("yyyyMM")).toDate();
break;
case 4:
date = DateTime.parse(text, DateTimeFormat.forPattern("yyyy")).toDate();
break;
default:
return;
}
setValue(date);
}
}@Component
public class StringEscapeEditor extends PropertyEditorSupport {
public StringEscapeEditor() {
super();
}
@Override
public String getAsText() {
Object value = getValue();
return value != null ? value.toString() : "";
}
@Override
public void setAsText(String text) {
if (text == null) {
setValue(null);
} else {
String value = text;
value = value.trim();
setValue(value);
}
}
}@Slf4j
@Component
public class CommentWebBindingInitializer extends ConfigurableWebBindingInitializer {
private final StringEscapeEditor stringEscapeEditor;
private final DateEditor dateEditor;
@Autowired
public CommentWebBindingInitializer(StringEscapeEditor stringEscapeEditor, DateEditor dateEditor) {
this.stringEscapeEditor = stringEscapeEditor;
this.dateEditor = dateEditor;
}
@Override
public void initBinder(WebDataBinder binder) {
log.info("init bind editor");
super.initBinder(binder);
// 注册自定义的类型转换器
binder.registerCustomEditor(Date.class, dateEditor);
binder.registerCustomEditor(String.class, stringEscapeEditor);
}
}轉義方法二:BaseController
需要XSS防護的Controller的需要繼承該BaseController
public class BaseController {
@Autowired
private StringEscapeEditor stringEscapeEditor;
@InitBinder
public void initBinder(ServletRequestDataBinder binder) {
binder.registerCustomEditor(String.class, stringEscapeEditor);
}
}轉義方法三:Converter
@Component
public class StringEscapeEditor implements Converter<String, String> {
@Override
public String convert(String s) {
return StringUtils.isEmpty(s) ? s : HtmlUtils.htmlEscape(s);
}
}@Configuration
public class WebMvcConfig implements WebMvcConfigurer {
@Autowired
private LoginInterceptor loginInterceptor;
@Autowired
private StringEscapeEditor stringEscapeEditor;
/**
* 在参数绑定时,自定义String->String的转换器,
* 在转换逻辑中对参数值进行转义,从而达到防XSS的效果
*
* @param registry
*/
@Override
public void addFormatters(FormatterRegistry registry) {
registry.addConverter(StringEscapeEditor);
}
@Override
public void addInterceptors(InterceptorRegistry registry) {
registry.addInterceptor(loginInterceptor)
.addPathPatterns("/**")
// 路径不包括contextPath部分
.excludePathPatterns("/user/login", "/user/logout", "/index/test1");
}
/**
* 前后端分离需要解决跨域问题
*
* @param registry
*/
@Override
public void addCorsMappings(CorsRegistry registry) {
registry.addMapping("/**")
.allowedOrigins("*")
.allowedMethods("GET", "POST", "PUT", "OPTIONS", "DELETE", "PATCH")
.allowCredentials(true).maxAge(3600);
}
}以上是Springboot2.0防止XSS攻擊的方式有哪些的詳細內容。更多資訊請關注PHP中文網其他相關文章!
陳述:
本文轉載於:yisu.com。如有侵權,請聯絡admin@php.cn刪除
上一篇:Java如何實現優雅的參數校驗下一篇:Java如何實現優雅的參數校驗