自定义json反序列化器
package cc.fedtech.filter;import com.fasterxml.jackson.core.JsonParser;import com.fasterxml.jackson.core.JsonProcessingException;import com.fasterxml.jackson.databind.DeserializationContext;import com.fasterxml.jackson.databind.JsonDeserializer;import org.springframework.web.util.HtmlUtils;import java.io.IOException;public class XssJsonDeserializer extends JsonDeserializer<String> { @Override public String deserialize(JsonParser jsonParser, DeserializationContext ctxt) throws IOException, JsonProcessingException { String value = jsonParser.getValueAsString(); if (value != null) { //对于值进行HTML本义 return HtmlUtils.htmlEscape(value); } return value; } @Override public Class<String> handledType() { return String.class; } }
自定义json序列化器
package cc.fedtech.filter;import com.fasterxml.jackson.core.JsonGenerator;import com.fasterxml.jackson.databind.JsonSerializer;import com.fasterxml.jackson.databind.SerializerProvider;import org.springframework.web.util.HtmlUtils;import java.io.IOException;public class XssJsonSerializer extends JsonSerializer<String> { @Override public Class<String> handledType() { return String.class; } @Override public void serialize(String value, JsonGenerator jsonGenerator, SerializerProvider serializerProvider) throws IOException { if (value != null) { //对字符串进行HTML本义 jsonGenerator.writeString(HtmlUtils.htmlEscape(value)); } }}
自定义拦截器
package com.fedtech.common.filter.xss;import org.apache.commons.lang3.StringUtils;import org.springframework.core.Ordered;import org.springframework.core.annotation.Order;import org.springframework.stereotype.Component;import javax.servlet.*;import javax.servlet.http.HttpServletRequest;import java.io.IOException;/** * 自定义过滤器 * * @author <a href = "mailto:njpkhuan@gmail.com" > huan </a > * @date 2021/2/8 * @since 1.0.0 */@Component@Order(Ordered.HIGHEST_PRECEDENCE)public class XssFilter implements Filter { @Override public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException { String path = ((HttpServletRequest) request).getServletPath(); if (path.equals("/")) { chain.doFilter(request, response); } if (StringUtils.containsAny(path, "/assets", "/templates", "/mapper","/oauth")) { chain.doFilter(request, response); } chain.doFilter(new XssRequestWrapper((HttpServletRequest) request), response); } @Override public void init(FilterConfig filterConfig) throws ServletException { } @Override public void destroy() { }}
申请参数解决
package cc.fedtech.filter;import org.apache.commons.lang3.StringUtils;import org.springframework.web.util.HtmlUtils;import javax.servlet.http.HttpServletRequest;import javax.servlet.http.HttpServletRequestWrapper;import java.util.Arrays;public class XssRequestWrapper extends HttpServletRequestWrapper { public XssRequestWrapper(HttpServletRequest request) { super(request); } @Override public String[] getParameterValues(String parameter) { //获取多个参数值的时候对所有参数值利用clean办法逐个清洁 return Arrays.stream(super.getParameterValues(parameter)).map(this::clean).toArray(String[]::new); } @Override public String getHeader(String name) { //同样清洁申请头 return clean(super.getHeader(name)); } @Override public String getParameter(String parameter) { //获取参数繁多值也要解决 return clean(super.getParameter(parameter)); } //clean办法就是对值进行HTML本义 private String clean(String value) { return StringUtils.isEmpty(value)? "" : HtmlUtils.htmlEscape(value); }}
注册反序列化器
//注册自定义的Jackson反序列器 @Bean public Module xssModule() { SimpleModule module = new SimpleModule(); module.addDeserializer(String.class, new XssJsonDeserializer()); module.addSerializer(String.class, new XssJsonSerializer()); return module; }