在平时做项目代码开发的时候,很容易忽视xss攻击的防护,网上有很多自定义全局拦截器来实现xss过滤,其实不需要这么麻烦,springboot留有不少钩子(扩展点),据此我们可以巧妙地实现全局的xss过滤
防止 XSS 攻击,一般有两种做法:
1. 转义:使用工具类 HtmlUtils 把 `<`、`>`、`&`、`"`、`'` 转成 HTML 实体;
2. 过滤:将敏感标签去除,jsoup 实现了非常强大的 clean 敏感标签的功能。
两种做法都是在参数绑定阶段处理输入,因此只覆盖经过 DataBinder / ConversionService 的值(@RequestParam、@ModelAttribute、@PathVariable 等);用 @RequestBody 反序列化的 JSON 不会经过这些钩子,需要另行处理。另外,在输入侧统一转义会改写原始数据(例如含 `&`、`<` 的密码或富文本会以转义后的形式入库,用于非 HTML 场景时还要再反转义)。XSS 的根本防线仍然是输出时按上下文编码(模板引擎默认的 HTML 转义)并配合 CSP,下面的全局转义只应作为补充。
转义做法的三种实现:
转义方法一:注册自定义转换器。自定义转换器继承 PropertyEditorSupport 类实现,在 setAsText 中完成转义后再 setValue;转换器还可以实现数据格式转换,例如 Date 的转换。注意 PropertyEditorSupport 把转换结果保存在实例字段里,不是线程安全的,不要把同一个单例注册给所有请求共用,应在 initBinder 里为每个 binder new 一个新实例。
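@Component
public class DateEditor extends PropertyEditorSupport {

    /** Matches every non-digit character; used to strip separators such as '-', '/', ':' and spaces. */
    private static final Pattern NON_DIGIT = Pattern.compile("[^0-9]");

    /**
     * Parses a date-like request value into a {@link Date} by keeping only its digits and
     * picking the pattern from the remaining length:
     * 14 = yyyyMMddHHmmss, 12 = yyyyMMddHHmm, 10 = yyyyMMddHH, 8 = yyyyMMdd, 6 = yyyyMM, 4 = yyyy.
     *
     * @param text the raw request value; null or blank clears the bound value
     * @throws IllegalArgumentException if the digit count matches none of the supported
     *         patterns, or the digits do not form a valid date (Spring reports this as a
     *         binding/type-mismatch error instead of silently keeping a stale value)
     */
    @Override
    public void setAsText(String text) throws IllegalArgumentException {
        // Blank input must reset the value explicitly: PropertyEditorSupport otherwise keeps
        // whatever was set by the previous conversion, which would leak into this binding.
        if (text == null || text.trim().isEmpty()) {
            setValue(null);
            return;
        }
        String digits = NON_DIGIT.matcher(text.trim()).replaceAll("");
        String pattern;
        switch (digits.length()) {
            case 14:
                pattern = "yyyyMMddHHmmss";
                break;
            case 12:
                pattern = "yyyyMMddHHmm";
                break;
            case 10:
                pattern = "yyyyMMddHH";
                break;
            case 8:
                pattern = "yyyyMMdd";
                break;
            case 6:
                pattern = "yyyyMM";
                break;
            case 4:
                pattern = "yyyy";
                break;
            default:
                // Unknown shape: fail the binding rather than leave the previous value in place.
                throw new IllegalArgumentException("Unsupported date format: " + text);
        }
        setValue(DateTime.parse(digits, DateTimeFormat.forPattern(pattern)).toDate());
    }
}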
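@Component
public class StringEscapeEditor extends PropertyEditorSupport {

    public StringEscapeEditor() {
        super();
    }

    /**
     * @return the currently bound (already escaped) value as text, or "" when nothing is bound
     */
    @Override
    public String getAsText() {
        Object value = getValue();
        return value != null ? value.toString() : "";
    }

    /**
     * Trims the incoming request value and HTML-escapes it before it is bound, so that a
     * value later rendered without output encoding cannot inject markup.
     * The original version of this editor only trimmed; an editor named "escape" that does
     * not escape gives no XSS protection at all.
     *
     * @param text the raw request value; null binds null
     */
    @Override
    public void setAsText(String text) {
        if (text == null) {
            setValue(null);
            return;
        }
        setValue(escapeHtml(text.trim()));
    }

    /**
     * Escapes the five characters that can break out of an HTML text or attribute context.
     * Produces the same output as HtmlUtils.htmlEscape(s, "UTF-8") for these characters and
     * leaves every other character (including non-ASCII text) untouched.
     */
    private static String escapeHtml(String s) {
        StringBuilder out = new StringBuilder(s.length());
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':
                    out.append("&amp;");
                    break;
                case '<':
                    out.append("&lt;");
                    break;
                case '>':
                    out.append("&gt;");
                    break;
                case '"':
                    out.append("&quot;");
                    break;
                case '\'':
                    out.append("&#39;");
                    break;
                default:
                    out.append(c);
            }
        }
        return out.toString();
    }
}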
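@Slf4j
@Component
public class CommentWebBindingInitializer extends ConfigurableWebBindingInitializer {

    /**
     * Constructor kept for compatibility with the existing wiring; the injected singleton
     * editors are deliberately NOT retained. A PropertyEditorSupport stores its converted
     * value in an instance field (setValue/getValue), so one editor shared by every
     * request could hand one request's value to another under concurrent binding.
     *
     * @param stringEscapeEditor unused, see above
     * @param dateEditor unused, see above
     */
    @Autowired
    public CommentWebBindingInitializer(StringEscapeEditor stringEscapeEditor, DateEditor dateEditor) {
        // intentionally empty: fresh editors are created per binder in initBinder
    }

    /**
     * Registers a fresh Date and String editor on every binder, after the standard
     * ConfigurableWebBindingInitializer setup.
     */
    @Override
    public void initBinder(WebDataBinder binder) {
        log.info("init bind editor");
        super.initBinder(binder);
        // One editor instance per binder: editors are stateful and not thread-safe.
        binder.registerCustomEditor(Date.class, new DateEditor());
        binder.registerCustomEditor(String.class, new StringEscapeEditor());
    }
}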
转义方法二:BaseController。需要 XSS 防护的 Controller 继承该 BaseController,其 @InitBinder 方法会为本 Controller 的每个 binder 注册 String 编辑器(同样应每次 new 一个实例,而不是共用单例)。
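public class BaseController {

    /**
     * Registers the escaping String editor on every binder Spring creates for a controller
     * that extends this class, so bound String values are escaped before reaching handlers.
     * A new editor is created per binder: PropertyEditorSupport keeps the converted value in
     * an instance field and a single shared instance would race between concurrent requests.
     *
     * @param binder the binder for the current request
     */
    @InitBinder
    public void initBinder(ServletRequestDataBinder binder) {
        binder.registerCustomEditor(String.class, new StringEscapeEditor());
    }
}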
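// Escaping, approach 3: a String -> String Converter registered on the ConversionService.
@Component
public class StringEscapeEditor implements Converter<String, String> {

    /**
     * HTML-escapes a bound String request value; null and empty values pass through unchanged.
     * The encoding argument matters: HtmlUtils.htmlEscape(String) assumes ISO-8859-1 and
     * rewrites every character that has a named entity (e.g. typographic quotes, dashes),
     * which corrupts ordinary non-ASCII text; with "UTF-8" only &lt; &gt; &amp; " ' are escaped.
     *
     * @param s the raw request value
     * @return the escaped value, or {@code s} itself when it is null or empty
     */
    @Override
    public String convert(String s) {
        if (s == null || s.isEmpty()) {
            return s;
        }
        return HtmlUtils.htmlEscape(s, "UTF-8");
    }
}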
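@Configuration
public class WebMvcConfig implements WebMvcConfigurer {

    /**
     * Exact origins (scheme + host + port) of the front-ends allowed to call this API
     * cross-origin with credentials, e.g. "https://app.example.com". While empty, every
     * cross-origin request is rejected, which is the safe default until the list is filled.
     * Never use "*" here together with allowCredentials(true): in the Spring versions used
     * by Boot 2.0 that combination reflects the request's Origin header, so any site can
     * make credentialed requests on behalf of a logged-in user and read the responses.
     */
    private static final String[] ALLOWED_ORIGINS = {};

    @Autowired
    private LoginInterceptor loginInterceptor;

    @Autowired
    private StringEscapeEditor stringEscapeEditor;

    /**
     * Registers the String -> String converter so that every request value going through
     * data binding is HTML-escaped before it reaches a controller argument.
     * Only request parameters, form fields and path variables pass through the
     * ConversionService; a JSON @RequestBody is deserialised by Jackson and is not escaped here.
     *
     * @param registry the formatter registry
     */
    @Override
    public void addFormatters(FormatterRegistry registry) {
        registry.addConverter(stringEscapeEditor);
    }

    /**
     * Applies the login interceptor to every path except login, logout and the test endpoint.
     * Path patterns do not include the context path.
     *
     * @param registry the interceptor registry
     */
    @Override
    public void addInterceptors(InterceptorRegistry registry) {
        registry.addInterceptor(loginInterceptor)
                .addPathPatterns("/**")
                .excludePathPatterns("/user/login", "/user/logout", "/index/test1");
    }

    /**
     * CORS for a separately hosted front-end. Because credentials are allowed, origins are
     * listed explicitly (ALLOWED_ORIGINS) instead of "*".
     *
     * @param registry the CORS registry
     */
    @Override
    public void addCorsMappings(CorsRegistry registry) {
        registry.addMapping("/**")
                .allowedOrigins(ALLOWED_ORIGINS)
                .allowedMethods("GET", "POST", "PUT", "OPTIONS", "DELETE", "PATCH")
                .allowCredentials(true)
                .maxAge(3600);
    }
}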
以上就是 Spring Boot 2.0 防止 XSS 攻击的几种方式。无论选哪一种,它们都只处理经过参数绑定的请求值,JSON 请求体的处理和输出时的上下文编码仍需单独考虑。