主要有三种请求方式,进行过滤替换非法符号

1.普通的GET请求数据:

2.FORM表单提交数据:

3.Json格式数据提交:

把下面5个文件放入项目中即可

 package com.joppay.admin.security.xss;

 import org.springframework.util.StringUtils;

 import org.springframework.web.util.HtmlUtils;

 import javax.servlet.http.HttpServletRequest;

 import javax.servlet.http.HttpServletRequestWrapper;

 /**

  * XSS转义

  *

  * @author leroy

  * @date 2019/3/6 18:08

  */

 public class XssHttpServletRequestWrapper extends HttpServletRequestWrapper {

     /**

      * Constructs a request object wrapping the given request.

      *

      * @param request The request to wrap

      * @throws IllegalArgumentException if the request is null

      */

     public XssHttpServletRequestWrapper(HttpServletRequest request) {

         super(request);

     }

     @Override

     public String getParameter(String name) {

         String value = super.getParameter(name);

         if (!StringUtils.isEmpty(value)) {

             value = HtmlUtils.htmlEscape(value);

         }

         return value;

     }

     @Override

     public String[] getParameterValues(String name) {

         String[] parameterValues = super.getParameterValues(name);

         if (parameterValues == null) {

             return null;

         }

         for (int i = 0; i < parameterValues.length; i++) {

             String value = parameterValues[i];

             parameterValues[i] = HtmlUtils.htmlEscape(value);

         }

         return parameterValues;

     }

 }
package com.joppay.admin.security.xss;

import com.fasterxml.jackson.databind.JavaType;

import com.fasterxml.jackson.databind.ObjectMapper;

import org.springframework.http.HttpInputMessage;

import org.springframework.http.converter.HttpMessageNotReadableException;

import org.springframework.http.converter.json.MappingJackson2HttpMessageConverter;

import java.io.IOException;

import java.lang.reflect.Type;

public class XSSMappingJackson2HttpMessageConverter extends

        MappingJackson2HttpMessageConverter {

    private ObjectMapper mapper = new ObjectMapper();

    public XSSMappingJackson2HttpMessageConverter() {

        super();

        mapper.getFactory().setCharacterEscapes(new HTMLCharacterEscapes());

    }

    @Override

    public Object read(Type type, Class<?> contextClass,

                       HttpInputMessage inputMessage) throws IOException,

            HttpMessageNotReadableException {

        JavaType javaType = getJavaType(type, contextClass);

        // 下面的程式碼 將 @RequestBody 中的資料 做 XSS過濾

        try {

            // json字串转实体

            Object object = mapper.readValue(inputMessage.getBody(), javaType);

            // 实体转字串

            String jsonString = mapper.writeValueAsString(object);

            // json字串转实体

            object = mapper.readValue(jsonString, javaType);

            return object;

        } catch (IOException ex) {

            throw new HttpMessageNotReadableException("Could not read JSON: " + ex.getMessage(), ex);

        }

    }

}
 package com.joppay.admin.security.xss;

 import com.fasterxml.jackson.core.JsonGenerator;

 import com.fasterxml.jackson.databind.JsonSerializer;

 import com.fasterxml.jackson.databind.SerializerProvider;

 import org.springframework.web.util.HtmlUtils;

 import java.io.IOException;

 /**

  * json XSS过滤(Form表单对象)

  * @author leroy

  * @date 2019/3/6 18:15

  */

 public class XssStringJsonSerializer extends JsonSerializer<String> {

     @Override

     public Class<String> handledType() {

         return String.class;

     }

     @Override

     public void serialize(String value, JsonGenerator jsonGenerator,

                           SerializerProvider serializerProvider) throws IOException {

         if (value != null) {

             String encodedValue = HtmlUtils.htmlEscape(value);

             jsonGenerator.writeString(encodedValue);

         }

     }

 }
package com.joppay.admin.security.xss;

import com.fasterxml.jackson.core.SerializableString;

import com.fasterxml.jackson.core.io.CharacterEscapes;

import com.fasterxml.jackson.core.io.SerializedString;

import org.apache.commons.lang3.StringEscapeUtils;

public class HTMLCharacterEscapes  extends CharacterEscapes {

    private final int[] asciiEscapes;

    public HTMLCharacterEscapes() {

        // start with set of characters known to require escaping (double-quote, backslash etc)

        asciiEscapes = CharacterEscapes.standardAsciiEscapesForJSON();

        // and force escaping of a few others:

        asciiEscapes['<'] = CharacterEscapes.ESCAPE_CUSTOM;

        asciiEscapes['>'] = CharacterEscapes.ESCAPE_CUSTOM;

        asciiEscapes['&'] = CharacterEscapes.ESCAPE_CUSTOM;

        asciiEscapes['"'] = CharacterEscapes.ESCAPE_CUSTOM;

        asciiEscapes['\''] = CharacterEscapes.ESCAPE_CUSTOM;

    }

    @Override

    public int[] getEscapeCodesForAscii() {

        return asciiEscapes;

    }

    // and this for others; we don't need anything special here

    @Override

    public SerializableString getEscapeSequence(int ch) {

        return new SerializedString(StringEscapeUtils.escapeHtml4(Character.toString((char) ch)));

    }

}
package com.joppay.admin.security.xss;

import com.fasterxml.jackson.databind.ObjectMapper;

import com.fasterxml.jackson.databind.module.SimpleModule;

import org.springframework.context.annotation.Bean;

import org.springframework.context.annotation.Primary;

import org.springframework.core.annotation.Order;

import org.springframework.http.MediaType;

import org.springframework.http.converter.json.Jackson2ObjectMapperBuilder;

import org.springframework.http.converter.json.MappingJackson2HttpMessageConverter;

import org.springframework.stereotype.Component;

import javax.servlet.*;

import javax.servlet.annotation.WebFilter;

import javax.servlet.http.HttpServletRequest;

import java.io.IOException;

import java.util.ArrayList;

import java.util.List;

/**

 * XSS过滤

 *

 * @author leroy

 * @date 2019/3/6 18:13

 */

@WebFilter

@Component

public class XssFilter implements Filter {

    FilterConfig filterConfig = null;

    @Override

    public void init(FilterConfig filterConfig) throws ServletException {

        this.filterConfig = filterConfig;

    }

    @Override

    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {

        HttpServletRequest req = (HttpServletRequest) request;

        XssHttpServletRequestWrapper xssRequestWrapper = new XssHttpServletRequestWrapper(req);

        chain.doFilter(xssRequestWrapper, response);

    }

    @Override

    public void destroy() {

        this.filterConfig = null;

    }

    @Bean

    public MappingJackson2HttpMessageConverter mappingJackson2HttpMessageConverter() {

        return new XSSMappingJackson2HttpMessageConverter();

    }

    @Bean

    public XssStringJsonSerializer xssStringJsonSerializer(){

        return new XssStringJsonSerializer();

    }

}

防止XSS攻击的方式的更多相关文章

  1. WEB安全实战(五)XSS 攻击的第二种解决方式(推荐)

    序 说到 XSS 攻击,前边已经有两篇文章在讲这个事了,这次又拿出来说,主要是针对近期工作中的一些新的问题.那么之前是怎么解决问题的呢?为什么又要换解决方式?以下就具体的跟大家分享一下. 旧方案 公司 ...

  2. 拦截过滤防御XSS攻击 -- Struts2.3 以及 2.5 的解决方式

    使用Struts2框架开发的后台在防御XSS攻击的时候很多方式都不能用,因为Struts2对请求进行的二次封装有区别.以下针对Struts2的XSS攻击进行拦截过滤防御解决: Struts2.3 本方 ...

  3. 绕过用编码方式阻止XSS攻击的几个例子

    阻止攻击的常用方法是:在将HTML返回给Web浏览器之前,对攻击者输入的HTML进行编码.HTML编码使用一些没有特定HTML意义的字符来代替那些标记字符(如尖括号).这些替代字符不会影响文本在web ...

  4. 防御XSS攻击-encode用户输入内容的重要性

    一.开场先科普下XSS 跨站脚本攻击(Cross Site Scripting),为不和层叠样式表(Cascading Style Sheets, CSS)的缩写混淆,故将跨站脚本攻击缩写为XSS.恶 ...

  5. 前端XSS攻击和防御

    xss跨站脚本攻击(Cross Site Scripting),是一种经常出现在web应用中的计算机安全漏洞,指攻击者在网页中嵌入客户端脚本(例如JavaScript), 当用户浏览此网页时,脚本就会 ...

  6. XSS攻击及防御

    XSS又称CSS,全称Cross SiteScript,跨站脚本攻击,是Web程序中常见的漏洞,XSS属于被动式且用于客户端的攻击方式,所以容易被忽略其危害性.其原理是攻击者向有XSS漏洞的网站中输入 ...

  7. XSS攻击的解决方法

    在我上一篇<前端安全之XSS攻击>文中,并没有把XSS攻击的解决办法说完整,而XSS的攻击又那么五花八门,有没有一招“独孤九剑”能够抗衡,毕竟那么多情况场景,开发人员无法一一照顾过来,而今 ...

  8. 前端安全之XSS攻击

    XSS(cross-site scripting跨域脚本攻击)攻击是最常见的Web攻击,其重点是“跨域”和“客户端执行”.有人将XSS攻击分为三种,分别是: 1. Reflected XSS(基于反射 ...

  9. 利用Android的UXSS漏洞完成一次XSS攻击

    黑客攻击的方式思路是先搜集信息,定位漏洞,然后针对不同的漏洞采用不同的方式来黑掉你.下面用metasploit模拟一次跨站脚本攻击(黑掉自己的手机). 1.搜集信息 msf > search a ...

随机推荐

  1. Code Force 21B Intersection

    B. Intersection time limit per test1 second memory limit per test256 megabytes inputstandard input o ...

  2. However, a general purpose protocol or its implementation sometimes does not scale very well.

    https://netty.io/wiki/user-guide-for-4.x.html The Problem Nowadays we use general purpose applicatio ...

  3. 浏览器端js处理or直接冗余至服务器php处理?

    w交给客户端浏览器js处理,减少向服务器的提交字节.精简处理逻辑.

  4. 剑指Offer——孩子们的游戏(圆圈中最后剩下的数)

    题目描述: 每年六一儿童节,牛客都会准备一些小礼物去看望孤儿院的小朋友,今年亦是如此.HF作为牛客的资深元老,自然也准备了一些小游戏.其中,有个游戏是这样的:首先,让小朋友们围成一个大圈.然后,他随机 ...

  5. python手写bp神经网络实现人脸性别识别1.0

    写在前面:本实验用到的图片均来自google图片,侵删! 实验介绍 用python手写一个简单bp神经网络,实现人脸的性别识别.由于本人的机器配置比较差,所以无法使用网上很红的人脸大数据数据集(如lf ...

  6. H5移动端的一些坑、、、

    H5项目常见问题及注意事项 Meta基础知识: H5页面窗口自动调整到设备宽度,并禁止用户缩放页面 //一.HTML页面结构 <meta name="viewport" co ...

  7. C# 将 HTML 转换为图片或 PDF

    首先是把 HTML 转换为图片. public partial class Form1 : Form { public Form1() { InitializeComponent(); } WebBr ...

  8. idea打jar包-MapReduce作业提交到hadoop集群执行

    https://blog.csdn.net/jiaotangX/article/details/78661862 https://liushilang.iteye.com/blog/2093173

  9. mycat 指定mycat节点

    mycat 指定节点: /*!mycat:dataNode=order1*/select seq_nextval('APPOINTMENT_NO'); 指定节点创建存储过程或建表: /*!mycat: ...

  10. appium不同姿势安装

    一 桌面版(打开很慢,常用于辅助元素定位) 1.官网下载window版本: 2.直接点击图标即可打开