req通过getParameter、getParameterValues获取值,json形式body,转成对象时,xss过滤
使用StringEscapeUtils中的escapeHtml4来转换html的特殊字符,防止xss攻击
<dependency>
<groupId>kim.hanjie.common</groupId>
<artifactId>common-xss</artifactId>
<version>1.0.0</version>
</dependency>@Configuration
public class FilterConfiguration {
@Bean
public FilterRegistrationBean<XssFilter> xssFilterFilterRegistration() {
FilterRegistrationBean<XssFilter> registration = new FilterRegistrationBean<>();
registration.setFilter(new XssFilter());
registration.addUrlPatterns("/*");
registration.setName("xssFilter");
return registration;
}
}@Configuration
public class JacksonConvertersConfiguration {
@Bean
@Primary
ObjectMapper jacksonObjectMapper(Jackson2ObjectMapperBuilder builder) {
Jackson2ObjectMapperBuilder xmlMapper = builder.createXmlMapper(false);
xmlMapper.serializationInclusion(JsonInclude.Include.NON_NULL);
// 设置 String的deserializer Type为XssStringJsonDeserializer
builder.deserializerByType(String.class, new XssStringJsonDeserializer());
return xmlMapper.build();
}
}对于一些不需要xss处理的文本,如果富文本内容,则可以使用StringEscapeUtils.unescapeHtml4转回来
对于向富文本这种,可以通过Jsoup.clean()方法来获取安全的富文本内容
<dependency>
<groupId>org.jsoup</groupId>
<artifactId>jsoup</artifactId>
<version>1.13.1</version>
</dependency>