feat: 提供[预防XSS攻击]功能

Author: GitSuperDrew

mpdemo/pom.xml

@@ -44,6 +44,12 @@
             <artifactId>lombok</artifactId>
             <optional>true</optional>
         </dependency>
+        <!--jsoup-->
+        <dependency>
+            <groupId>org.jsoup</groupId>
+            <artifactId>jsoup</artifactId>
+            <version>1.13.1</version>
+        </dependency>
         <dependency>
             <groupId>cn.hutool</groupId>
             <artifactId>hutool-all</artifactId>

mpdemo/src/main/java/com/jiangfeixiang/mpdemo/springbootmp/controller/DemoTestController.java

@@ -0,0 +1,31 @@
+package com.jiangfeixiang.mpdemo.springbootmp.controller;
+
+import org.springframework.web.bind.annotation.GetMapping;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.RequestParam;
+import org.springframework.web.bind.annotation.RestController;
+
+/**
+ * @author zl
+ * @date 2022-07-04 17:53
+ */
+@RestController
+@RequestMapping(value = "/test")
+public class DemoTestController {
+
+    /**
+     * 测试 预防XSS攻击效果演示
+     * <pre>
+     *     http://localhost:8889/test/xss?htmlStr=<a href="www.baidu.com" onclick="alert(1);">baidu.com</a><script>alert(1);</script>
+     *     http://localhost:8889/test/xss?htmlStr=<img width="200px" onerr="alert(1);"/>
+     * </pre>
+     *
+     * @param htmlStr 带有脚本的字符串内容
+     * @return 剔除脚本的字符
+     */
+    @GetMapping(value = "/xss")
+    public String testXss(@RequestParam(value = "htmlStr") String htmlStr) {
+        System.out.println("xss-html: \n" + htmlStr);
+        return htmlStr;
+    }
+}

mpdemo/src/main/java/com/jiangfeixiang/mpdemo/springbootmp/util/xss/HtmlFilter.java

@@ -0,0 +1,118 @@
+package com.jiangfeixiang.mpdemo.springbootmp.util.xss;
+
+import org.jsoup.Jsoup;
+import org.jsoup.nodes.Document;
+import org.jsoup.safety.Whitelist;
+
+import java.io.IOException;
+import java.util.List;
+
+/**
+ * HTML 元素过滤器
+ *
+ * @author zl
+ */
+public class HtmlFilter {
+
+    /**
+     * 默认使用relaxed()
+     * 允许的标签: a, b, blockquote, br, caption, cite, code, col, colgroup, dd, dl, dt, em, h1, h2, h3, h4, h5, h6, i, img, li, ol, p, pre, q, small, strike, strong, sub, sup, table, tbody, td, tfoot, th, thead, tr, u, ul。
+     * 结果不包含标签rel=nofollow ，如果需要可以手动添加。
+     */
+    private Whitelist whiteList;
+
+
+    /**
+     * 配置过滤化参数,不对代码进行格式化
+     */
+    private Document.OutputSettings outputSettings;
+
+
+    private HtmlFilter() {
+    }
+
+    /**
+     * 静态创建HtmlFilter方法
+     *
+     * @param whiteList 白名单标签
+     * @param pretty    是否格式化
+     * @return HtmlFilter
+     */
+    public static HtmlFilter create(Whitelist whiteList, boolean pretty) {
+        HtmlFilter filter = new HtmlFilter();
+        if (whiteList == null) {
+            filter.whiteList = Whitelist.relaxed();
+        }
+        filter.outputSettings = new Document.OutputSettings().prettyPrint(pretty);
+        return filter;
+    }
+
+    /**
+     * 静态创建HtmlFilter方法
+     *
+     * @return HtmlFilter
+     */
+    public static HtmlFilter create() {
+        return create(null, false);
+    }
+
+    /**
+     * 静态创建HtmlFilter方法
+     *
+     * @param whiteList 白名单标签
+     * @return HtmlFilter
+     */
+    public static HtmlFilter create(Whitelist whiteList) {
+        return create(whiteList, false);
+    }
+
+    /**
+     * 静态创建HtmlFilter方法
+     *
+     * @param excludeTags 例外的特定标签
+     * @param includeTags 需要过滤的特定标签
+     * @param pretty      是否格式化
+     * @return HtmlFilter
+     */
+    public static HtmlFilter create(List<String> excludeTags, List<String> includeTags, boolean pretty) {
+        HtmlFilter filter = create(null, pretty);
+        //要过滤的标签
+        if (includeTags != null && !includeTags.isEmpty()) {
+            String[] tags = (String[]) includeTags.toArray(new String[0]);
+            filter.whiteList.removeTags(tags);
+        }
+        //例外标签
+        if (excludeTags != null && !excludeTags.isEmpty()) {
+            String[] tags = (String[]) excludeTags.toArray(new String[0]);
+            filter.whiteList.addTags(tags);
+        }
+        return filter;
+    }
+
+
+    /**
+     * 静态创建HtmlFilter方法
+     *
+     * @param excludeTags 例外的特定标签
+     * @param includeTags 需要过滤的特定标签
+     * @return HtmlFilter
+     */
+    public static HtmlFilter create(List<String> excludeTags, List<String> includeTags) {
+        return create(includeTags, excludeTags, false);
+    }
+
+    /**
+     * @param content 需要过滤内容
+     * @return 过滤后的String
+     */
+    public String clean(String content) {
+        return Jsoup.clean(content, "", this.whiteList, this.outputSettings);
+
+    }
+
+    // 测试：使用 Jsoup 剔除对应的脚本（即 jsoup的规则只允许指定的富文本标签通过）
+    public static void main(String[] args) throws IOException {
+        String text = "<a href=\"http://www.baidu.com/a\" onclick=\"alert(1);\"></a><script>alert(0);</script><b style=\"xxx\" onclick=\"<script>alert(0);</script>\">abc</>";
+        System.out.println(HtmlFilter.create().clean(text));
+    }
+}

mpdemo/src/main/java/com/jiangfeixiang/mpdemo/springbootmp/util/xss/XssFilter.java

@@ -0,0 +1,110 @@
+package com.jiangfeixiang.mpdemo.springbootmp.util.xss;
+
+import org.apache.commons.lang3.StringUtils;
+
+import javax.servlet.*;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import java.io.IOException;
+import java.util.ArrayList;
+import java.util.Collections;
+import java.util.List;
+import java.util.regex.Matcher;
+import java.util.regex.Pattern;
+
+/**
+ * XSS 过滤器
+ *
+ * @author zl
+ */
+public class XssFilter implements Filter {
+    /**
+     * 例外urls
+     */
+    private List<String> excludeUrls = new ArrayList<>();
+
+    /**
+     * 例外标签
+     */
+    private List<String> excludeTags = new ArrayList<>();
+
+    /**
+     * 需要过滤标签
+     */
+    private List<String> includeTags = new ArrayList<>();
+
+    /**
+     * 开关
+     */
+    public boolean enabled = false;
+
+    /**
+     * 编码
+     */
+    private String encoding = "UTF-8";
+
+    @Override
+    public void init(FilterConfig filterConfig) throws ServletException {
+        String enabledStr = filterConfig.getInitParameter("enabled");
+        String excludeUrlStr = filterConfig.getInitParameter("urlPatterns");
+        String excludeTagStr = filterConfig.getInitParameter("excludes");
+        String includeTagStr = filterConfig.getInitParameter("includes");
+        String encodingStr = filterConfig.getInitParameter("encoding");
+
+        if (StringUtils.isNotEmpty(excludeUrlStr)) {
+            String[] url = excludeUrlStr.split(",");
+            Collections.addAll(this.excludeUrls, url);
+        }
+
+        if (StringUtils.isNotEmpty(excludeTagStr)) {
+            String[] url = excludeTagStr.split(",");
+            Collections.addAll(this.excludeTags, url);
+        }
+
+        if (StringUtils.isNotEmpty(includeTagStr)) {
+            String[] url = includeTagStr.split(",");
+            Collections.addAll(this.includeTags, url);
+        }
+
+        if (StringUtils.isNotEmpty(enabledStr)) {
+            this.enabled = Boolean.parseBoolean(enabledStr);
+        }
+
+        if (StringUtils.isNotEmpty(encodingStr)) {
+            this.encoding = encodingStr;
+        }
+
+    }
+
+    @Override
+    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
+        HttpServletRequest req = (HttpServletRequest) request;
+        HttpServletResponse resp = (HttpServletResponse) response;
+        if (handleExcludeUrls(req, resp)) {
+            chain.doFilter(request, response);
+            return;
+        }
+
+        XssHttpServletRequestWrapper xssRequest = new XssHttpServletRequestWrapper((HttpServletRequest) request, encoding, excludeTags, includeTags);
+        chain.doFilter(xssRequest, response);
+
+    }
+
+    private boolean handleExcludeUrls(HttpServletRequest request, HttpServletResponse response) {
+        if (!enabled) {
+            return true;
+        }
+        if (excludeUrls == null || excludeUrls.isEmpty()) {
+            return false;
+        }
+        String url = request.getServletPath();
+        for (String pattern : excludeUrls) {
+            Pattern p = Pattern.compile("^" + pattern);
+            Matcher m = p.matcher(url);
+            if (m.find()) {
+                return true;
+            }
+        }
+        return false;
+    }
+}

mpdemo/src/main/java/com/jiangfeixiang/mpdemo/springbootmp/util/xss/XssFilterConfig.java

@@ -0,0 +1,42 @@
+package com.jiangfeixiang.mpdemo.springbootmp.util.xss;
+
+import org.springframework.beans.factory.annotation.Value;
+import org.springframework.boot.web.servlet.FilterRegistrationBean;
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+
+import javax.servlet.DispatcherType;
+import java.util.HashMap;
+import java.util.Map;
+
+@Configuration
+public class XssFilterConfig {
+
+    @Value("${xss.enabled:true}")
+    private String enabled;
+
+    @Value("${xss.excludes:}")
+    private String excludes;
+
+    @Value("${xss.includes$:}")
+    private String includes;
+
+    @Value("${xss.urlPatterns:/*}")
+    private String urlPatterns;
+
+    @Bean
+    public FilterRegistrationBean<XssFilter> xssFilterRegistrationBean() {
+        FilterRegistrationBean<XssFilter> registration = new FilterRegistrationBean<>();
+        registration.setDispatcherTypes(DispatcherType.REQUEST);
+        registration.setFilter(new XssFilter());
+        registration.addUrlPatterns(urlPatterns.split(","));
+        registration.setName("XssFilter");
+        registration.setOrder(Integer.MAX_VALUE);
+        Map<String, String> initParameters = new HashMap<>(3);
+        initParameters.put("excludes", excludes);
+        initParameters.put("includes", includes);
+        initParameters.put("enabled", enabled);
+        registration.setInitParameters(initParameters);
+        return registration;
+    }
+}