<!DOCTYPE html>
<html lang="zh-CN">
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width,initial-scale=1">
<title>XSS跨站脚本攻击处理 | spring-boot-plus</title>
<meta name="description" content="spring-boot-plus XSS(Cross Site Scripting)跨站脚本攻击处理">
<link rel="icon" href="/favicon.ico">
<!-- Baidu Tongji (hm.js) loader: builds a script element pointing at hm.baidu.com and inserts it before the first script in the document, so the analytics code runs with this page's origin. The remote file is fetched without an integrity attribute (SRI), so the page trusts whatever that origin serves; treat this third-party inclusion as part of the site's supply chain, and note that an inline script like this needs a nonce or hash allowance if a CSP is ever applied. -->
<script>var _hmt = _hmt || []; (function() {var hm = document.createElement("script"); hm.src = "https://hm.baidu.com/hm.js?f5cf3abbd62a6b246284fc0259a2a17d"; var s = document.getElementsByTagName("script")[0]; s.parentNode.insertBefore(hm, s);})();</script>
<!-- Console banner: prints the spring-boot-plus ASCII-art logo in blue via console.log's %c style directive. Output only; nothing in the visible document reads it. -->
<script>console.log("%c _ _ _ _\n (_) | | | | | |\n ___ _ __ _ __ _ _ __ __ _ ______| |__ ___ ___ | |_ ______ _ __ | |_ _ ___\n / __| '_ \\| '__| | '_ \\ / _` |______| '_ \\ / _ \\ / _ \\| __|______| '_ \\| | | | / __|\n \\__ \\ |_) | | | | | | | (_| | | |_) | (_) | (_) | |_ | |_) | | |_| \\__ \\\n |___/ .__/|_| |_|_| |_|\\__, | |_.__/ \\___/ \\___/ \\__| | .__/|_|\\__,_|___/\n | | __/ | | |\n |_| |___/ |_|","color:blue");</script>
<!-- Console banner: framework/project version lines and project links, each printed in blue via console.log's %c style directive. Output only; nothing in the visible document reads it. -->
<script>["%c :: Spring Boot :: (v2.2.0.RELEASE)", "%c :: Spring Boot Plus :: (v1.4.0)", "%c :: spring-boot-plus :: https://springboot.plus"].forEach(function (line) { console.log(line, "color:blue"); });</script>
<script>["%cWelcome to spring-boot-plus", "%cGITHUB:https://github.com/geekidea/spring-boot-plus", "%cGITEE:https://gitee.com/geekidea/spring-boot-plus", "%cBlog:https://geekidea.io", "%cWebsite:https://springboot.plus"].forEach(function (line) { console.log(line, "color:blue"); });</script>
<meta name="keywords" content="springboot,springbootplus,xss,跨站脚本攻击处理,Cross Site Scripting">
<link rel="preload" href="/assets/css/0.styles.6625b277.css" as="style"><link rel="preload" href="/assets/js/app.db17a95a.js" as="script"><link rel="preload" href="/assets/js/2.6d1275ea.js" as="script"><link rel="preload" href="/assets/js/60.9ac1ad41.js" as="script"><link rel="prefetch" href="/assets/js/10.5be2a980.js"><link rel="prefetch" href="/assets/js/11.9362ee1a.js"><link rel="prefetch" href="/assets/js/12.e856ce33.js"><link rel="prefetch" href="/assets/js/13.8548df14.js"><link rel="prefetch" href="/assets/js/14.d421edbb.js"><link rel="prefetch" href="/assets/js/15.aa803848.js"><link rel="prefetch" href="/assets/js/16.1f82aa42.js"><link rel="prefetch" href="/assets/js/17.b76ebf7e.js"><link rel="prefetch" href="/assets/js/18.7c403e8a.js"><link rel="prefetch" href="/assets/js/19.85862406.js"><link rel="prefetch" href="/assets/js/20.50118e6e.js"><link rel="prefetch" href="/assets/js/21.6ecbad1e.js"><link rel="prefetch" href="/assets/js/22.04150677.js"><link rel="prefetch" href="/assets/js/23.31e42250.js"><link rel="prefetch" href="/assets/js/24.62d268d4.js"><link rel="prefetch" href="/assets/js/25.bc860894.js"><link rel="prefetch" href="/assets/js/26.3d26b5e3.js"><link rel="prefetch" href="/assets/js/27.8e7349c7.js"><link rel="prefetch" href="/assets/js/28.4c239e18.js"><link rel="prefetch" href="/assets/js/29.aaac18de.js"><link rel="prefetch" href="/assets/js/3.54236c22.js"><link rel="prefetch" href="/assets/js/30.9db4eedc.js"><link rel="prefetch" href="/assets/js/31.e2f591b8.js"><link rel="prefetch" href="/assets/js/32.6f75b9c1.js"><link rel="prefetch" href="/assets/js/33.fdd459fb.js"><link rel="prefetch" href="/assets/js/34.7c8a0eef.js"><link rel="prefetch" href="/assets/js/35.8ad0c5f3.js"><link rel="prefetch" href="/assets/js/36.8e373213.js"><link rel="prefetch" href="/assets/js/37.95287516.js"><link rel="prefetch" href="/assets/js/38.282f1db3.js"><link rel="prefetch" href="/assets/js/39.34f2b25f.js"><link rel="prefetch" href="/assets/js/4.337abf8d.js"><link 
rel="prefetch" href="/assets/js/40.ba84faba.js"><link rel="prefetch" href="/assets/js/41.6a8df5b8.js"><link rel="prefetch" href="/assets/js/42.02bc737b.js"><link rel="prefetch" href="/assets/js/43.5b34dcc0.js"><link rel="prefetch" href="/assets/js/44.d430d71d.js"><link rel="prefetch" href="/assets/js/45.eaa465f2.js"><link rel="prefetch" href="/assets/js/46.11cd0dc4.js"><link rel="prefetch" href="/assets/js/47.65a87e15.js"><link rel="prefetch" href="/assets/js/48.250dd2e3.js"><link rel="prefetch" href="/assets/js/49.5d4f098b.js"><link rel="prefetch" href="/assets/js/5.76db1105.js"><link rel="prefetch" href="/assets/js/50.bb697104.js"><link rel="prefetch" href="/assets/js/51.5f6f5b65.js"><link rel="prefetch" href="/assets/js/52.a73139ed.js"><link rel="prefetch" href="/assets/js/53.4d2c7093.js"><link rel="prefetch" href="/assets/js/54.23543b0e.js"><link rel="prefetch" href="/assets/js/55.5f10a002.js"><link rel="prefetch" href="/assets/js/56.90a14ce0.js"><link rel="prefetch" href="/assets/js/57.d16f247e.js"><link rel="prefetch" href="/assets/js/58.9477625f.js"><link rel="prefetch" href="/assets/js/59.b90e777a.js"><link rel="prefetch" href="/assets/js/6.7b498927.js"><link rel="prefetch" href="/assets/js/61.76ce5abb.js"><link rel="prefetch" href="/assets/js/7.c2acd43f.js"><link rel="prefetch" href="/assets/js/8.39f782cd.js"><link rel="prefetch" href="/assets/js/9.241eeeec.js">
<link rel="stylesheet" href="/assets/css/0.styles.6625b277.css">
</head>
<body>
<div id="app" data-server-rendered="true"><div class="theme-container"><header class="navbar"><div class="sidebar-button"><svg xmlns="http://www.w3.org/2000/svg" aria-hidden="true" role="img" viewBox="0 0 448 512" class="icon"><path fill="currentColor" d="M436 124H12c-6.627 0-12-5.373-12-12V80c0-6.627 5.373-12 12-12h424c6.627 0 12 5.373 12 12v32c0 6.627-5.373 12-12 12zm0 160H12c-6.627 0-12-5.373-12-12v-32c0-6.627 5.373-12 12-12h424c6.627 0 12 5.373 12 12v32c0 6.627-5.373 12-12 12zm0 160H12c-6.627 0-12-5.373-12-12v-32c0-6.627 5.373-12 12-12h424c6.627 0 12 5.373 12 12v32c0 6.627-5.373 12-12 12z"></path></svg></div> <a href="/" class="home-link router-link-active"><!----> <span class="site-name">spring-boot-plus</span></a> <div class="links"><div class="search-box"><input aria-label="Search" autocomplete="off" spellcheck="false" value=""> <!----></div> <nav class="nav-links can-hide"><div class="nav-item"><a href="/guide/" class="nav-link router-link-active">指南</a></div><div class="nav-item"><a href="/config/" class="nav-link">配置</a></div><div class="nav-item"><a href="https://github.com/geekidea/spring-boot-plus/blob/master/CHANGELOG.md" target="_blank" rel="noopener noreferrer" class="nav-link external">
更新日志
<svg xmlns="http://www.w3.org/2000/svg" aria-hidden="true" x="0px" y="0px" viewBox="0 0 100 100" width="15" height="15" class="icon outbound"><path fill="currentColor" d="M18.8,85.1h56l0,0c2.2,0,4-1.8,4-4v-32h-8v28h-48v-48h28v-8h-32l0,0c-2.2,0-4,1.8-4,4v56C14.8,83.3,16.6,85.1,18.8,85.1z"></path> <polygon fill="currentColor" points="45.7,48.7 51.3,54.3 77.2,28.5 77.2,37.2 85.2,37.2 85.2,14.9 62.8,14.9 62.8,22.9 71.5,22.9"></polygon></svg></a></div><div class="nav-item"><a href="http://geekidea.io/spring-boot-plus-apidocs/" target="_blank" rel="noopener noreferrer" class="nav-link external">
Java Api
<svg xmlns="http://www.w3.org/2000/svg" aria-hidden="true" x="0px" y="0px" viewBox="0 0 100 100" width="15" height="15" class="icon outbound"><path fill="currentColor" d="M18.8,85.1h56l0,0c2.2,0,4-1.8,4-4v-32h-8v28h-48v-48h28v-8h-32l0,0c-2.2,0-4,1.8-4,4v56C14.8,83.3,16.6,85.1,18.8,85.1z"></path> <polygon fill="currentColor" points="45.7,48.7 51.3,54.3 77.2,28.5 77.2,37.2 85.2,37.2 85.2,14.9 62.8,14.9 62.8,22.9 71.5,22.9"></polygon></svg></a></div><div class="nav-item"><a href="http://47.105.159.10/api/docs" target="_blank" rel="noopener noreferrer" class="nav-link external">
Swagger
<svg xmlns="http://www.w3.org/2000/svg" aria-hidden="true" x="0px" y="0px" viewBox="0 0 100 100" width="15" height="15" class="icon outbound"><path fill="currentColor" d="M18.8,85.1h56l0,0c2.2,0,4-1.8,4-4v-32h-8v28h-48v-48h28v-8h-32l0,0c-2.2,0-4,1.8-4,4v56C14.8,83.3,16.6,85.1,18.8,85.1z"></path> <polygon fill="currentColor" points="45.7,48.7 51.3,54.3 77.2,28.5 77.2,37.2 85.2,37.2 85.2,14.9 62.8,14.9 62.8,22.9 71.5,22.9"></polygon></svg></a></div><div class="nav-item"><a href="http://47.105.159.10/api" target="_blank" rel="noopener noreferrer" class="nav-link external">
后端演示
<svg xmlns="http://www.w3.org/2000/svg" aria-hidden="true" x="0px" y="0px" viewBox="0 0 100 100" width="15" height="15" class="icon outbound"><path fill="currentColor" d="M18.8,85.1h56l0,0c2.2,0,4-1.8,4-4v-32h-8v28h-48v-48h28v-8h-32l0,0c-2.2,0-4,1.8-4,4v56C14.8,83.3,16.6,85.1,18.8,85.1z"></path> <polygon fill="currentColor" points="45.7,48.7 51.3,54.3 77.2,28.5 77.2,37.2 85.2,37.2 85.2,14.9 62.8,14.9 62.8,22.9 71.5,22.9"></polygon></svg></a></div><div class="nav-item"><a href="http://47.105.159.10" target="_blank" rel="noopener noreferrer" class="nav-link external">
前端演示
<svg xmlns="http://www.w3.org/2000/svg" aria-hidden="true" x="0px" y="0px" viewBox="0 0 100 100" width="15" height="15" class="icon outbound"><path fill="currentColor" d="M18.8,85.1h56l0,0c2.2,0,4-1.8,4-4v-32h-8v28h-48v-48h28v-8h-32l0,0c-2.2,0-4,1.8-4,4v56C14.8,83.3,16.6,85.1,18.8,85.1z"></path> <polygon fill="currentColor" points="45.7,48.7 51.3,54.3 77.2,28.5 77.2,37.2 85.2,37.2 85.2,14.9 62.8,14.9 62.8,22.9 71.5,22.9"></polygon></svg></a></div><div class="nav-item"><div class="dropdown-wrapper"><a class="dropdown-title"><span class="title">Languages</span> <span class="arrow right"></span></a> <ul class="nav-dropdown" style="display:none;"><li class="dropdown-item"><!----> <a href="/guide/xss.html" class="nav-link router-link-exact-active router-link-active">简体中文</a></li><li class="dropdown-item"><!----> <a href="/en/guide/xss.html" class="nav-link">English</a></li></ul></div></div> <a href="https://github.com/geekidea/spring-boot-plus" target="_blank" rel="noopener noreferrer" class="repo-link">
GitHub
<svg xmlns="http://www.w3.org/2000/svg" aria-hidden="true" x="0px" y="0px" viewBox="0 0 100 100" width="15" height="15" class="icon outbound"><path fill="currentColor" d="M18.8,85.1h56l0,0c2.2,0,4-1.8,4-4v-32h-8v28h-48v-48h28v-8h-32l0,0c-2.2,0-4,1.8-4,4v56C14.8,83.3,16.6,85.1,18.8,85.1z"></path> <polygon fill="currentColor" points="45.7,48.7 51.3,54.3 77.2,28.5 77.2,37.2 85.2,37.2 85.2,14.9 62.8,14.9 62.8,22.9 71.5,22.9"></polygon></svg></a></nav></div></header> <div class="sidebar-mask"></div> <aside class="sidebar"><nav class="nav-links"><div class="nav-item"><a href="/guide/" class="nav-link router-link-active">指南</a></div><div class="nav-item"><a href="/config/" class="nav-link">配置</a></div><div class="nav-item"><a href="https://github.com/geekidea/spring-boot-plus/blob/master/CHANGELOG.md" target="_blank" rel="noopener noreferrer" class="nav-link external">
更新日志
<svg xmlns="http://www.w3.org/2000/svg" aria-hidden="true" x="0px" y="0px" viewBox="0 0 100 100" width="15" height="15" class="icon outbound"><path fill="currentColor" d="M18.8,85.1h56l0,0c2.2,0,4-1.8,4-4v-32h-8v28h-48v-48h28v-8h-32l0,0c-2.2,0-4,1.8-4,4v56C14.8,83.3,16.6,85.1,18.8,85.1z"></path> <polygon fill="currentColor" points="45.7,48.7 51.3,54.3 77.2,28.5 77.2,37.2 85.2,37.2 85.2,14.9 62.8,14.9 62.8,22.9 71.5,22.9"></polygon></svg></a></div><div class="nav-item"><a href="http://geekidea.io/spring-boot-plus-apidocs/" target="_blank" rel="noopener noreferrer" class="nav-link external">
Java Api
<svg xmlns="http://www.w3.org/2000/svg" aria-hidden="true" x="0px" y="0px" viewBox="0 0 100 100" width="15" height="15" class="icon outbound"><path fill="currentColor" d="M18.8,85.1h56l0,0c2.2,0,4-1.8,4-4v-32h-8v28h-48v-48h28v-8h-32l0,0c-2.2,0-4,1.8-4,4v56C14.8,83.3,16.6,85.1,18.8,85.1z"></path> <polygon fill="currentColor" points="45.7,48.7 51.3,54.3 77.2,28.5 77.2,37.2 85.2,37.2 85.2,14.9 62.8,14.9 62.8,22.9 71.5,22.9"></polygon></svg></a></div><div class="nav-item"><a href="http://47.105.159.10/api/docs" target="_blank" rel="noopener noreferrer" class="nav-link external">
Swagger
<svg xmlns="http://www.w3.org/2000/svg" aria-hidden="true" x="0px" y="0px" viewBox="0 0 100 100" width="15" height="15" class="icon outbound"><path fill="currentColor" d="M18.8,85.1h56l0,0c2.2,0,4-1.8,4-4v-32h-8v28h-48v-48h28v-8h-32l0,0c-2.2,0-4,1.8-4,4v56C14.8,83.3,16.6,85.1,18.8,85.1z"></path> <polygon fill="currentColor" points="45.7,48.7 51.3,54.3 77.2,28.5 77.2,37.2 85.2,37.2 85.2,14.9 62.8,14.9 62.8,22.9 71.5,22.9"></polygon></svg></a></div><div class="nav-item"><a href="http://47.105.159.10/api" target="_blank" rel="noopener noreferrer" class="nav-link external">
后端演示
<svg xmlns="http://www.w3.org/2000/svg" aria-hidden="true" x="0px" y="0px" viewBox="0 0 100 100" width="15" height="15" class="icon outbound"><path fill="currentColor" d="M18.8,85.1h56l0,0c2.2,0,4-1.8,4-4v-32h-8v28h-48v-48h28v-8h-32l0,0c-2.2,0-4,1.8-4,4v56C14.8,83.3,16.6,85.1,18.8,85.1z"></path> <polygon fill="currentColor" points="45.7,48.7 51.3,54.3 77.2,28.5 77.2,37.2 85.2,37.2 85.2,14.9 62.8,14.9 62.8,22.9 71.5,22.9"></polygon></svg></a></div><div class="nav-item"><a href="http://47.105.159.10" target="_blank" rel="noopener noreferrer" class="nav-link external">
前端演示
<svg xmlns="http://www.w3.org/2000/svg" aria-hidden="true" x="0px" y="0px" viewBox="0 0 100 100" width="15" height="15" class="icon outbound"><path fill="currentColor" d="M18.8,85.1h56l0,0c2.2,0,4-1.8,4-4v-32h-8v28h-48v-48h28v-8h-32l0,0c-2.2,0-4,1.8-4,4v56C14.8,83.3,16.6,85.1,18.8,85.1z"></path> <polygon fill="currentColor" points="45.7,48.7 51.3,54.3 77.2,28.5 77.2,37.2 85.2,37.2 85.2,14.9 62.8,14.9 62.8,22.9 71.5,22.9"></polygon></svg></a></div><div class="nav-item"><div class="dropdown-wrapper"><a class="dropdown-title"><span class="title">Languages</span> <span class="arrow right"></span></a> <ul class="nav-dropdown" style="display:none;"><li class="dropdown-item"><!----> <a href="/guide/xss.html" class="nav-link router-link-exact-active router-link-active">简体中文</a></li><li class="dropdown-item"><!----> <a href="/en/guide/xss.html" class="nav-link">English</a></li></ul></div></div> <a href="https://github.com/geekidea/spring-boot-plus" target="_blank" rel="noopener noreferrer" class="repo-link">
GitHub
<svg xmlns="http://www.w3.org/2000/svg" aria-hidden="true" x="0px" y="0px" viewBox="0 0 100 100" width="15" height="15" class="icon outbound"><path fill="currentColor" d="M18.8,85.1h56l0,0c2.2,0,4-1.8,4-4v-32h-8v28h-48v-48h28v-8h-32l0,0c-2.2,0-4,1.8-4,4v56C14.8,83.3,16.6,85.1,18.8,85.1z"></path> <polygon fill="currentColor" points="45.7,48.7 51.3,54.3 77.2,28.5 77.2,37.2 85.2,37.2 85.2,14.9 62.8,14.9 62.8,22.9 71.5,22.9"></polygon></svg></a></nav> <ul class="sidebar-links"><li><section class="sidebar-group depth-0"><p class="sidebar-heading"><span>快速入门</span> <!----></p> <ul class="sidebar-links sidebar-group-items"><li><a href="/guide/" class="sidebar-link">简介</a></li><li><a href="/guide/quick-start.html" class="sidebar-link">快速开始</a></li><li><a href="/guide/project-config.html" class="sidebar-link">配置文件</a></li><li><a href="/guide/tree.html" class="sidebar-link">目录结构</a></li><li><a href="/guide/deploy.html" class="sidebar-link">运维部署</a></li></ul></section></li><li><section class="sidebar-group depth-0"><p class="sidebar-heading open"><span>核心功能</span> <!----></p> <ul class="sidebar-links sidebar-group-items"><li><a href="/guide/generator.html" class="sidebar-link">生成CRUD代码</a></li><li><a href="/guide/springbootadmin.html" class="sidebar-link">Spring Boot Admin</a></li><li><a href="/guide/centos-deploy.html" class="sidebar-link">CentOS发布</a></li><li><a href="/guide/upload-download-resource.html" class="sidebar-link">文件上传/下载/静态资源访问</a></li><li><a href="/guide/shiro-jwt.html" class="sidebar-link">Shiro+JWT权限管理</a></li><li><a href="/guide/rbac.html" class="sidebar-link">RBAC用户角色权限</a></li><li><a href="/guide/cors.html" class="sidebar-link">CORS跨域处理</a></li><li><a href="/guide/xss.html" class="active sidebar-link">XSS跨站脚本攻击处理</a><ul class="sidebar-sub-headers"><li class="sidebar-sub-header"><a href="/guide/xss.html#处理方法" class="sidebar-link">处理方法</a></li><li class="sidebar-sub-header"><a href="/guide/xss.html#后台处理" class="sidebar-link">后台处理</a></li><li 
class="sidebar-sub-header"><a href="/guide/xss.html#总结" class="sidebar-link">总结</a></li></ul></li></ul></section></li><li><section class="sidebar-group depth-0"><p class="sidebar-heading"><span>FAQ</span> <!----></p> <ul class="sidebar-links sidebar-group-items"><li><a href="/guide/faq.html" class="sidebar-link">FAQ</a></li><li><a href="/guide/idea-spring-boot-plus.html" class="sidebar-link">IDEA导入spring-boot-plus</a></li><li><a href="/guide/eclipse-spring-boot-plus.html" class="sidebar-link">Eclipse导入spring-boot-plus</a></li><li><a href="/guide/swagger-scan-package.html" class="sidebar-link">Swagger扫描多个包</a></li><li><a href="/guide/oracle.html" class="sidebar-link">spring-boot-plus使用Oracle配置</a></li><li><a href="/guide/sqlserver.html" class="sidebar-link">spring-boot-plus使用SQLServer配置</a></li><li><a href="/guide/contact.html" class="sidebar-link">QQ技术交流群</a></li><li><a href="/guide/donate.html" class="sidebar-link">赞赏支持</a></li></ul></section></li></ul> </aside> <main class="page"> <div class="theme-default-content content__default"><h1 id="xss跨站脚本攻击处理"><a href="#xss跨站脚本攻击处理" aria-hidden="true" class="header-anchor">#</a> XSS跨站脚本攻击处理</h1> <blockquote><p>XSS:Cross Site Scripting</p></blockquote> <ul><li>跨站脚本攻击(XSS),是目前最普遍的Web应用安全漏洞。这类漏洞能够使得攻击者嵌入恶意脚本代码到正常用户会访问到的页面中,当正常用户访问该页面时,则可导致嵌入的恶意脚本代码的执行,从而达到恶意攻击用户的目的。</li></ul> <h2 id="处理方法"><a href="#处理方法" aria-hidden="true" class="header-anchor">#</a> 处理方法</h2> <blockquote><p>将参数中的特殊字符进行转换</p></blockquote> <ul><li>例如 input参数值,用户输入为:</li></ul> <div class="language-text extra-class"><pre class="language-text"><code><script>alert(1);</script>
</code></pre></div><ul><li>处理后为:</li></ul> <div class="language-text extra-class"><pre class="language-text"><code>&lt;script&gt;alert(1);&lt;/script&gt;
</code></pre></div><h2 id="后台处理"><a href="#后台处理" aria-hidden="true" class="header-anchor">#</a> 后台处理</h2> <h3 id="pom-xml依赖"><a href="#pom-xml依赖" aria-hidden="true" class="header-anchor">#</a> pom.xml依赖</h3> <blockquote><p>使用 <code>commons-text</code>包中的<code>StringEscapeUtils.escapeHtml4();</code>方法</p></blockquote> <div class="language-xml extra-class"><pre class="language-xml"><code><span class="token tag"><span class="token tag"><span class="token punctuation"><</span>dependency</span><span class="token punctuation">></span></span>
<span class="token tag"><span class="token tag"><span class="token punctuation"><</span>groupId</span><span class="token punctuation">></span></span>org.apache.commons<span class="token tag"><span class="token tag"><span class="token punctuation"></</span>groupId</span><span class="token punctuation">></span></span>
<span class="token tag"><span class="token tag"><span class="token punctuation"><</span>artifactId</span><span class="token punctuation">></span></span>commons-text<span class="token tag"><span class="token tag"><span class="token punctuation"></</span>artifactId</span><span class="token punctuation">></span></span>
<span class="token tag"><span class="token tag"><span class="token punctuation"><</span>version</span><span class="token punctuation">></span></span>1.8<span class="token tag"><span class="token tag"><span class="token punctuation"></</span>version</span><span class="token punctuation">></span></span>
<span class="token tag"><span class="token tag"><span class="token punctuation"></</span>dependency</span><span class="token punctuation">></span></span>
</code></pre></div><h3 id="xsshttpservletrequestwrapper"><a href="#xsshttpservletrequestwrapper" aria-hidden="true" class="header-anchor">#</a> XssHttpServletRequestWrapper</h3> <blockquote><p>对<code>HttpServletRequest</code> 对象的请求参数进行转义处理;本示例只重写了 <code>getQueryString</code>、<code>getParameter</code> 和 <code>getParameterValues</code> 三个方法,通过其他方式(如 <code>getParameterMap</code>、请求头)读取到的值不会经过转义</p></blockquote> <div class="language-java extra-class"><pre class="language-java"><code><span class="token keyword">public</span> <span class="token keyword">class</span> <span class="token class-name">XssHttpServletRequestWrapper</span> <span class="token keyword">extends</span> <span class="token class-name">HttpServletRequestWrapper</span> <span class="token punctuation">{</span>
<span class="token keyword">public</span> <span class="token class-name">XssHttpServletRequestWrapper</span><span class="token punctuation">(</span><span class="token class-name">HttpServletRequest</span> request<span class="token punctuation">)</span> <span class="token punctuation">{</span>
<span class="token keyword">super</span><span class="token punctuation">(</span>request<span class="token punctuation">)</span><span class="token punctuation">;</span>
<span class="token punctuation">}</span>
<span class="token annotation punctuation">@Override</span>
<span class="token keyword">public</span> <span class="token class-name">String</span> <span class="token function">getQueryString</span><span class="token punctuation">(</span><span class="token punctuation">)</span> <span class="token punctuation">{</span>
<span class="token keyword">return</span> <span class="token class-name">StringEscapeUtils</span><span class="token punctuation">.</span><span class="token function">escapeHtml4</span><span class="token punctuation">(</span><span class="token keyword">super</span><span class="token punctuation">.</span><span class="token function">getQueryString</span><span class="token punctuation">(</span><span class="token punctuation">)</span><span class="token punctuation">)</span><span class="token punctuation">;</span>
<span class="token punctuation">}</span>
<span class="token annotation punctuation">@Override</span>
<span class="token keyword">public</span> <span class="token class-name">String</span> <span class="token function">getParameter</span><span class="token punctuation">(</span><span class="token class-name">String</span> name<span class="token punctuation">)</span> <span class="token punctuation">{</span>
<span class="token keyword">return</span> <span class="token class-name">StringEscapeUtils</span><span class="token punctuation">.</span><span class="token function">escapeHtml4</span><span class="token punctuation">(</span><span class="token keyword">super</span><span class="token punctuation">.</span><span class="token function">getParameter</span><span class="token punctuation">(</span>name<span class="token punctuation">)</span><span class="token punctuation">)</span><span class="token punctuation">;</span>
<span class="token punctuation">}</span>
<span class="token annotation punctuation">@Override</span>
<span class="token keyword">public</span> <span class="token class-name">String</span><span class="token punctuation">[</span><span class="token punctuation">]</span> <span class="token function">getParameterValues</span><span class="token punctuation">(</span><span class="token class-name">String</span> name<span class="token punctuation">)</span> <span class="token punctuation">{</span>
<span class="token class-name">String</span><span class="token punctuation">[</span><span class="token punctuation">]</span> values <span class="token operator">=</span> <span class="token keyword">super</span><span class="token punctuation">.</span><span class="token function">getParameterValues</span><span class="token punctuation">(</span>name<span class="token punctuation">)</span><span class="token punctuation">;</span>
<span class="token keyword">if</span> <span class="token punctuation">(</span><span class="token class-name">ArrayUtils</span><span class="token punctuation">.</span><span class="token function">isEmpty</span><span class="token punctuation">(</span>values<span class="token punctuation">)</span><span class="token punctuation">)</span> <span class="token punctuation">{</span>
<span class="token keyword">return</span> values<span class="token punctuation">;</span>
<span class="token punctuation">}</span>
<span class="token keyword">int</span> length <span class="token operator">=</span> values<span class="token punctuation">.</span>length<span class="token punctuation">;</span>
<span class="token class-name">String</span><span class="token punctuation">[</span><span class="token punctuation">]</span> escapeValues <span class="token operator">=</span> <span class="token keyword">new</span> <span class="token class-name">String</span><span class="token punctuation">[</span>length<span class="token punctuation">]</span><span class="token punctuation">;</span>
<span class="token keyword">for</span> <span class="token punctuation">(</span><span class="token keyword">int</span> i <span class="token operator">=</span> <span class="token number">0</span><span class="token punctuation">;</span> i <span class="token operator"><</span> length<span class="token punctuation">;</span> i<span class="token operator">++</span><span class="token punctuation">)</span> <span class="token punctuation">{</span>
escapeValues<span class="token punctuation">[</span>i<span class="token punctuation">]</span> <span class="token operator">=</span> <span class="token class-name">StringEscapeUtils</span><span class="token punctuation">.</span><span class="token function">escapeHtml4</span><span class="token punctuation">(</span>values<span class="token punctuation">[</span>i<span class="token punctuation">]</span><span class="token punctuation">)</span><span class="token punctuation">;</span>
<span class="token punctuation">}</span>
<span class="token keyword">return</span> escapeValues<span class="token punctuation">;</span>
<span class="token punctuation">}</span>
<span class="token punctuation">}</span>
</code></pre></div><h3 id="xssfilter"><a href="#xssfilter" aria-hidden="true" class="header-anchor">#</a> XssFilter</h3> <blockquote><p>使用<code>WebFilter</code>注解拦截所有请求(<code>urlPatterns = "/*"</code>),并用<code>XssHttpServletRequestWrapper</code>包装请求对象后再交给过滤器链,使后续读取到的请求参数经过转义</p></blockquote> <div class="language-java extra-class"><pre class="language-java"><code><span class="token annotation punctuation">@Slf4j</span>
<span class="token annotation punctuation">@WebFilter</span><span class="token punctuation">(</span>filterName <span class="token operator">=</span> <span class="token string">"xssFilter"</span><span class="token punctuation">,</span> urlPatterns <span class="token operator">=</span> <span class="token string">"/*"</span><span class="token punctuation">,</span> asyncSupported <span class="token operator">=</span> <span class="token boolean">true</span><span class="token punctuation">)</span>
<span class="token keyword">public</span> <span class="token keyword">class</span> <span class="token class-name">XssFilter</span> <span class="token keyword">implements</span> <span class="token class-name">Filter</span> <span class="token punctuation">{</span>
<span class="token annotation punctuation">@Override</span>
<span class="token keyword">public</span> <span class="token keyword">void</span> <span class="token function">doFilter</span><span class="token punctuation">(</span><span class="token class-name">ServletRequest</span> servletRequest<span class="token punctuation">,</span> <span class="token class-name">ServletResponse</span> servletResponse<span class="token punctuation">,</span> <span class="token class-name">FilterChain</span> filterChain<span class="token punctuation">)</span> <span class="token keyword">throws</span> <span class="token class-name">IOException</span><span class="token punctuation">,</span> <span class="token class-name">ServletException</span> <span class="token punctuation">{</span>
<span class="token class-name">HttpServletRequest</span> request <span class="token operator">=</span> <span class="token punctuation">(</span><span class="token class-name">HttpServletRequest</span><span class="token punctuation">)</span> servletRequest<span class="token punctuation">;</span>
<span class="token class-name">XssHttpServletRequestWrapper</span> xssHttpServletRequestWrapper <span class="token operator">=</span> <span class="token keyword">new</span> <span class="token class-name">XssHttpServletRequestWrapper</span><span class="token punctuation">(</span>request<span class="token punctuation">)</span><span class="token punctuation">;</span>
filterChain<span class="token punctuation">.</span><span class="token function">doFilter</span><span class="token punctuation">(</span>xssHttpServletRequestWrapper<span class="token punctuation">,</span> servletResponse<span class="token punctuation">)</span><span class="token punctuation">;</span>
<span class="token punctuation">}</span>
<span class="token punctuation">}</span>
</code></pre></div><h3 id="启动类添加-servletcomponentscan注解"><a href="#启动类添加-servletcomponentscan注解" aria-hidden="true" class="header-anchor">#</a> 启动类添加@ServletComponentScan注解</h3> <blockquote><p>扫描使用servlet注解的类,启用 XssFilter</p></blockquote> <div class="language-java extra-class"><pre class="language-java"><code><span class="token annotation punctuation">@ServletComponentScan</span>
</code></pre></div><h3 id="json字符串请求参数处理"><a href="#json字符串请求参数处理" aria-hidden="true" class="header-anchor">#</a> JSON字符串请求参数处理</h3> <blockquote><p>实现Jackson反序列化方法,将参数值转义处理</p></blockquote> <div class="language-java extra-class"><pre class="language-java"><code><span class="token keyword">public</span> <span class="token keyword">class</span> <span class="token class-name">XssJacksonDeserializer</span> <span class="token keyword">extends</span> <span class="token class-name">JsonDeserializer</span><span class="token generics"><span class="token punctuation"><</span><span class="token class-name">String</span><span class="token punctuation">></span></span> <span class="token punctuation">{</span>
<span class="token annotation punctuation">@Override</span>
<span class="token keyword">public</span> <span class="token class-name">String</span> <span class="token function">deserialize</span><span class="token punctuation">(</span><span class="token class-name">JsonParser</span> jsonParser<span class="token punctuation">,</span> <span class="token class-name">DeserializationContext</span> deserializationContext<span class="token punctuation">)</span> <span class="token keyword">throws</span> <span class="token class-name">IOException</span><span class="token punctuation">,</span> <span class="token class-name">JsonProcessingException</span> <span class="token punctuation">{</span>
<span class="token keyword">return</span> <span class="token class-name">StringEscapeUtils</span><span class="token punctuation">.</span><span class="token function">escapeHtml4</span><span class="token punctuation">(</span>jsonParser<span class="token punctuation">.</span><span class="token function">getText</span><span class="token punctuation">(</span><span class="token punctuation">)</span><span class="token punctuation">)</span><span class="token punctuation">;</span>
<span class="token punctuation">}</span>
<span class="token punctuation">}</span>
</code></pre></div><h3 id="json字符串响应结果处理"><a href="#json字符串响应结果处理" aria-hidden="true" class="header-anchor">#</a> JSON字符串响应结果处理</h3> <blockquote><p>实现Jackson序列化方法,将参数值转义处理</p></blockquote> <div class="language-java extra-class"><pre class="language-java"><code><span class="token annotation punctuation">@Slf4j</span>
<span class="token keyword">public</span> <span class="token keyword">class</span> <span class="token class-name">XssJacksonSerializer</span> <span class="token keyword">extends</span> <span class="token class-name">JsonSerializer</span><span class="token generics"><span class="token punctuation"><</span><span class="token class-name">String</span><span class="token punctuation">></span></span> <span class="token punctuation">{</span>
<span class="token annotation punctuation">@Override</span>
<span class="token keyword">public</span> <span class="token keyword">void</span> <span class="token function">serialize</span><span class="token punctuation">(</span><span class="token class-name">String</span> s<span class="token punctuation">,</span> <span class="token class-name">JsonGenerator</span> jsonGenerator<span class="token punctuation">,</span> <span class="token class-name">SerializerProvider</span> serializerProvider<span class="token punctuation">)</span> <span class="token keyword">throws</span> <span class="token class-name">IOException</span> <span class="token punctuation">{</span>
jsonGenerator<span class="token punctuation">.</span><span class="token function">writeString</span><span class="token punctuation">(</span><span class="token class-name">StringEscapeUtils</span><span class="token punctuation">.</span><span class="token function">escapeHtml4</span><span class="token punctuation">(</span>s<span class="token punctuation">)</span><span class="token punctuation">)</span><span class="token punctuation">;</span>
<span class="token punctuation">}</span>
<span class="token punctuation">}</span>
</code></pre></div><h3 id="重点,jackson配置xss"><a href="#重点,jackson配置xss" aria-hidden="true" class="header-anchor">#</a> 重点,Jackson配置Xss</h3> <div class="language-java extra-class"><pre class="language-java"><code><span class="token annotation punctuation">@Configuration</span>
<span class="token keyword">public</span> <span class="token keyword">class</span> <span class="token class-name">JacksonConfig</span> <span class="token keyword">implements</span> <span class="token class-name">WebMvcConfigurer</span> <span class="token punctuation">{</span>
<span class="token annotation punctuation">@Override</span>
<span class="token keyword">public</span> <span class="token keyword">void</span> <span class="token function">extendMessageConverters</span><span class="token punctuation">(</span><span class="token class-name">List</span><span class="token generics"><span class="token punctuation"><</span><span class="token class-name">HttpMessageConverter</span><span class="token punctuation"><</span><span class="token operator">?</span><span class="token punctuation">></span><span class="token punctuation">></span></span> converters<span class="token punctuation">)</span> <span class="token punctuation">{</span>
<span class="token comment">// code...</span>
<span class="token comment">// XSS序列化</span>
simpleModule<span class="token punctuation">.</span><span class="token function">addSerializer</span><span class="token punctuation">(</span><span class="token class-name">String</span><span class="token punctuation">.</span><span class="token keyword">class</span><span class="token punctuation">,</span> <span class="token keyword">new</span> <span class="token class-name">XssJacksonSerializer</span><span class="token punctuation">(</span><span class="token punctuation">)</span><span class="token punctuation">)</span><span class="token punctuation">;</span>
simpleModule<span class="token punctuation">.</span><span class="token function">addDeserializer</span><span class="token punctuation">(</span><span class="token class-name">String</span><span class="token punctuation">.</span><span class="token keyword">class</span><span class="token punctuation">,</span> <span class="token keyword">new</span> <span class="token class-name">XssJacksonDeserializer</span><span class="token punctuation">(</span><span class="token punctuation">)</span><span class="token punctuation">)</span><span class="token punctuation">;</span>
<span class="token comment">// code...</span>
<span class="token punctuation">}</span>
<span class="token punctuation">}</span>
</code></pre></div><h2 id="总结"><a href="#总结" aria-hidden="true" class="header-anchor">#</a> 总结</h2> <blockquote><p>实现字符串转义的核心方法:</p></blockquote> <ul><li><code>org.apache.commons.text.StringEscapeUtils</code></li></ul> <p>注意:<code>escapeHtml4</code> 只覆盖 HTML 文本内容上下文(转义 <code>&lt;</code>、<code>&gt;</code>、<code>&amp;</code>、<code>&quot;</code>,不转义单引号),无法防御注入到 HTML 属性、JavaScript、URL 或 CSS 上下文中的载荷;更稳妥的做法是在模板渲染输出时按上下文编码,并配合 Content-Security-Policy。此外,在 JSON 入参阶段统一转义会改变持久化的数据(如 <code>a &amp;&amp; b</code> 会被存为 <code>a &amp;amp;&amp;amp; b</code>),需评估对非 HTML 消费方的影响。</p> <div class="language-java extra-class"><pre class="language-java"><code><span class="token class-name">StringEscapeUtils</span><span class="token punctuation">.</span><span class="token function">escapeHtml4</span><span class="token punctuation">(</span><span class="token punctuation">)</span><span class="token punctuation">;</span>
</code></pre></div></div> <footer class="page-edit"><div class="edit-link"><a href="https://github.com/geekidea/spring-boot-plus-doc/edit/master/guide/xss.md" target="_blank" rel="noopener noreferrer">在 GitHub 上编辑此页</a> <svg xmlns="http://www.w3.org/2000/svg" aria-hidden="true" x="0px" y="0px" viewBox="0 0 100 100" width="15" height="15" class="icon outbound"><path fill="currentColor" d="M18.8,85.1h56l0,0c2.2,0,4-1.8,4-4v-32h-8v28h-48v-48h28v-8h-32l0,0c-2.2,0-4,1.8-4,4v56C14.8,83.3,16.6,85.1,18.8,85.1z"></path> <polygon fill="currentColor" points="45.7,48.7 51.3,54.3 77.2,28.5 77.2,37.2 85.2,37.2 85.2,14.9 62.8,14.9 62.8,22.9 71.5,22.9"></polygon></svg></div> <!----></footer> <div class="page-nav"><p class="inner"><span class="prev">
</span></p></div> </main></div><div class="global-ui"></div></div>
<script src="/assets/js/app.db17a95a.js" defer></script><script src="/assets/js/2.6d1275ea.js" defer></script><script src="/assets/js/60.9ac1ad41.js" defer></script>
</body>
</html>