Contents
- Preventing XSS attacks: there are generally two approaches, escaping and filtering
- Three implementations of the escaping approach:
  - Escaping method one: register a custom converter
  - Escaping method two: BaseController
  - Escaping method three: Converter
In day-to-day project development it is easy to overlook protection against XSS attacks. Many articles online implement XSS filtering with a custom global interceptor, but that much effort is unnecessary: Spring Boot leaves plenty of hooks (extension points), and with them we can implement global XSS filtering quite neatly.
Filtering
Remove the sensitive (dangerous) tags from the input.
jsoup implements a very capable clean function for stripping such tags.
Escaping method one: a custom converter, implemented by extending the PropertyEditorSupport class. A converter of this kind can also perform data-format conversion, for example converting dates:
import java.beans.PropertyEditorSupport;
import java.util.Date;
import java.util.regex.Pattern;

import org.joda.time.DateTime;
import org.joda.time.format.DateTimeFormat;

import cn.hutool.core.util.StrUtil;

// Custom Date editor that accepts several digit-only layouts.
// Not declared as a singleton bean: PropertyEditorSupport keeps the converted value in a field,
// so one instance shared between concurrent requests is not thread-safe. Create a new instance
// per WebDataBinder (see the initializer below).
public class DateEditor extends PropertyEditorSupport {

    private static final Pattern NON_DIGIT = Pattern.compile("[^0-9]");

    @Override
    public void setAsText(String text) throws IllegalArgumentException {
        if (StrUtil.isBlank(text)) {
            return;
        }
        // Keep only the digits, then choose the layout by the remaining length
        text = NON_DIGIT.matcher(text.trim()).replaceAll("");
        Date date;
        switch (text.length()) {
            case 14:
                date = DateTime.parse(text, DateTimeFormat.forPattern("yyyyMMddHHmmss")).toDate();
                break;
            case 12:
                date = DateTime.parse(text, DateTimeFormat.forPattern("yyyyMMddHHmm")).toDate();
                break;
            case 10:
                date = DateTime.parse(text, DateTimeFormat.forPattern("yyyyMMddHH")).toDate();
                break;
            case 8:
                date = DateTime.parse(text, DateTimeFormat.forPattern("yyyyMMdd")).toDate();
                break;
            case 6:
                date = DateTime.parse(text, DateTimeFormat.forPattern("yyyyMM")).toDate();
                break;
            case 4:
                date = DateTime.parse(text, DateTimeFormat.forPattern("yyyy")).toDate();
                break;
            default:
                // Unknown layout: leave the value unset
                return;
        }
        setValue(date);
    }
}
import java.beans.PropertyEditorSupport;

import org.springframework.web.util.HtmlUtils;

// PropertyEditor that HTML-escapes every bound String.
// Not a singleton bean, for the same thread-safety reason as DateEditor.
public class StringEscapeEditor extends PropertyEditorSupport {

    public StringEscapeEditor() {
        super();
    }

    @Override
    public String getAsText() {
        Object value = getValue();
        return value != null ? value.toString() : "";
    }

    @Override
    public void setAsText(String text) {
        if (text == null) {
            setValue(null);
        } else {
            // Escape the HTML special characters (< > & " ') so the bound value
            // can no longer be interpreted as markup when it is rendered
            setValue(HtmlUtils.htmlEscape(text.trim()));
        }
    }
}
import java.util.Date;

import org.springframework.stereotype.Component;
import org.springframework.web.bind.WebDataBinder;
import org.springframework.web.bind.support.ConfigurableWebBindingInitializer;

import lombok.extern.slf4j.Slf4j;

// Global registration of the editors. Spring Boot's WebMvcAutoConfiguration picks up a
// ConfigurableWebBindingInitializer bean and applies it to every WebDataBinder.
@Slf4j
@Component
public class CommentWebBindingInitializer extends ConfigurableWebBindingInitializer {

    @Override
    public void initBinder(WebDataBinder binder) {
        log.info("init bind editor");
        super.initBinder(binder);
        // Register the custom type converters. A fresh instance per binder:
        // PropertyEditors are stateful and must not be shared between requests.
        binder.registerCustomEditor(Date.class, new DateEditor());
        binder.registerCustomEditor(String.class, new StringEscapeEditor());
    }
}
Escaping method two: every controller that needs XSS protection must extend this BaseController.
import org.springframework.web.bind.ServletRequestDataBinder;
import org.springframework.web.bind.annotation.InitBinder;

// Per-controller registration: @InitBinder runs for every request handled by a subclass
public class BaseController {

    @InitBinder
    public void initBinder(ServletRequestDataBinder binder) {
        // New editor instance per binder (PropertyEditors are stateful)
        binder.registerCustomEditor(String.class, new StringEscapeEditor());
    }
}
import org.springframework.core.convert.converter.Converter;
import org.springframework.stereotype.Component;
import org.springframework.util.StringUtils;
import org.springframework.web.util.HtmlUtils;

// Escaping method three: a String -> String Converter. It is stateless, so unlike the
// PropertyEditor above it is safe to register as a singleton bean.
@Component
public class StringEscapeEditor implements Converter<String, String> {

    @Override
    public String convert(String s) {
        return StringUtils.isEmpty(s) ? s : HtmlUtils.htmlEscape(s);
    }
}
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.format.FormatterRegistry;
import org.springframework.web.servlet.config.annotation.CorsRegistry;
import org.springframework.web.servlet.config.annotation.InterceptorRegistry;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;

// Registers the Converter with the MVC conversion service
@Configuration
public class WebmvcConfig implements WebMvcConfigurer {

    @Autowired
    private LoginInterceptor loginInterceptor; // the project's own interceptor, not shown in this article

    @Autowired
    private StringEscapeEditor stringEscapeEditor;

    @Override
    public void addFormatters(FormatterRegistry registry) {
        // Applies to every String that passes through the DataBinder
        // (request parameters, path variables, form-backing object fields)
        registry.addConverter(stringEscapeEditor);
    }

    @Override
    public void addInterceptors(InterceptorRegistry registry) {
        // The path pattern is truncated in the original article; "/**" is a placeholder
        registry.addInterceptor(loginInterceptor)
                .addPathPatterns("/**");
    }

    @Override
    public void addCorsMappings(CorsRegistry registry) {
        // Caution: allowedOrigins("*") combined with allowCredentials(true) lets any origin make
        // credentialed requests, and Spring Framework 5.3+ rejects this combination at startup
        // (list the origins explicitly or use allowedOriginPatterns instead)
        registry.addMapping("/**")
                .allowedOrigins("*")
                .allowedMethods("GET", "POST", "PUT", "OPTIONS", "DELETE", "PATCH")
                .allowCredentials(true).maxAge(3600);
    }
}
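The filtering approach mentioned at the start (jsoup's clean function) has no listing in this article, so here is an added example, not the article's own code, of a Converter that rebuilds the input from a jsoup safelist, with a local demonstration contrasting it against the HtmlUtils.htmlEscape escaping used by the methods above. It assumes jsoup 1.14.1 or later (the Safelist class) and spring-web on the classpath; the class name XssCleanConverter is made up for this example.

```java
import org.jsoup.Jsoup;
import org.jsoup.safety.Safelist;
import org.springframework.core.convert.converter.Converter;
import org.springframework.web.util.HtmlUtils;

// Filtering as a Converter (hypothetical class name): the input is parsed as HTML and rebuilt
// from a safelist, not patched with string replacement. Stateless, so it can be a singleton
// bean and registered in addFormatters exactly like the escaping Converter.
public class XssCleanConverter implements Converter<String, String> {

    // Safelist.basic() keeps a few formatting tags (b, i, a, p, ...) and only http/https/ftp/mailto
    // links; script elements, on* event attributes and javascript: URLs are dropped.
    // For fields that should never contain markup, Safelist.none() reduces the input to text.
    private static final Safelist SAFELIST = Safelist.basic();

    @Override
    public String convert(String source) {
        if (source == null || source.isEmpty()) {
            return source;
        }
        return Jsoup.clean(source, SAFELIST);
    }

    // Local demonstration on a constructed input. Filtering keeps the harmless <b>, removes the
    // <script> element and strips the javascript: href and the onclick attribute from the link.
    // Escaping keeps every character but turns the whole string into inert text (&lt;script&gt;...),
    // which is what the escaping methods above store; neither is a substitute for encoding on output.
    public static void main(String[] args) {
        String input = "<b>hello</b><script>alert(1)</script>"
                + "<a href=\"javascript:alert(2)\" onclick=\"evil()\">link</a>";

        System.out.println("filtered: " + new XssCleanConverter().convert(input));
        System.out.println("escaped:  " + HtmlUtils.htmlEscape(input));
    }
}
```

Both this Converter and the escaping methods above only see values that pass through the DataBinder (@RequestParam, @PathVariable, @ModelAttribute); a JSON body bound with @RequestBody is deserialized by Jackson and is not affected by any of them.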
Title of this article: 浅谈Springboot2.0防止XSS攻击的几种方式 (A brief look at several ways to prevent XSS attacks in Spring Boot 2.0)
Link to this article: https://lsjlt.com/news/171773.html