0. Note: this approach only covers parameters that the controller binds by name (for example @RequestParam arguments), because the request wrapper below overrides getParameterValues only. Values that handler code reads directly from HttpServletRequest (getParameter / getParameterMap) are not touched. A typical case is firmware upload, where the handler pulls its parameters straight out of the request and therefore receives them unvalidated.
1. The problems
- Leading and trailing whitespace
- Illegal (hidden control) characters
- XSS injection
2. Where the bad input comes from
- Parameters submitted from HTML pages
- Parameters submitted by the mobile app
- Excel data import
3. Handling it
Submitted parameters can be cleaned centrally in a servlet filter; data from Excel imports is cleaned while the Excel document is being parsed.
3.1 Wrap the illegal-character handling in one method
    import java.util.regex.Pattern;
    import org.apache.commons.lang3.StringUtils;   // commons-lang3, as used by the filter below
    import org.springframework.web.util.HtmlUtils;
    import org.springframework.web.util.JavaScriptUtils;

    public class StringUtil {

        // \s already matches space, \t, \n, \x0B, \f and \r, so listing them again is redundant
        private static final Pattern WHITESPACE = Pattern.compile("\\s");

        public static String handleIllegalCharacter(String s) {
            if (StringUtils.isEmpty(s)) {
                return s;
            }
            // Leading and trailing whitespace
            s = s.trim();
            // Remove all remaining whitespace: space, line feed \n, tab \t, carriage return \r
            // (interior spaces are removed as well, see the caveat below)
            s = WHITESPACE.matcher(s).replaceAll("");
            // Unicode bidirectional formatting controls that show up in Excel imports:
            // U+202C POP DIRECTIONAL FORMATTING, U+202D LEFT-TO-RIGHT OVERRIDE, U+202E RIGHT-TO-LEFT OVERRIDE
            s = s.replace("\u202C", "").replace("\u202D", "").replace("\u202E", "");
            s = HtmlUtils.htmlEscape(s, "UTF-8");
            s = JavaScriptUtils.javaScriptEscape(s);
            return s;
        }
    }
\u202C, \u202D and \u202E are Unicode bidirectional formatting control characters (POP DIRECTIONAL FORMATTING, LEFT-TO-RIGHT OVERRIDE and RIGHT-TO-LEFT OVERRIDE). They turn up in cells of imported Excel documents and are never legitimate data; an override character also lets an attacker make a file name or string display in reversed order. HtmlUtils.htmlEscape(String input, String encoding) and JavaScriptUtils.javaScriptEscape(String input) come from spring-web (org.springframework.web.util). Two caveats: the regex strips interior whitespace as well, so "John Smith" becomes "JohnSmith", which is only acceptable for fields that never contain spaces; and escaping for HTML and then for JavaScript at input time means the stored value is already encoded (javaScriptEscape also backslash-escapes quotes, backslashes and forward slashes, so URLs and paths are stored altered). A view layer that escapes again on output will then render "&lt;" literally, so make sure escaping happens in exactly one place.
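The three hard-coded characters above are a subset of a larger class. The following is an added example, not code from the original page, that generalizes the character-stripping step: instead of matching U+202C, U+202D and U+202E individually it drops every code point in Unicode general category Cf (which contains all bidi controls, zero-width characters and the byte-order mark) and every whitespace character including U+00A0 NO-BREAK SPACE, which neither String.trim() nor the regex \s removes. The class name and the sample strings in main() are constructed for the example.

```java
import java.util.ArrayList;
import java.util.List;

public final class HiddenCharacterStripper {

    private HiddenCharacterStripper() {
    }

    /**
     * True for any code point this class removes: whitespace (Character.isWhitespace covers
     * \t \n \r and friends, Character.isSpaceChar covers U+00A0 and the other Zs characters
     * that trim() and \s leave in place) and every Unicode "format" character (category Cf).
     * Cf contains the page's three characters (U+202C PDF, U+202D LRO, U+202E RLO), the rest
     * of the bidi controls U+202A..U+202E and U+2066..U+2069, the zero-width characters
     * U+200B..U+200D and the byte-order mark U+FEFF.
     */
    public static boolean isHidden(int codePoint) {
        return Character.isWhitespace(codePoint)
                || Character.isSpaceChar(codePoint)
                || Character.getType(codePoint) == Character.FORMAT;
    }

    /**
     * Strips every hidden code point. Like the page's handleIllegalCharacter this removes
     * interior whitespace too, not only leading and trailing whitespace.
     */
    public static String strip(String s) {
        if (s == null || s.isEmpty()) {
            return s;
        }
        StringBuilder out = new StringBuilder(s.length());
        s.codePoints().filter(cp -> !isHidden(cp)).forEach(out::appendCodePoint);
        return out.toString();
    }

    /** Lists the hidden code points found (as U+XXXX), for logging or for rejecting the input outright. */
    public static List<String> findHidden(String s) {
        List<String> found = new ArrayList<>();
        if (s != null) {
            s.codePoints().filter(HiddenCharacterStripper::isHidden)
                    .forEach(cp -> found.add(String.format("U+%04X", cp)));
        }
        return found;
    }

    public static void main(String[] args) {
        // Constructed samples, not values taken from a real import.
        String[] samples = {
                " plain text ",
                "update\u202Egpj.exe",      // RLO makes the name display as "updateexe.jpg"
                "admin\u200Bistrator",      // zero-width space hidden inside a user name
                "\u00A0 42 \u00A0",         // NBSP around a number, survives trim()
                "\uFEFFserial-001"          // BOM at the start of a cell
        };
        for (String sample : samples) {
            System.out.println(findHidden(sample) + " -> \"" + strip(sample) + "\"");
        }
    }
}
```

findHidden() is there so the import code can log or reject a row that carried control characters instead of silently cleaning it; for a firmware or user-management import, silent cleaning hides an attempted homoglyph or reversed-name attack from the operator.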
3.2 Clean submitted parameters in a filter
All submitted parameters are cleaned in a filter that wraps the request:
    package com.bugull.farm.core.filter;

    import com.bugull.farm.core.utils.StringUtil;
    import org.apache.commons.lang3.ArrayUtils;
    import org.springframework.web.filter.OncePerRequestFilter;

    import javax.servlet.FilterChain;
    import javax.servlet.ServletException;
    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpServletRequestWrapper;
    import javax.servlet.http.HttpServletResponse;
    import java.io.IOException;

    /**
     * Wraps every request so that parameter values are cleaned before the controller sees them.
     *
     * @author wangdi
     * @date 2017/12/19
     */
    public class EmptyStringTrimFilter extends OncePerRequestFilter {

        @Override
        protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain)
                throws IOException, ServletException {
            filterChain.doFilter(new TrimEmptyStringRequest(request), response);
        }

        private String trimEmptyString(String value) {
            return StringUtil.handleIllegalCharacter(value);
        }

        /**
         * Request wrapper that cleans parameter values. Only getParameterValues is overridden,
         * which is the path Spring's named-parameter binding uses; getParameter(name) and
         * getParameterMap() are not, hence the limitation described in the note at the top.
         */
        class TrimEmptyStringRequest extends HttpServletRequestWrapper {

            /**
             * Constructs a request object wrapping the given request.
             *
             * @param request the request to wrap
             * @throws IllegalArgumentException if the request is null
             */
            public TrimEmptyStringRequest(HttpServletRequest request) {
                super(request);
            }

            @Override
            public String[] getParameterValues(String name) {
                String[] parameterValues = super.getParameterValues(name);
                if (ArrayUtils.isNotEmpty(parameterValues)) {
                    for (int i = 0; i < parameterValues.length; i++) {
                        parameterValues[i] = trimEmptyString(parameterValues[i]);
                    }
                }
                return parameterValues;
            }
        }
    }
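To close the gap described in the note at the top, the wrapper has to cover every read path the Servlet API offers. The following is an added example, not the page's own filter: a wrapper that overrides getParameter, getParameterValues and getParameterMap, copies arrays instead of mutating the ones the container hands out, and reuses the page's StringUtil.handleIllegalCharacter from section 3.1 (assumed to be on the classpath). The class name is chosen for the example; main() uses spring-test's MockHttpServletRequest with constructed input so the class can be exercised without a container.

```java
package com.bugull.farm.core.filter;

import com.bugull.farm.core.utils.StringUtil;               // the page's sanitizer from section 3.1
import org.springframework.mock.web.MockHttpServletRequest;  // spring-test, only needed by main()

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import java.util.Collections;
import java.util.LinkedHashMap;
import java.util.Map;

/**
 * Cleans parameters on all three Servlet API read paths, so handler code that calls
 * request.getParameter(...) directly (the upload-handler case) is covered as well.
 */
public class SanitizingRequest extends HttpServletRequestWrapper {

    public SanitizingRequest(HttpServletRequest request) {
        super(request);
    }

    @Override
    public String getParameter(String name) {
        // Must not call super.getParameter(): the wrapped request resolves it internally
        // and would return the raw value. Route through our own getParameterValues instead.
        String[] values = getParameterValues(name);
        return (values == null || values.length == 0) ? null : values[0];
    }

    @Override
    public String[] getParameterValues(String name) {
        return clean(super.getParameterValues(name));
    }

    @Override
    public Map<String, String[]> getParameterMap() {
        // Build a fresh map; the container's map is unmodifiable and may be shared.
        Map<String, String[]> cleaned = new LinkedHashMap<>();
        for (Map.Entry<String, String[]> e : super.getParameterMap().entrySet()) {
            cleaned.put(e.getKey(), clean(e.getValue()));
        }
        return Collections.unmodifiableMap(cleaned);
    }

    private static String[] clean(String[] values) {
        if (values == null) {
            return null;
        }
        String[] out = new String[values.length];   // copy: never write into the container's array
        for (int i = 0; i < values.length; i++) {
            out[i] = StringUtil.handleIllegalCharacter(values[i]);
        }
        return out;
    }

    /** Stand-alone check with constructed parameters (requires spring-test). */
    public static void main(String[] args) {
        MockHttpServletRequest raw = new MockHttpServletRequest("POST", "/firmware/upload");
        raw.setParameter("version", "  1.2.3\u202E ");
        raw.setParameter("note", "<script>alert(1)</script>");
        HttpServletRequest req = new SanitizingRequest(raw);
        // All three read paths now return the cleaned value
        System.out.println(req.getParameter("version"));
        System.out.println(req.getParameterValues("version")[0]);
        System.out.println(req.getParameterMap().get("note")[0]);
    }
}
```

Use it in doFilterInternal in place of TrimEmptyStringRequest. Note that it still does not cover request bodies: JSON posted to a @RequestBody controller and multipart form fields parsed by a MultipartResolver never pass through these methods, so those paths need their own validation.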
3.2.1 Configure the filter in web.xml
The filter-class must match the package declared in the source above (com.bugull.farm.core.filter):

    <filter>
        <filter-name>emptyStringTrimFilter</filter-name>
        <filter-class>com.bugull.farm.core.filter.EmptyStringTrimFilter</filter-class>
    </filter>
    <filter-mapping>
        <filter-name>emptyStringTrimFilter</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>
3.2.2 Configure the filter with Java config (Spring Boot)

    import com.bugull.farm.core.filter.EmptyStringTrimFilter;
    import lombok.extern.log4j.Log4j2;
    import org.springframework.boot.web.servlet.FilterRegistrationBean;
    import org.springframework.context.annotation.Bean;
    import org.springframework.context.annotation.Configuration;
    import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;

    @Configuration
    @Log4j2
    public class WebConfig implements WebMvcConfigurer {

        @Bean
        public FilterRegistrationBean<EmptyStringTrimFilter> filterRegistrationBean() {
            log.info("Initializing EmptyStringTrimFilter");
            FilterRegistrationBean<EmptyStringTrimFilter> registration = new FilterRegistrationBean<>();
            registration.setFilter(new EmptyStringTrimFilter());
            registration.addUrlPatterns("/*");
            registration.setName("emptyStringTrimFilter");
            return registration;
        }
    }
3.3 Excel document handling
When parsing an Excel document, pass every cell value through the same StringUtil.handleIllegalCharacter(String s) method before it reaches business code.
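As an added example, not the page's own import code, here is where that call goes in an Apache POI reader (assumes poi and poi-ooxml 4.x or later on the classpath and the StringUtil class from section 3.1). The class name and method are chosen for the example.

```java
package com.bugull.farm.core.utils;

import org.apache.poi.ss.usermodel.Cell;
import org.apache.poi.ss.usermodel.DataFormatter;
import org.apache.poi.ss.usermodel.Row;
import org.apache.poi.ss.usermodel.Sheet;
import org.apache.poi.ss.usermodel.Workbook;
import org.apache.poi.ss.usermodel.WorkbookFactory;

import java.io.IOException;
import java.io.InputStream;
import java.util.ArrayList;
import java.util.List;

public final class ExcelImportReader {

    private ExcelImportReader() {
    }

    /**
     * Reads one sheet into a list of rows, passing every cell through the sanitizer
     * from section 3.1 before the row is handed to business code.
     */
    public static List<List<String>> readSanitized(InputStream in, int sheetIndex) throws IOException {
        // DataFormatter renders numeric, date and formula cells as the text the user sees,
        // so there is no getStringCellValue() exception on non-string cells.
        DataFormatter formatter = new DataFormatter();
        List<List<String>> rows = new ArrayList<>();
        try (Workbook workbook = WorkbookFactory.create(in)) {   // detects .xls and .xlsx
            Sheet sheet = workbook.getSheetAt(sheetIndex);
            for (Row row : sheet) {
                List<String> cells = new ArrayList<>();
                short last = row.getLastCellNum();               // -1 for an empty row
                for (int c = 0; c < last; c++) {
                    Cell cell = row.getCell(c, Row.MissingCellPolicy.RETURN_BLANK_AS_NULL);
                    String raw = cell == null ? "" : formatter.formatCellValue(cell);
                    cells.add(StringUtil.handleIllegalCharacter(raw));
                }
                rows.add(cells);
            }
        }
        return rows;
    }
}
```

Cleaning at this single point means the bidi override characters described in 3.1 never reach the database, whichever upload endpoint delivered the file.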