Preventing JS injection in Spring MVC by stripping HTML tags during data binding

The project I am working on did not take JS injection into account earlier. The plan now is to strip HTML tags on the back end while Spring binds request data, so the injection is neutralised before the value reaches the command object.

Reading the source first: most of our controllers extend MultiActionController and rely on its bind(HttpServletRequest request, Object command) method. That method calls createBinder to create a ServletRequestDataBinder, which performs the actual binding. Inside ServletRequestDataBinder, getInternalBindingResult returns the binding result, and that is where we can register our own property editor (a subclass of PropertyEditorSupport) to process the incoming parameters.

The implementation therefore has three steps:

1. Write a string-handling class that extends PropertyEditorSupport.
2. Define a custom ServletRequestDataBinder that overrides getInternalBindingResult.
3. Extend MultiActionController and override createBinder.

1. The StringEditor class

import java.beans.PropertyEditorSupport;

public class StringEditor extends PropertyEditorSupport {

    @Override
    public void setAsText(String text) throws IllegalArgumentException {
        if (text == null || (text = text.trim()).length() == 0) {
            // nothing to strip: leave the editor's current value untouched
            return;
        }
        try {
            // strip opening tags (including any attributes) and closing tags
            String str = text.replaceAll("<[a-zA-Z]+[1-9]?[^><]*>", "")
                             .replaceAll("</[a-zA-Z]+[1-9]?>", "");
            setValue(str);
        } catch (Exception e) {
            throw new IllegalArgumentException(e);
        }
    }
}


2. The CustomRequestDataBinder class

import org.springframework.beans.PropertyEditorRegistry;
import org.springframework.validation.AbstractPropertyBindingResult;
import org.springframework.web.bind.ServletRequestDataBinder;

public class CustomRequestDataBinder extends ServletRequestDataBinder {

    public CustomRequestDataBinder(Object target) {
        super(target);
    }

    public CustomRequestDataBinder(Object target, String objectName) {
        super(target, objectName);
    }

    @Override
    protected AbstractPropertyBindingResult getInternalBindingResult() {
        AbstractPropertyBindingResult bindingResult = super.getInternalBindingResult();

        // register the tag-stripping editor for every String property of the command object
        PropertyEditorRegistry registry = bindingResult.getPropertyEditorRegistry();
        registry.registerCustomEditor(String.class, new StringEditor());

        return bindingResult;
    }
}


3. The CustomMultiActionController class

import javax.servlet.http.HttpServletRequest;
import org.springframework.web.bind.ServletRequestDataBinder;
import org.springframework.web.servlet.mvc.multiaction.MultiActionController;

public class CustomMultiActionController extends MultiActionController {

    @Override
    public ServletRequestDataBinder createBinder(HttpServletRequest request, Object command) throws Exception {
        // hand out our binder instead of the default ServletRequestDataBinder
        CustomRequestDataBinder binder = new CustomRequestDataBinder(command, getCommandName(command));
        initBinder(request, binder);
        return binder;
    }
}


With this in place, any Controller that extends CustomMultiActionController has the HTML tags removed from submitted data during binding. For properties that legitimately need HTML tags, read the unconverted value with request.getParameter instead.
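As an added end-to-end check (not code from the original post), the Java class below binds a constructed form submission using the same tag-stripping rule as the post's StringEditor, registered directly on a ServletRequestDataBinder through registerCustomEditor, which is what CustomRequestDataBinder achieves via getInternalBindingResult. The names TagStripBindingDemo, CommentForm and HtmlTagStripEditor are hypothetical; the class uses MockHttpServletRequest from spring-test so it runs without a servlet container, and its editor binds empty input as null, a small deviation from the post's editor, which leaves the value untouched. It also shows the caveat a practitioner would want: the regex removes well-formed tags, but a stray '<' survives as ordinary text, so bound values must still be HTML-escaped when rendered (HtmlUtils.htmlEscape here). Stripping on input complements output encoding rather than replacing it.

```java
import java.beans.PropertyEditorSupport;

import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.web.bind.ServletRequestDataBinder;
import org.springframework.web.util.HtmlUtils;

public class TagStripBindingDemo {

    // Command bean the form parameters are bound onto (constructed for this demo).
    public static class CommentForm {
        private String title;
        private String body;

        public String getTitle() { return title; }
        public void setTitle(String title) { this.title = title; }
        public String getBody() { return body; }
        public void setBody(String body) { this.body = body; }
    }

    // Same two patterns the post's StringEditor uses; hypothetical class name.
    public static class HtmlTagStripEditor extends PropertyEditorSupport {
        private static final String OPEN_TAG = "<[a-zA-Z]+[1-9]?[^><]*>";
        private static final String CLOSE_TAG = "</[a-zA-Z]+[1-9]?>";

        @Override
        public void setAsText(String text) {
            if (text == null || (text = text.trim()).length() == 0) {
                // deviation from the post: bind empty input as null instead of keeping the old value
                setValue(null);
                return;
            }
            setValue(text.replaceAll(OPEN_TAG, "").replaceAll(CLOSE_TAG, ""));
        }
    }

    // Binds the request onto a fresh CommentForm with the tag-stripping editor active
    // for every String property, the same registration CustomRequestDataBinder performs.
    public static CommentForm bind(MockHttpServletRequest request) {
        CommentForm form = new CommentForm();
        ServletRequestDataBinder binder = new ServletRequestDataBinder(form);
        binder.registerCustomEditor(String.class, new HtmlTagStripEditor());
        binder.bind(request);
        return form;
    }

    public static void main(String[] args) {
        MockHttpServletRequest request = new MockHttpServletRequest("POST", "/comment");
        // Constructed sample input: one field carries a script tag, the other a bare '<'
        // (a comparison operator) next to a tag with an attribute.
        request.setParameter("title", "<script>alert(1)</script>Hello");
        request.setParameter("body", "1 < 2 and <b onclick=\"f()\">bold</b>");

        CommentForm form = bind(request);
        System.out.println("bound title: " + form.getTitle());
        System.out.println("bound body:  " + form.getBody());

        // What survives is data, not markup: the bare '<' must still be escaped at render time.
        System.out.println("escaped body: " + HtmlUtils.htmlEscape(form.getBody()));

        // The untouched value is still on the request for fields that legitimately carry HTML.
        System.out.println("raw body:     " + request.getParameter("body"));
    }
}
```

Running main binds the title as alert(1)Hello and the body as 1 < 2 and bold: the script and bold tags are gone, the comparison operator stays, and the escaped body turns that '<' into &lt;. request.getParameter("body") still returns the original string, as the post notes for fields that must keep their markup.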

This is only a simple example. You can add other property editors in the same way, for instance one for date formats that converts every submitted date into a chosen format before it is saved.
