全网解决 XSS 漏洞的方案都是让你重写一个 request，或者教你写 MessageConverter。但是项目中用到了 shiro，重写 request 会和 shiro 冲突（因为 shiro 也重写了 request）；而 MessageConverter 又只对 application/json 方式提交的请求生效，普通的 form 提交没球用。
最终解决方案为:使用自定义转换器,当是set string的时候走我们自己写的一段代码来处理string。
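public class XSSStringEditor extends PropertyEditorSupport implements WebBindingInitializer {

    /**
     * Whitelist applied to every bound String: Jsoup's "relaxed" set plus the
     * {@code style} attribute on every element. Built once; the Cleaner only reads it.
     *
     * Security note: Jsoup does not inspect CSS, so allowing {@code style} everywhere
     * lets arbitrary inline CSS through; narrow this if the application does not need it.
     */
    private static final Whitelist SAFE_LIST = Whitelist.relaxed().addAttributes(":all", "style");

    /**
     * Cleans a bound String form value with Jsoup before it reaches the target bean.
     *
     * The result is Jsoup's serialised body HTML, so plain-text fields are also
     * entity-escaped ({@code &} becomes {@code &amp;}); values must still be
     * encoded on output, this editor only reduces what gets stored.
     *
     * @param text the raw request parameter value; {@code null} is kept as {@code null}
     * @throws IllegalArgumentException never thrown here; declared by the PropertyEditor contract
     * @see java.beans.PropertyEditorSupport#setAsText(java.lang.String)
     */
    @Override
    public void setAsText(String text) throws IllegalArgumentException {
        // Jsoup.clean(null, ...) throws; a missing parameter must stay absent, not blow up binding.
        if (text == null) {
            setValue(null);
            return;
        }
        setValue(Jsoup.clean(text, SAFE_LIST));
    }

    /**
     * Renders the current value as text for form display.
     *
     * @return {@code null} when no value is set, otherwise the project's string conversion
     *         of the value (ConverterUtils is project-local; assumed to stringify any value)
     * @see java.beans.PropertyEditorSupport#getAsText()
     */
    @Override
    public String getAsText() {
        Object current = getValue();
        return current == null ? null : ConverterUtils.toString(current);
    }

    /**
     * Registers a String editor on the binder of the current request.
     *
     * A fresh editor is registered each time: PropertyEditorSupport keeps the bound
     * value in instance state (setValue/getValue), so sharing {@code this} across
     * concurrent requests would let one request read another request's value.
     *
     * @param binder  the binder being initialised for this request
     * @param request the current request (unused)
     */
    @Override
    public void initBinder(WebDataBinder binder, WebRequest request) {
        binder.registerCustomEditor(String.class, new XSSStringEditor());
    }
}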
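@Configuration
public class SafeConfig {

    /**
     * Adds the XSS-cleaning String editor to every {@code WebDataBinder} without
     * discarding the initializer Spring MVC has already installed on the adapter.
     *
     * Replacing the adapter's initializer outright (the previous behaviour) drops
     * whatever that initializer configured, typically the ConversionService and
     * Validator, so bean validation and formatter-based conversion would silently
     * stop running. Here the existing initializer runs first and the XSS editor is
     * registered afterwards, so it wins for {@code String} targets.
     *
     * The lambda targets the two-argument {@code initBinder} contract that
     * {@link XSSStringEditor} overrides.
     *
     * @param requestMappingHandlerAdapter the MVC adapter whose binders are initialised
     */
    @Autowired
    public void setWebBindingInitializer(RequestMappingHandlerAdapter requestMappingHandlerAdapter) {
        // Capture before replacing, otherwise the lambda would re-enter itself.
        final WebBindingInitializer existing = requestMappingHandlerAdapter.getWebBindingInitializer();
        final XSSStringEditor xssInitializer = new XSSStringEditor();
        requestMappingHandlerAdapter.setWebBindingInitializer((binder, request) -> {
            if (existing != null) {
                existing.initBinder(binder, request);
            }
            xssInitializer.initBinder(binder, request);
        });
    }
}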