目录
1.概念
XSS:Cross Site Script ,为了区分css改写成xss,通过注入“HTML注入”,篡改了网页,插入了恶意脚本。
等到用户加载的时候就会自动执行恶意脚本,如果在浏览器上执行javacript就可以盗取Cookie或者Token
2.解决办法
1).设置过滤器
编写过滤器,拦截请求,把请求里面的数据进行转义
2).覆盖Http请求方法
在请求里面获取数据的时候,调用HttpServletRequest类中getParameter()方法和getParameterValues()方法,如果我们把这两个方法覆盖,返回数据的时候进行转译再返回
但是HttpServletRequest是接口,采用包装类的方式增加请求功能HttpServletRequestWrapper
3).HttpServletRequestWrapper
HttpServletRequestWrapper使用了装饰器模式
使用了装饰器模式,装饰器封装了厂家的Request的实现类,只要覆盖wrapper类的方法,就能做到覆盖厂商请求对象的方法
步骤;创建过滤器,把Request对象传入Wrapper对象
3.覆盖Http请求方法
导入依赖
<!-- 导入hutool工具包-->
<dependency>
<groupId>cn.hutool</groupId>
<artifactId>hutool-all</artifactId>
<version>5.4.0</version>
</dependency>
编写配置类
主要编写连个配置类
XssHttpServletRequestWrapper
import cn.hutool.core.util.StrUtil;
import cn.hutool.http.HtmlUtil;
import cn.hutool.json.JSONUtil;
import javax.servlet.ReadListener;
import javax.servlet.ServletInputStream;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import java.io.*;
import java.nio.charset.Charset;
import java.util.LinkedHashMap;
import java.util.Map;
public class XssHttpServletRequestWrapper extends HttpServletRequestWrapper {
public XssHttpServletRequestWrapper(HttpServletRequest request) {
super(request);
}
//进行转义
@Override
public String getParameter(String name) {
// 从请求中获取原始数据
String value = super.getParameter(name);
if(!StrUtil.hasEmpty(value)){
// 把标签变成文本
value= HtmlUtil.filter(value);
}
return value;
}
@Override
public String[] getParameterValues(String name) {
String[] values = super.getParameterValues(name);
if(values!=null){
for (int i = 0; i < values.length; i++) {
String value=values[i];
if(!StrUtil.hasEmpty(value)){
value= HtmlUtil.filter(value);
}
values[i]=value;
}
}
return values;
}
@Override
public Map<String, String[]> getParameterMap() {
Map<String, String[]> paramters = super.getParameterMap();
// 使用hashMap插入的是乱序的,使用LinkdHasMap
LinkedHashMap<String, String[]> map=new LinkedHashMap();
if(paramters!=null){
for (String key:paramters.keySet()){
String[] values=paramters.get(key);
for (int i = 0; i < values.length; i++) {
String value=values[i];
if(!StrUtil.hasEmpty(value)){
value= HtmlUtil.filter(value);
}
values[i]=value;
}
map.put(key,values);
}
}
return map;
}
@Override
public String getHeader(String name) {
String value = super.getHeader(name);
if(!StrUtil.hasEmpty(value)){
value = HtmlUtil.filter(value);
}
return value;
}
@Override
public ServletInputStream getInputStream() throws IOException {
InputStream in = super.getInputStream();
InputStreamReader reader=new InputStreamReader(in, Charset.forName("UTF-8"));
BufferedReader buffer = new BufferedReader(reader);
StringBuffer body = new StringBuffer();
String line=buffer.readLine();
while (line!=null){
body.append(line);
line=buffer.readLine();
}
buffer.close();
reader.close();
in.close();
// 把json格式转换成字符串
Map<String,Object> map=JSONUtil.parseObj(body.toString());
Map<String,Object> result=new LinkedHashMap<>();
for (String key : map.keySet()) {
Object val=map.get(key);
if(val instanceof String){
if(!StrUtil.hasEmpty( val.toString())){
result.put(key,HtmlUtil.filter(val.toString()));
}
}else {
result.put(key,val);
}
}
String json = JSONUtil.toJsonStr(result);
ByteArrayInputStream bain = new ByteArrayInputStream(json.getBytes());
return new ServletInputStream() {
@Override
public boolean isFinished() {
return false;
}
@Override
public boolean isReady() {
return false;
}
@Override
public void setReadListener(ReadListener readListener) {
}
// 方法用来读数据
@Override
public int read() throws IOException {
return bain.read();
}
};
}
}
XssFilter类
补充:Filter能再request到达servlet的服务方法前拦截HttpServletRequest对象,而在方法转移后又能拦截HttpServletResponse对象
import javax.servlet.*;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import java.io.IOException;
import java.util.logging.LogRecord;
@WebFilter(urlPatterns = "/*")
public class XssFilter implements Filter {
@Override
public void init(FilterConfig filterConfig) throws ServletException {
Filter.super.init(filterConfig);
}
@Override
public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
HttpServletRequest request=(HttpServletRequest)servletRequest;
XssHttpServletRequestWrapper wrapper=new XssHttpServletRequestWrapper(request);
filterChain.doFilter(wrapper,servletResponse);
}
@Override
public void destroy() {
Filter.super.destroy();
}
}
ps:在著启动类上要加@ServletComponentScan