SpringBoot+Xss过滤（@RequestBody参数过滤Xss）

记一次SpringBoot+Xss过滤

XssFilter过滤器

import org.springframework.stereotype.Component;
import org.springframework.web.multipart.MultipartHttpServletRequest;
import org.springframework.web.multipart.commons.CommonsMultipartResolver;

import javax.servlet.*;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import java.io.IOException;
import com.jfinal.kit.StrKit;

/**
 * @ProjectName: smt
 * @ClassName:
 * @Description:
 * @Author: yue zhenbin
 * @Date: 2021/7/7 9:16
 */
@Component
@WebFilter(urlPatterns = "/*", filterName = "xssFilter")
public class XssFilter implements Filter {
    @Override
    public void init(FilterConfig filterConfig) throws ServletException {

    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
        String contentType = request.getContentType();
        if (StrKit.notBlank(contentType) && contentType.contains("multipart/form-data")) {//对图片上传不进行xss过滤
            chain.doFilter(request, response);
        }else {
            XssHttpServletRequestWrapper xssRequest = new XssHttpServletRequestWrapper((HttpServletRequest) request);
            chain.doFilter(xssRequest, response);
        }

    }
    @Override
    public void destroy() {}
}

XssHttpServletRequestWrapper过滤规则类

主要针对@RequestBody进行的参数过滤

import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.nio.charset.Charset;

import javax.servlet.ReadListener;
import javax.servlet.ServletInputStream;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;


import org.apache.commons.lang3.StringUtils;
import org.jsoup.Jsoup;
import org.jsoup.nodes.Document;
import org.jsoup.nodes.Document.OutputSettings;
import org.jsoup.safety.Whitelist;
import org.springframework.util.StreamUtils;

import com.alibaba.fastjson.JSONObject;

/**
 * XSS过滤处理
 *
 * @author ruoyi
 */
public class XssHttpServletRequestWrapper extends HttpServletRequestWrapper {

    //使用basic()
    private static final Whitelist whitelist = createWhitelist();

    private static final OutputSettings outputSettings = new Document.OutputSettings().prettyPrint(false);

    private byte[] requestBody;
    private Charset charSet;

    private static Whitelist createWhitelist() {
        return Whitelist.basic();
    }

    private static String filter(String value) {
        if(value!=null) {
            value = Jsoup.clean(value, "", whitelist, outputSettings).trim();
        }
        return value;
    }

    /**
     *
     * @param request
     */
    public XssHttpServletRequestWrapper(HttpServletRequest request) {
        super(request);
        //缓存请求body
        try {
            String requestBodyStr = getRequestPostStr(request);
            requestBodyStr=filterBadString(requestBodyStr);
            if (StringUtils.isNotBlank(requestBodyStr)) {
                requestBodyStr=filter(requestBodyStr);
                JSONObject resultJson = JSONObject.parseObject(requestBodyStr);
                requestBody = resultJson.toString().getBytes(charSet);
            } else {
                requestBody = new byte[0];
            }
        } catch (IOException e) {
            e.printStackTrace();
        }
    }

    /**
     * 获取POST请求体中数据
     * @param request
     * @return
     * @throws IOException
     */
    public String getRequestPostStr(HttpServletRequest request)
            throws IOException {
        String charSetStr = request.getCharacterEncoding();
        if (charSetStr == null) {
            charSetStr = "UTF-8";
        }
        charSet = Charset.forName(charSetStr);

        return StreamUtils.copyToString(request.getInputStream(), charSet);
    }

    @Override
    public ServletInputStream getInputStream() {
        if (requestBody == null) {
            requestBody = new byte[0];
        }

        final ByteArrayInputStream byteArrayInputStream = new ByteArrayInputStream(requestBody);

        return new ServletInputStream() {
            @Override
            public boolean isFinished() {
                return false;
            }
            @Override
            public boolean isReady() {
                return false;
            }
            @Override
            public void setReadListener(ReadListener readListener) {
            }
            @Override
            public int read() {
                return byteArrayInputStream.read();
            }
        };
    }

    /**
     * 特殊字符过滤
     *
     * @param value
     * @return
     */
    private  static String filterBadString(String value) {

        String REP_TIPS = "BadParamter";

        value = value.replaceAll("select", REP_TIPS);

        value = value.replaceAll("SELECT", REP_TIPS);

        value = value.replaceAll("insert", REP_TIPS);

        value = value.replaceAll("INSERT", REP_TIPS);

        value = value.replaceAll("delete", REP_TIPS);

        value = value.replaceAll("DELETE", REP_TIPS);

        value = value.replaceAll("update", REP_TIPS);

        value = value.replaceAll("UPDATE", REP_TIPS);

        value = value.replaceAll("script", REP_TIPS);

        value = value.replaceAll(">", REP_TIPS);

        value = value.replaceAll("<", REP_TIPS);

        value = value.replaceAll("=", REP_TIPS);

        value = value.replaceAll("@", REP_TIPS);
        return value;
    }
}

启动类需添加Servlet扫描：@ServletComponentScan(“com.xxx.smt.config.XssFilter”)

所需要的依赖：

<dependency>
            <groupId>org.jsoupgroupId>
            <artifactId>jsoupartifactId>
            <version>1.10.2version>
        dependency>
        <dependency>
            <groupId>org.apache.commonsgroupId>
            <artifactId>commons-lang3artifactId>
        dependency>
        
        <dependency>
            <groupId>com.jfinalgroupId>
            <artifactId>jfinalartifactId>
            <version>2.2version>
        dependency>
        <dependency>
	       <groupId>com.jfinalgroupId>
	       <artifactId>cosartifactId>
	       <version>26Dec2008version>
        dependency>