diff --git a/im-platform/src/main/java/com/bx/implatform/config/XssBodyConfig.java b/im-platform/src/main/java/com/bx/implatform/config/XssBodyConfig.java
new file mode 100644
index 0000000..bddec47
--- /dev/null
+++ b/im-platform/src/main/java/com/bx/implatform/config/XssBodyConfig.java
@@ -0,0 +1,47 @@
+package com.bx.implatform.config;
+
+import com.fasterxml.jackson.core.JsonParser;
+import com.fasterxml.jackson.databind.DeserializationContext;
+import com.fasterxml.jackson.databind.JsonDeserializer;
+import com.fasterxml.jackson.databind.ObjectMapper;
+import com.fasterxml.jackson.databind.module.SimpleModule;
+import org.apache.commons.lang3.StringEscapeUtils;
+import org.apache.commons.lang3.StringUtils;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.context.annotation.Configuration;
+
+import javax.annotation.PostConstruct;
+import java.io.IOException;
+
+@Configuration
+public class XssBodyConfig {
+
+ @Autowired
+ private ObjectMapper objectMapper;
+
+ @PostConstruct
+ public void afterPropertiesSet() throws Exception {
+ SimpleModule simpleModule = new SimpleModule();
+ simpleModule.addDeserializer(String.class, new JsonHtmlXssDeserializer());
+ objectMapper.registerModule(simpleModule);
+ }
+
+
+ class JsonHtmlXssDeserializer extends JsonDeserializer {
+
+ @Override
+ public Class handledType() {
+ return String.class;
+ }
+
+ @Override
+ public String deserialize(JsonParser jsonParser, DeserializationContext deserializationContext) throws IOException {
+ String value = jsonParser.getValueAsString();
+ if (StringUtils.isNotEmpty(value)) {
+ return StringEscapeUtils.escapeHtml4(value);
+ }
+ return value;
+ }
+
+}
+}
\ No newline at end of file
diff --git a/im-platform/src/main/java/com/bx/implatform/filter/XssFilter.java b/im-platform/src/main/java/com/bx/implatform/filter/XssFilter.java
new file mode 100644
index 0000000..d47c627
--- /dev/null
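Review bot: The `String` deserializer is registered on the autowired application-wide `ObjectMapper`, so every string Jackson reads through that bean is HTML-escaped, not only inbound request bodies; if the same mapper also reads data that was stored already escaped, `escapeHtml4` applies again (`&amp;` becomes `&amp;amp;`), and non-HTML fields such as passwords, URLs or tokens are altered before they are validated or compared. Encoding at output for the rendering context is the usual defence; if input escaping is kept, scope the module to the HTTP message converter's mapper rather than the shared bean, and add a class comment stating that the shared mapper is mutated in `@PostConstruct`. The inner class also uses raw types and is non-static, so each instance captures an `XssBodyConfig` reference; `static class JsonHtmlXssDeserializer extends JsonDeserializer<String>` and `public Class<String> handledType()` fix both, and `handledType()` is redundant once `addDeserializer(String.class, ...)` names the type.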
+++ b/im-platform/src/main/java/com/bx/implatform/filter/XssFilter.java
@@ -0,0 +1,28 @@
+package com.bx.implatform.filter;
+
+import org.springframework.boot.web.servlet.ServletComponentScan;
+import org.springframework.stereotype.Component;
+
+import javax.servlet.*;
+import javax.servlet.annotation.WebFilter;
+import javax.servlet.http.HttpServletRequest;
+import java.io.IOException;
+import java.util.List;
+
+@Component
+@ServletComponentScan
+@WebFilter(urlPatterns = "/*",filterName = "xssFilter")
+public class XssFilter implements Filter {
+
+ @Override
+ public void init(FilterConfig filterConfig) {}
+
+ @Override
+ public void destroy() {}
+
+ @Override
+ public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
+ chain.doFilter(new XssHttpServletRequestWrapper((HttpServletRequest) request), response);
+ }
+
+}
\ No newline at end of file
diff --git a/im-platform/src/main/java/com/bx/implatform/filter/XssHttpServletRequestWrapper.java b/im-platform/src/main/java/com/bx/implatform/filter/XssHttpServletRequestWrapper.java
new file mode 100644
index 0000000..36ac7d6
--- /dev/null
+++ b/im-platform/src/main/java/com/bx/implatform/filter/XssHttpServletRequestWrapper.java
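Review bot: `doFilter` casts `request` to `HttpServletRequest` unconditionally, which throws `ClassCastException` for any non-HTTP `ServletRequest` the container passes to a `/*` filter; guard it with `chain.doFilter(request instanceof HttpServletRequest ? new XssHttpServletRequestWrapper((HttpServletRequest) request) : request, response);`. The class carries both `@Component` and `@WebFilter`, and `@ServletComponentScan` sits on the filter itself rather than on a configuration class where it takes effect; if servlet component scanning is enabled elsewhere, the filter is likely registered twice and parameters are wrapped and escaped twice, so keep a single registration mechanism and say so in a class comment. `java.util.List` is imported but unused.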
@@ -0,0 +1,47 @@
+package com.bx.implatform.filter;
+
+import cn.hutool.extra.servlet.ServletUtil;
+import lombok.SneakyThrows;
+import org.apache.commons.lang3.ArrayUtils;
+import org.apache.commons.lang3.StringEscapeUtils;
+import org.springframework.web.util.HtmlUtils;
+
+import javax.servlet.ReadListener;
+import javax.servlet.ServletInputStream;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletRequestWrapper;
+import java.io.BufferedReader;
+import java.io.ByteArrayInputStream;
+import java.io.IOException;
+import java.io.InputStreamReader;
+
+public class XssHttpServletRequestWrapper extends HttpServletRequestWrapper {
+
+ public XssHttpServletRequestWrapper(HttpServletRequest request) {
+ super(request);
+ }
+
+ @Override
+ public String getQueryString() {
+ return StringEscapeUtils.escapeHtml4(super.getQueryString());
+ }
+
+ @Override
+ public String getParameter(String name) {
+ return StringEscapeUtils.escapeHtml4(super.getParameter(name));
+ }
+
+ @Override
+ public String[] getParameterValues(String name) {
+ String[] values = super.getParameterValues(name);
+ if (ArrayUtils.isEmpty(values)) {
+ return values;
+ }
+ int length = values.length;
+ String[] escapeValues = new String[length];
+ for (int i = 0; i < length; i++) {
+ escapeValues[i] = StringEscapeUtils.escapeHtml4(values[i]);
+ }
+ return escapeValues;
+ }
+}
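Review bot: The wrapper escapes `getParameter`, `getParameterValues` and `getQueryString` but leaves `getParameterMap()`, `getHeader`/`getHeaders` and the body (`getInputStream`/`getReader`) untouched, so any code that reads parameters through the map sees the raw values and the escaping is easy to bypass without anyone noticing; the unused `ServletInputStream`, `ReadListener`, `ByteArrayInputStream`, `BufferedReader`, `InputStreamReader`, `ServletUtil`, `SneakyThrows` and `HtmlUtils` imports suggest a body override was planned and dropped, and should either be completed or removed. Escaping `getQueryString()` with `escapeHtml4` also rewrites the `&` separator to `&amp;`, so a consumer that parses the query string (redirect building, signature checks) receives a different string from what the client sent; that override should probably be `return super.getQueryString();` with the per-parameter overrides doing the work. A `getParameterMap()` override that reuses the escaped `getParameterValues` closes the map path (it needs `java.util.Collections`, `LinkedHashMap` and `Map` imports), and the class should document which accessors are escaped and which are not.
```java
// … unchanged: constructor, getQueryString, getParameter, getParameterValues …
@Override
public Map<String, String[]> getParameterMap() {
    Map<String, String[]> escaped = new LinkedHashMap<>();
    for (String name : super.getParameterMap().keySet()) {
        escaped.put(name, getParameterValues(name));
    }
    return Collections.unmodifiableMap(escaped);
}
```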