我是靠谱客的博主 发嗲小虾米,最近开发中收集的这篇文章主要介绍springboot 、springmvc 预防xss 攻击 自定义WebBindingInitializer 实现类,觉得挺不错的,现在分享给大家,希望可以做个参考。
概述
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.web.bind.WebDataBinder;
import org.springframework.web.bind.support.WebBindingInitializer;
import org.springframework.web.context.request.WebRequest;
import org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter;
/**
* 全局请求参数绑定:
*
* 针对表单绑定参数处理
*
*/
@Configuration
public class MyWebBindingInitializer implements WebBindingInitializer {
private static final WebBindingInitializer webBindingInitializer = new MyWebBindingInitializer();
@Override
public void initBinder(WebDataBinder binder, WebRequest request) {
binder.registerCustomEditor(String.class, new StringEscapeEditor(true, true, false));
}
@Autowired
public void getWebBindingInitializer(RequestMappingHandlerAdapter requestMappingHandlerAdapter){
requestMappingHandlerAdapter.setWebBindingInitializer(webBindingInitializer);
}
}
import java.beans.PropertyEditorSupport;
import org.apache.commons.lang3.StringEscapeUtils;
public class StringEscapeEditor extends PropertyEditorSupport {
private boolean escapeHTML;
private boolean escapeJavaScript;
private boolean escapeSQL;
public StringEscapeEditor() {
super();
}
public StringEscapeEditor(boolean escapeHTML, boolean escapeJavaScript, boolean escapeSQL) {
super();
this.escapeHTML = escapeHTML;
this.escapeJavaScript = escapeJavaScript;
this.escapeSQL = escapeSQL;
}
@Override
public void setAsText(String text) {
if (text == null) {
setValue(null);
} else {
String value = text;
if (escapeHTML) {
value = StringEscapeUtils.escapeHtml3(value);
}
if (escapeJavaScript) {
value = this.escapeScript(value);
}
if (escapeSQL) {
value = this.escapeSql(value);
}
setValue(value);
}
}
@Override
public String getAsText() {
Object value = getValue();
return value != null ? value.toString() : "";
}
/**
* 剥离SQL注入部分代码
* @param value
* @return
*/
public String escapeSql(String value) {
return value.replaceAll("('.+--)|(--)|(\|)|(%7C)", "");
}
/**
* 剥离js注入
* @param value
* @return
*/
public String escapeScript(String value){
value = value.replace("script", "\script").replace("/script", "\/script");
return value;
}
}如果是springmvc 框架:
还需要在springMVC-servlet.xml文件里面进行配置,且去掉
@Configuration注解
springMVC-servlet 配置:
<!-- 防止xss攻击 自定义 WebBindingInitializer-->
<bean class="org.springframework.web.servlet.mvc.annotation.AnnotationMethodHandlerAdapter">
<property name="cacheSeconds" value="0"/>
<property name="webBindingInitializer">
<bean class="com.wphk.filter.MyWebBindingInitializer"/>
</property>
</bean>最后
以上就是发嗲小虾米为你收集整理的springboot 、springmvc 预防xss 攻击 自定义WebBindingInitializer 实现类的全部内容,希望文章能够帮你解决springboot 、springmvc 预防xss 攻击 自定义WebBindingInitializer 实现类所遇到的程序开发问题。
如果觉得靠谱客网站的内容还不错,欢迎将靠谱客网站推荐给程序员好友。
本图文内容来源于网友提供,作为学习参考使用,或来自网络收集整理,版权属于原作者所有。
发表评论 取消回复