SpringBoot通过AOP实现Xss攻击拦截


1、定义Xss工具类

import java.util.regex.Matcher;
import java.util.regex.Pattern;

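public class XssUtils {
    private XssUtils() {
    }

    /**
     * Blacklist of markup/script fragments that are rejected when found anywhere in a
     * value. The list is deliberately small and is a last-resort input filter only:
     * attribute-bearing {@code <iframe src=...>} tags, {@code javascript:} URLs, HTML
     * entity encodings and many other vectors are not covered. Contextual output
     * encoding in the view layer remains the primary XSS defence.
     *
     * <p>The source listing contained two empty {@code Pattern.compile("")} entries
     * (their comments were garbled). They are dropped here because, under
     * {@code find()}, an empty pattern matches every string and would reject all input.
     */
    private static final Pattern[] PATTERNS = {
            // <script>...</script> on a single line (no DOTALL, so the body may not span lines;
            // multi-line payloads are still caught by the <script ...> and </script> entries below)
            Pattern.compile("<script>(.*?)</script>", Pattern.CASE_INSENSITIVE),
            // src='...' and src="..." attributes, with optional line breaks around '='
            Pattern.compile("src[\r\n]*=[\r\n]*\\\'(.*?)\\\'", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL),
            Pattern.compile("src[\r\n]*=[\r\n]*\\\"(.*?)\\\"", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL),
            // lone closing </script>
            Pattern.compile("</script>", Pattern.CASE_INSENSITIVE),
            // <iframe>...</iframe> without attributes
            Pattern.compile("<iframe>(.*?)</iframe>", Pattern.CASE_INSENSITIVE),
            // opening <script ...> with any attributes
            Pattern.compile("<script(.*?)>", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL),
            // <img ...> tags (common carrier for src/onerror payloads)
            Pattern.compile("<img(.*?)>", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL),
            // eval(...)
            Pattern.compile("eval\\((.*?)\\)", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL),
            // CSS expression(...)
            Pattern.compile("expression\\((.*?)\\)", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL),
            // event-handler attributes such as onload= / onerror= / onclick=
            Pattern.compile("on(load|error|mouseover|submit|reset|focus|click)(.*?)=", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL)
    };

    /**
     * Checks a value that has no field name; see {@link #stripXSS(String, String)}.
     *
     * @param value the value to check
     * @return {@code value} unchanged
     * @throws IllegalArgumentException if a blacklisted fragment is found
     */
    public static String stripXSS(String value) {
        return stripXSS(null, value);
    }

    /**
     * Rejects a value that contains any blacklisted fragment.
     *
     * <p>Despite the name, nothing is stripped: the value is returned unchanged when it is
     * clean and an exception is thrown otherwise. Rejecting is preferred over silently
     * deleting matches ({@code replaceAll("")}), because deletion can be defeated by
     * nesting (e.g. {@code <scr<script>ipt>} becomes {@code <script>} after one pass).
     *
     * <p>Matching uses {@link Matcher#find()}, so the fragment may appear anywhere in the
     * value. The original code used {@code matches()}, which requires the whole value to be
     * exactly one blacklisted fragment; {@code "hi <script>alert(1)</script>"} therefore
     * passed through unchecked.
     *
     * @param key   field name used in the error message, or {@code null} for a bare value
     * @param value the value to check; {@code null} and {@code ""} are returned as-is
     * @return {@code value} unchanged
     * @throws IllegalArgumentException if any pattern is found in {@code value}
     */
    public static String stripXSS(String key, String value) {
        // Plain null/empty check instead of the third-party StringUtils the listing never imported.
        if (value == null || value.isEmpty()) {
            return value;
        }
        for (Pattern scriptPattern : PATTERNS) {
            if (scriptPattern.matcher(value).find()) {
                String msg = key == null ? "" : "字段:" + key + ",";
                throw new IllegalArgumentException(msg + "存在非法关键字符");
            }
        }
        return value;
    }
}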

2、定义AOP

在 AOP 中，以 Controller 所在包为切入点，对进入 Controller 的全部方法参数进行 XSS 校验；参数中一旦匹配到黑名单模式即抛出异常、中止本次请求。需要注意，这只是输入侧的黑名单检测，无法覆盖所有攻击载荷，不能替代输出时按上下文进行的 HTML 转义。

import com.alibaba.fastjson.JSON;
import com.alibaba.fastjson.JSONObject;
import com.alibaba.fastjson.TypeReference;
import com.lhz.common.utils.XssUtils;
import org.aspectj.lang.JoinPoint;
import org.aspectj.lang.annotation.Aspect;
import org.aspectj.lang.annotation.Before;
import org.aspectj.lang.annotation.Pointcut;
import org.springframework.stereotype.Component;

import java.util.Collection;
import java.util.HashMap;
import java.util.Map;

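@Component
@Aspect
public class XssParamAspect {

    /**
     * Pointcut over every method execution in the controller package and its
     * sub-packages. {@code org.project.controller} is a placeholder: replace it with the
     * real controller package, otherwise the advice never runs.
     */
    @Pointcut("execution(* org.project.controller..*.*(..))")
    public void xssPoint() {
    }

    /**
     * Before-advice that rejects a request whose arguments contain XSS-like markup.
     *
     * <p>Each argument is walked recursively: strings are checked directly, maps,
     * collections and object arrays are walked element by element, and any other object
     * is round-tripped through fastjson so its string-valued fields -- including nested
     * ones -- are reached. The original version only looked at top-level string fields of
     * a DTO, skipped nested objects and lists entirely, and threw a JSON/NPE error for
     * {@code null}, {@code Boolean} and collection arguments.
     *
     * <p>{@code XssUtils.stripXSS} throws on a match, which aborts the controller call;
     * presumably Spring surfaces that as a 500 unless an {@code @ExceptionHandler} maps it
     * to a 400 -- confirm against the project's exception handling.
     *
     * <p>This is a blacklist check, not a substitute for output encoding in the view
     * layer. NOTE(review): framework-provided arguments (servlet request/response,
     * MultipartFile, BindingResult, Model) also reach the fastjson branch; if such
     * parameters appear on the advised controllers, narrow the pointcut or skip them
     * explicitly -- verify against the real controller signatures.
     *
     * @param point join point supplying the controller arguments
     * @throws IllegalArgumentException (from {@code XssUtils}) when a string argument or
     *                                  field matches a blacklisted pattern
     */
    @Before("xssPoint()")
    public void paramValid(JoinPoint point) {
        for (Object arg : point.getArgs()) {
            checkValue(null, arg);
        }
    }

    /**
     * Recursively checks one value.
     *
     * @param key   field name reported in the error message, or {@code null} for a bare
     *              argument
     * @param value the argument, field value or container element to inspect
     */
    private static void checkValue(String key, Object value) {
        if (value == null || value instanceof Number || value instanceof Boolean
                || value instanceof Character) {
            return; // nothing string-shaped to inspect
        }
        if (value instanceof CharSequence) {
            XssUtils.stripXSS(key, value.toString());
        } else if (value instanceof Map) {
            ((Map<?, ?>) value).forEach((k, v) -> checkValue(String.valueOf(k), v));
        } else if (value instanceof Collection) {
            for (Object element : (Collection<?>) value) {
                checkValue(key, element);
            }
        } else if (value instanceof Object[]) {
            for (Object element : (Object[]) value) {
                checkValue(key, element);
            }
        } else if (value.getClass().isArray()) {
            return; // primitive array: no strings inside
        } else {
            // Arbitrary DTO: serialise with fastjson and walk the generic JSON tree
            // (JSONObject is a Map, JSONArray is a Collection), so nested fields are
            // reached and field names are available for the error message. The parsed
            // tree only ever contains Map/Collection/String/Number/Boolean/null, all of
            // which are handled above, so this cannot recurse back into this branch.
            // The former System.out.println of the whole parameter map is gone: it wrote
            // every request payload (possibly credentials) to stdout.
            checkValue(key, JSON.parse(JSON.toJSONString(value)));
        }
    }
}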

 


 

版权 本文为TIMO社区原创文章,转载无需和我联系,但请注明来自TIMO社区 http://timo.aikanmv.cn