common-xss

Values obtained from the request via getParameter and getParameterValues, and JSON request bodies being converted to objects, are XSS-filtered.

License

GroupId

kim.hanjie.common

ArtifactId

common-xss

Last Version

1.0.0

Release Date

Type

jar

Description

common-xss
Values obtained from the request via getParameter and getParameterValues, and JSON request bodies being converted to objects, are XSS-filtered.

Project URL

https://github.com/shanehan/common-xss

Source Code Management

https://github.com/shanehan/common-xss


How to add to project

Maven:

<!-- https://jarcasting.com/artifacts/kim.hanjie.common/common-xss/ -->
<dependency>
    <groupId>kim.hanjie.common</groupId>
    <artifactId>common-xss</artifactId>
    <version>1.0.0</version>
</dependency>

Gradle (Groovy DSL):

// https://jarcasting.com/artifacts/kim.hanjie.common/common-xss/
implementation 'kim.hanjie.common:common-xss:1.0.0'

Gradle (Kotlin DSL):

// https://jarcasting.com/artifacts/kim.hanjie.common/common-xss/
implementation("kim.hanjie.common:common-xss:1.0.0")

Buildr:

'kim.hanjie.common:common-xss:jar:1.0.0'

Ivy:

<dependency org="kim.hanjie.common" name="common-xss" rev="1.0.0">
  <artifact name="common-xss" type="jar" />
</dependency>

Grape:

@Grapes(
@Grab(group='kim.hanjie.common', module='common-xss', version='1.0.0')
)

SBT:

libraryDependencies += "kim.hanjie.common" % "common-xss" % "1.0.0"

Leiningen:

[kim.hanjie.common/common-xss "1.0.0"]

Dependencies

compile (1)

Group / Artifact Type Version
org.apache.commons : commons-text jar 1.9

provided (2)

Group / Artifact Type Version
javax.servlet : javax.servlet-api jar 4.0.0
com.fasterxml.jackson.core : jackson-databind jar 2.11.4

Project Modules

There are no modules declared in this project.

common-xss

Values obtained from the request via getParameter and getParameterValues, and JSON request bodies being converted to objects, are XSS-filtered.

How it works

escapeHtml4 from StringEscapeUtils is used to escape HTML special characters, so that injected markup is neutralised before it can be rendered.

Usage

    <dependency>
        <groupId>kim.hanjie.common</groupId>
        <artifactId>common-xss</artifactId>
        <version>1.0.0</version>
    </dependency>

Using the filter

import org.springframework.boot.web.servlet.FilterRegistrationBean;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
// XssFilter is the filter class shipped by common-xss; its package is not given on this page

@Configuration
public class FilterConfiguration {
    @Bean
    public FilterRegistrationBean<XssFilter> xssFilterFilterRegistration() {
        FilterRegistrationBean<XssFilter> registration = new FilterRegistrationBean<>();
        registration.setFilter(new XssFilter());
        // apply the filter to every request path
        registration.addUrlPatterns("/*");
        registration.setName("xssFilter");
        return registration;
    }
}

Using XssStringJsonDeserializer

import com.fasterxml.jackson.annotation.JsonInclude;
import com.fasterxml.jackson.databind.ObjectMapper;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Primary;
import org.springframework.http.converter.json.Jackson2ObjectMapperBuilder;
// XssStringJsonDeserializer is shipped by common-xss; its package is not given on this page

@Configuration
public class JacksonConvertersConfiguration {
    @Bean
    @Primary
    ObjectMapper jacksonObjectMapper(Jackson2ObjectMapperBuilder builder) {
        // createXmlMapper(false) returns the same builder, configured to build a plain ObjectMapper
        Jackson2ObjectMapperBuilder xmlMapper = builder.createXmlMapper(false);
        xmlMapper.serializationInclusion(JsonInclude.Include.NON_NULL);
        // set the deserializer for String to XssStringJsonDeserializer
        builder.deserializerByType(String.class, new XssStringJsonDeserializer());
        return xmlMapper.build();
    }
}

Exceptions

For text that does not need XSS processing, such as rich-text content, StringEscapeUtils.unescapeHtml4 can be used to convert it back.
For rich text of this kind, Jsoup.clean() can be used to obtain a safe rich-text version of the content.

    <dependency>
        <groupId>org.jsoup</groupId>
        <artifactId>jsoup</artifactId>
        <version>1.13.1</version>
    </dependency>
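To make the two interception points described above concrete (escaping request parameters and escaping JSON strings with escapeHtml4, plus the rich-text exception via unescapeHtml4 and Jsoup.clean), here is an added illustration; it is not the library's own code, and the class names EscapingRequest, EscapingStringDeserializer and restoreRichText are hypothetical.

```java
import java.io.IOException;
import java.util.Arrays;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import com.fasterxml.jackson.core.JsonParser;
import com.fasterxml.jackson.databind.DeserializationContext;
import com.fasterxml.jackson.databind.JsonDeserializer;
import org.apache.commons.text.StringEscapeUtils;
import org.jsoup.Jsoup;
import org.jsoup.safety.Whitelist;

// Hypothetical illustration of the interception points the README describes (not the library's code).
public class XssEscapingExample {

    // Request wrapper: getParameter/getParameterValues hand back HTML-escaped values.
    public static class EscapingRequest extends HttpServletRequestWrapper {
        public EscapingRequest(HttpServletRequest request) {
            super(request);
        }

        @Override
        public String getParameter(String name) {
            // escapeHtml4 returns null for null input, so an absent parameter stays null
            return StringEscapeUtils.escapeHtml4(super.getParameter(name));
        }

        @Override
        public String[] getParameterValues(String name) {
            String[] values = super.getParameterValues(name);
            if (values == null) return null;
            return Arrays.stream(values).map(StringEscapeUtils::escapeHtml4).toArray(String[]::new);
        }
    }

    // Jackson deserializer for String fields: each JSON string is escaped as it is read.
    public static class EscapingStringDeserializer extends JsonDeserializer<String> {
        @Override
        public String deserialize(JsonParser p, DeserializationContext ctxt) throws IOException {
            return StringEscapeUtils.escapeHtml4(p.getValueAsString());
        }
    }

    // Exception path from the README: unescape stored rich text, then sanitise it with Jsoup.
    // Whitelist is the jsoup 1.13.1 API name; later jsoup versions rename it Safelist.
    public static String restoreRichText(String escaped) {
        return Jsoup.clean(StringEscapeUtils.unescapeHtml4(escaped), Whitelist.basic());
    }
}
```

A servlet Filter would wrap each incoming request in EscapingRequest before calling chain.doFilter, and the deserializer is registered with deserializerByType exactly as in the Jackson configuration above. Because escaping happens on input, values are stored escaped, which is why rich-text fields need the unescape-then-sanitise path rather than a second escape on output.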

Versions

Version
1.0.0