SpringMVC如何有效的防止XSS注入
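1、重写XssHttpServletRequestWrapper中的方法:
import java.util.Collections;
import java.util.LinkedHashMap;
import java.util.Map;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;

import org.springframework.web.util.HtmlUtils;

/**
 * Request wrapper that HTML-escapes parameter and header values before the
 * application reads them (installed per request by XssFilter).
 *
 * <p>Scope and limitations a reader should keep in mind:
 * <ul>
 *   <li>{@link HtmlUtils#htmlEscape(String)} encodes for HTML element content.
 *       Escaping on the way in is context-blind: values later emitted into
 *       JavaScript, URLs or attribute values are not made safe by it, so
 *       context-appropriate output encoding in the view layer remains the
 *       primary control.</li>
 *   <li>Whatever the application stores is the escaped form, so {@code &},
 *       quotes and angle brackets in legitimate data are persisted escaped.</li>
 *   <li>Only {@code getParameter}, {@code getParameterValues},
 *       {@code getParameterMap} and {@code getHeader} are overridden. The
 *       request body ({@code getInputStream()}/{@code getReader()}),
 *       {@code getQueryString()}, cookies, {@code getHeaders(String)} and
 *       {@code getHeaderNames()} return raw values.</li>
 * </ul>
 *
 * @author xieshangzhen
 */
public class XssHttpServletRequestWrapper extends HttpServletRequestWrapper {

    public XssHttpServletRequestWrapper(HttpServletRequest servletRequest) {
        super(servletRequest);
    }

    /**
     * Returns every value of {@code parameter} HTML-escaped.
     *
     * @return a fresh escaped copy, or {@code null} when the parameter is absent
     */
    @Override
    public String[] getParameterValues(String parameter) {
        return cleanXSS(super.getParameterValues(parameter));
    }

    /**
     * Returns the first value of {@code parameter} HTML-escaped.
     *
     * @return the escaped value, or {@code null} when the parameter is absent
     */
    @Override
    public String getParameter(String parameter) {
        return cleanXSS(super.getParameter(parameter));
    }

    /**
     * Returns the parameter map with every value HTML-escaped. Without this
     * override, code that reads the map instead of {@code getParameterValues}
     * receives the raw values and bypasses the wrapper.
     *
     * @return an unmodifiable map of escaped values, preserving the original key order
     */
    @Override
    public Map<String, String[]> getParameterMap() {
        Map<String, String[]> raw = super.getParameterMap();
        Map<String, String[]> encoded = new LinkedHashMap<>(raw.size());
        for (Map.Entry<String, String[]> entry : raw.entrySet()) {
            encoded.put(entry.getKey(), cleanXSS(entry.getValue()));
        }
        return Collections.unmodifiableMap(encoded);
    }

    /**
     * Returns the header {@code name} HTML-escaped.
     *
     * @return the escaped header value, or {@code null} when the header is absent
     */
    @Override
    public String getHeader(String name) {
        return cleanXSS(super.getHeader(name));
    }

    /** Escapes each element of {@code values}; {@code null} passes through unchanged. */
    private String[] cleanXSS(String[] values) {
        if (values == null) {
            return null;
        }
        String[] encodedValues = new String[values.length];
        for (int i = 0; i < values.length; i++) {
            encodedValues[i] = cleanXSS(values[i]);
        }
        return encodedValues;
    }

    /**
     * HTML-escapes a single value. Escaping can be hand-rolled or delegated to a
     * utility such as org.apache.commons.lang.StringEscapeUtils or
     * org.springframework.web.util.HtmlUtils; Spring's HtmlUtils is used here.
     *
     * @return the escaped value, or {@code null} when {@code value} is {@code null}
     */
    private String cleanXSS(String value) {
        return value == null ? null : HtmlUtils.htmlEscape(value);
    }
}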
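2、写个拦截器,对请求进行拦截过滤:
import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;

/**
 * XSS filter: wraps each HTTP request in {@link XssHttpServletRequestWrapper} so
 * that downstream code reads HTML-escaped parameter and header values.
 *
 * <p>The wrapper covers parameters and the single-value header accessor only; the
 * request body reaches the controller unchanged, so output encoding in the view
 * layer is still required.
 *
 * @author xieshangzhen
 */
public class XssFilter implements Filter {

    private FilterConfig filterConfig;

    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
        this.filterConfig = filterConfig;
    }

    @Override
    public void destroy() {
        this.filterConfig = null;
    }

    /**
     * Wraps the request and continues the chain. A request that is not an
     * {@link HttpServletRequest} is passed through unwrapped rather than failing
     * the whole request with a {@link ClassCastException}.
     */
    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        if (request instanceof HttpServletRequest) {
            chain.doFilter(new XssHttpServletRequestWrapper((HttpServletRequest) request), response);
        } else {
            chain.doFilter(request, response);
        }
    }
}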
3、在web.xml中配置拦截器,对所有的请求进行过滤:<filter> <filter-name>xssFilter</filter-name> <filter-class>com.xsz.xss.XssFilter</filter-class> </filter> <filter-mapping> <filter-name>xssFilter</filter-name> <url-pattern>/*</url-pattern> <dispatcher>REQUEST</dispatcher> </filter-mapping>