import org.owasp.esapi.ESAPI;
import org.owasp.esapi.codecs.HTMLCodec;

// 自定義過濾器示例
public class XssFilter implements Filter {

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        if (!(request instanceof HttpServletRequest) || !(response instanceof HttpServletResponse)) {
            throw new ServletException("XssFilter just supports HTTP requests");
        }

        HttpServletRequest httpRequest = (HttpServletRequest) request;
        HttpServletResponse httpResponse = (HttpServletResponse) response;

        // 對請求參數(shù)進(jìn)行過濾
        XssHttpServletRequestWrapper xssRequest = new XssHttpServletRequestWrapper(httpRequest);
        chain.doFilter(xssRequest, response);

        // 對響應(yīng)內(nèi)容進(jìn)行轉(zhuǎn)義（可選，根據(jù)具體需求實(shí)現(xiàn)）
        // 這里可以通過自定義的XssHttpServletResponseWrapper來實(shí)現(xiàn)，但示例中未展示
    }

    // 初始化、銷毀方法省略...
}

// 自定義XssHttpServletRequestWrapper類，用于包裝HttpServletRequest并過濾參數(shù)
public class XssHttpServletRequestWrapper extends HttpServletRequestWrapper {

    public XssHttpServletRequestWrapper(HttpServletRequest request) {
        super(request);
    }

    @Override
    public String getParameter(String name) {
        String value = super.getParameter(name);
        if (value != null) {
            value = ESAPI.encoder().canonicalize(value);
            // 進(jìn)一步清理潛在的XSS攻擊內(nèi)容，如移除<script>標(biāo)簽等
            value = value.replaceAll("<script>(.*?)</script>", "");
            // 可添加更多清理規(guī)則...
        }
        return value;
    }

    // 可重寫更多方法以支持對請求頭、請求體等的過濾...
}

import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.util.HtmlUtils;

@RestController
public class MyController {

    @GetMapping("/safeOutput")
    public String safeOutput(@RequestParam String userInput) {
        // 對用戶輸入進(jìn)行HTML編碼后再輸出
        String safeInput = HtmlUtils.htmlEscape(userInput);
        return "Safe output: " + safeInput;
    }
}

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
@EnableWebSecurity
public class SecurityConfig {

    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        http
            .csrf().disable() // 根據(jù)需要啟用或禁用CSRF保護(hù)
            .authorizeHttpRequests(authorizeRequests ->
                authorizeRequests
                    .anyRequest().authenticated() // 示例規(guī)則，可根據(jù)需要調(diào)整
            )
            .httpBasic(withDefaults()) // 示例認(rèn)證方式，可根據(jù)需要調(diào)整
            .addFilterBefore(new XssFilter(), CsrfFilter.class); // 添加自定義的XssFilter到安全鏈中

        return http.build();
    }
}

<!DOCTYPE html>
<html xmlns:th="http://www.thymeleaf.org">
<head>
    <title>Safe Output</title>
</head>
<body>
    <p th:text="${userInput}">User Input</p> <!-- Thymeleaf會自動對userInput進(jìn)行HTML轉(zhuǎn)義 -->
</body>
</html>

import javax.servlet.*;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;

public class SecurityHeadersFilter implements Filter {

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        if (response instanceof HttpServletResponse) {
            HttpServletResponse httpResponse = (HttpServletResponse) response;
            // 設(shè)置X-XSS-Protection響應(yīng)頭
            httpResponse.setHeader("X-XSS-Protection", "1; mode=block");
            // 可設(shè)置更多安全響應(yīng)頭...
        }
        chain.doFilter(request, response);
    }

    // 初始化、銷毀方法省略...
}

import org.springframework.boot.web.servlet.FilterRegistrationBean;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

@Configuration
public class FilterConfig {

    @Bean
    public FilterRegistrationBean<SecurityHeadersFilter> securityHeadersFilter() {
        FilterRegistrationBean<SecurityHeadersFilter> registrationBean = new FilterRegistrationBean<>();
        registrationBean.setFilter(new SecurityHeadersFilter());
        registrationBean.addUrlPatterns("/*");
        return registrationBean;
    }
}