springBoot集成jsoup解決安全漏洞之XSS注入攻擊問題

更新時間：2025年06月24日 09:55:07 作者：yololee_

這篇文章主要介紹了springBoot集成jsoup解決安全漏洞之XSS注入攻擊問題,具有很好的參考價值,希望對大家有所幫助,如有錯誤或未考慮完全的地方,望不吝賜教

跨站點(diǎn)腳本編制

風(fēng)險：可能會竊取或操縱客戶會話和 cookie，它們可能用于模仿合法用戶，從而使黑客能夠以該用戶身份查看或變更用戶記錄以及執(zhí)行事務(wù)。
原因：未對用戶輸入正確執(zhí)行危險字符清理
固定值：查看危險字符注入的可能解決方案

一、依賴

        <dependency>
            <groupId>org.jsoup</groupId>
            <artifactId>jsoup</artifactId>
            <version>1.11.3</version>
        </dependency>

二、自定義過濾器

XSS過濾處理邏輯

package com.yolo.springboot.kaptcha.filter;

import lombok.extern.slf4j.Slf4j;
import org.jsoup.Jsoup;
import org.jsoup.safety.Whitelist;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;

/**
 * XSS過濾處理
 */
@Slf4j
public class XssHttpServletRequestWrapper extends HttpServletRequestWrapper {

    public XssHttpServletRequestWrapper(HttpServletRequest request)
    {
        super(request);
    }

    /**
     * 獲取頭部參數(shù)
     * @param v 參數(shù)值
     */
    @Override
    public String getHeader(String v) {
        String header = super.getHeader(v);
        if (header == null || "".equals(header)) {
            return header;
        }
        return Jsoup.clean(super.getHeader(v), Whitelist.relaxed());
    }

    /**
     * 獲取參數(shù)
     * @param v 參數(shù)值
     */
    @Override
    public String getParameter(String v) {
        String param = super.getParameter(v);
        if (param == null || "".equals(param)) {
            return param;
        }
        return Jsoup.clean(super.getParameter(v), Whitelist.relaxed());
    }

    /**
     * 獲取參數(shù)值
     * @param v 參數(shù)值
     */
    @Override
    public String[] getParameterValues(String v) {
        String[] values = super.getParameterValues(v);
        if (values == null) {
            return values;
        }
        int length = values.length;
        String[] resultValues = new String[length];
        for (int i = 0; i < length; i++) {
            // 過濾特殊字符
            resultValues[i] = Jsoup.clean(values[i], Whitelist.relaxed()).trim();
            if (!(resultValues[i]).equals(values[i])) {
                log.debug("XSS過濾器 => 過濾前：{} => 過濾后：{}", values[i], resultValues[i]);
            }
        }
        return resultValues;
    }
}

防止XSS攻擊的過濾器

package com.yolo.springboot.kaptcha.filter;

import org.apache.commons.lang3.StringUtils;

import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import java.io.IOException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/**
 * @ClassName XssFilter
 * @Description 防止XSS攻擊的過濾器
 * @Author hl
 * @Date 2022/12/7 10:07
 * @Version 1.0
 */
public class XssFilter implements Filter {

    /**
     * 排除鏈接
     */
    public List<String> noFilterUrls = new ArrayList<>();

    /**
     * xss過濾開關(guān)
     */
    public boolean enabled = true;


    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
        // 從過濾器配置中獲取initParams參數(shù)
        String noFilterUrl = filterConfig.getInitParameter("noFilterUrl");
        // 將排除的URL放入成員變量noFilterUrls中
        if (StringUtils.isNotBlank(noFilterUrl)) {
            noFilterUrls = new ArrayList<>(Arrays.asList(noFilterUrl.split(",")));
        }
    }

    @Override
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) servletRequest;
        if (!enabled || handleExcludeURL(req)) {
            filterChain.doFilter(servletRequest, servletResponse);
            return;
        }
        XssHttpServletRequestWrapper xssRequest = new XssHttpServletRequestWrapper(req);
        filterChain.doFilter(xssRequest, servletResponse);
    }

    /**
     * 判斷是否為忽略的URL
     * @return true-忽略，false-過濾
     */
    private boolean handleExcludeURL(HttpServletRequest request) {
        if (noFilterUrls == null || noFilterUrls.isEmpty()) {
            return false;
        }

        String url = request.getServletPath();
//        return excludes.stream().map(pattern -> Pattern.compile("^" + pattern)).map(p -> p.matcher(url))
//                .anyMatch(Matcher::find);
        for (String pattern : noFilterUrls) {
            Pattern p = Pattern.compile("^" + pattern);
            Matcher m = p.matcher(url);
            if (m.find()) {
                return true;
            }
        }
        return false;
    }

    @Override
    public void destroy() {
        Filter.super.destroy();
    }
}

注冊過濾器

package com.yolo.springboot.kaptcha.config;

import com.yolo.springboot.kaptcha.filter.XssFilter;
import org.springframework.boot.web.servlet.FilterRegistrationBean;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

@Configuration
public class FilterConfig {


    @Bean
    public FilterRegistrationBean<?> xssFilterRegistration() {
        FilterRegistrationBean<XssFilter> registration = new FilterRegistrationBean<>();
        // 將過濾器配置到FilterRegistrationBean對象中
        registration.setFilter(new XssFilter());
        // 給過濾器取名
        registration.setName("xssFilter");
        // 設(shè)置過濾器優(yōu)先級，該值越小越優(yōu)先被執(zhí)行
        registration.setOrder(0);
        List<String> urlPatterns = new ArrayList<>();
        urlPatterns.add("/*");
        //這里需要填寫排除上傳文件的接口
        Map<String, String> paramMap = new HashMap<>();
        paramMap.put("noFilterUrl", "/login,/logout,/images/*");
        // 設(shè)置initParams參數(shù)
        registration.setInitParameters(paramMap);
        // 設(shè)置urlPatterns參數(shù)
        registration.setUrlPatterns(urlPatterns);
        return registration;
    }
}