diff --git a/framework/pom.xml b/framework/pom.xml
index a47a8901..26ba0ab9 100644
--- a/framework/pom.xml
+++ b/framework/pom.xml
@@ -45,9 +45,9 @@
2.3.1
1.21
1.2
+ 1.4
-
javax.interceptor
@@ -385,6 +385,13 @@
UserAgentUtils
${userAgentUtils}
+
+
+
+ org.apache.commons
+ commons-text
+ ${commons-text}
+
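Review bot: `commons-text` is pinned to 1.4 (via the `${commons-text}` property added in the first hunk), a 2018 release, while the only API this commit uses from it is `StringEscapeUtils.escapeHtml4`, which has been stable across the 1.x line. If the pin is raised later, note that CVE-2022-42889 (the `StringSubstitutor` interpolation issue) affects 1.5 through 1.9, so move to 1.10.0 or later rather than the next minor; 1.4 itself sits outside that range. Since this is the shared `framework` module, the new artifact should be covered by whatever dependency scanning the build already runs, and the property would read better next to the other `commons-*` versions than where it is inserted here.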
diff --git a/framework/src/main/java/cn/lili/common/security/filter/XssAndSqlHttpServletRequestWrapper.java b/framework/src/main/java/cn/lili/common/security/filter/XssAndSqlHttpServletRequestWrapper.java
new file mode 100644
index 00000000..37e96de8
--- /dev/null
+++ b/framework/src/main/java/cn/lili/common/security/filter/XssAndSqlHttpServletRequestWrapper.java
@@ -0,0 +1,46 @@
+package cn.lili.common.security.filter;
+
+
+import org.apache.commons.lang3.StringUtils;
+import org.apache.commons.text.StringEscapeUtils;
+
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletRequestWrapper;
+
+/**
+ * 防止Xss sql注入
+ *
+ * @author Chopper
+ * @version v1.0
+ * 2021-06-04 10:39
+ */
+public class XssAndSqlHttpServletRequestWrapper extends HttpServletRequestWrapper {
+ private HttpServletRequest request;
+
+ public XssAndSqlHttpServletRequestWrapper(HttpServletRequest request) {
+ super(request);
+ this.request = request;
+ }
+
+ @Override
+ public String getParameter(String name) {
+ String value = request.getParameter(name);
+ if (!StringUtils.isEmpty(value)) {
+ value = StringEscapeUtils.escapeHtml4(value);
+ }
+ return value;
+ }
+
+ @Override
+ public String[] getParameterValues(String name) {
+ String[] parameterValues = super.getParameterValues(name);
+ if (parameterValues == null) {
+ return null;
+ }
+ for (int i = 0; i < parameterValues.length; i++) {
+ String value = parameterValues[i];
+ parameterValues[i] = StringEscapeUtils.escapeHtml4(value);
+ }
+ return parameterValues;
+ }
+}
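Review bot: The class name and the Javadoc (`防止Xss sql注入`) promise SQL-injection protection, but `escapeHtml4` only entity-encodes `<`, `>`, `&`, `"` and the HTML4 named characters — it leaves `'` untouched and does nothing to payloads such as `OR 1=1`, `--` or `;`, so it is not a SQL control (parameterized queries are) and it also misses single-quoted HTML attribute contexts for XSS; I would rename the wrapper or at least reword the doc to `HTML-entity-encodes request parameters (no apostrophe escaping); SQL injection must still be prevented with parameterized queries`. Encoding at the request layer is also lossy: an `&` or `<` in a search term or any free-text field reaches the application as `&amp;`/`&lt;`, and if that value is stored and later rendered through the serializer registered in this same commit it is encoded a second time. `getParameterMap()` is not overridden, so any caller that reads the map still gets the raw values, and `getParameterValues` writes the escaped strings back into the array the container returned, which may or may not be a private copy depending on the container. The version below escapes into a fresh array and covers the map; it needs `java.util.Map`, `java.util.LinkedHashMap` and `java.util.Collections` imported.
```java
    // … unchanged: constructor and getParameter …

    @Override
    public String[] getParameterValues(String name) {
        String[] raw = super.getParameterValues(name);
        if (raw == null) {
            return null;
        }
        // Escape into a fresh array; the container may hand out its own backing array.
        String[] escaped = new String[raw.length];
        for (int i = 0; i < raw.length; i++) {
            escaped[i] = raw[i] == null ? null : StringEscapeUtils.escapeHtml4(raw[i]);
        }
        return escaped;
    }

    /** Same encoding for callers that read the whole map (e.g. data binders). */
    @Override
    public Map<String, String[]> getParameterMap() {
        Map<String, String[]> escaped = new LinkedHashMap<>();
        for (String name : super.getParameterMap().keySet()) {
            escaped.put(name, getParameterValues(name));
        }
        return Collections.unmodifiableMap(escaped);
    }
```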
diff --git a/framework/src/main/java/cn/lili/common/security/filter/XssFilter.java b/framework/src/main/java/cn/lili/common/security/filter/XssFilter.java
new file mode 100644
index 00000000..97433044
--- /dev/null
+++ b/framework/src/main/java/cn/lili/common/security/filter/XssFilter.java
@@ -0,0 +1,60 @@
+package cn.lili.common.security.filter;
+
+
+import com.fasterxml.jackson.databind.ObjectMapper;
+import com.fasterxml.jackson.databind.module.SimpleModule;
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Primary;
+import org.springframework.http.converter.json.Jackson2ObjectMapperBuilder;
+import org.springframework.stereotype.Component;
+
+import javax.servlet.*;
+import javax.servlet.annotation.WebFilter;
+import javax.servlet.http.HttpServletRequest;
+import java.io.IOException;
+
+/**
+ * 防止XSS攻击过滤器
+ *
+ * @author Chopper
+ * @version v1.0
+ * 2021-06-04 10:37
+ */
+@WebFilter
+@Component
+public class XssFilter implements Filter {
+ @Override
+ public void init(FilterConfig filterConfig) throws ServletException {
+ }
+
+ @Override
+ public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
+ throws IOException, ServletException {
+ HttpServletRequest req = (HttpServletRequest) request;
+ XssAndSqlHttpServletRequestWrapper xssRequestWrapper = new XssAndSqlHttpServletRequestWrapper(req);
+ chain.doFilter(xssRequestWrapper, response);
+ }
+
+ @Override
+ public void destroy() {
+ }
+
+ /**
+ * 过滤json类型的
+ *
+ * @param builder
+ * @return
+ */
+ @Bean
+ @Primary
+ public ObjectMapper xssObjectMapper(Jackson2ObjectMapperBuilder builder) {
+ //解析器
+ ObjectMapper objectMapper = builder.createXmlMapper(false).build();
+ //注册xss解析器
+ SimpleModule xssModule = new SimpleModule("XssStringJsonSerializer");
+ xssModule.addSerializer(new XssStringJsonSerializer());
+ objectMapper.registerModule(xssModule);
+ //返回
+ return objectMapper;
+ }
+}
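Review bot: The `xssObjectMapper` bean registers a `JsonSerializer`, which Jackson runs when it writes JSON, so the `过滤json类型的` comment is misleading — a JSON request body (`@RequestBody`) is touched neither by this bean nor by the wrapper, which only intercepts `getParameter`/`getParameterValues`; the Javadoc should say so: `Output-side encoding only: strings in JSON produced by this mapper are HTML-entity-encoded; JSON request bodies are not filtered here`. Because the bean is `@Primary`, every consumer of the application's default `ObjectMapper` gets entity-encoded strings, not only the MVC response path — if an outbound HTTP client, cache or message layer injects the same mapper, data sent to those systems is altered too; a dedicated `MappingJackson2HttpMessageConverter`, or `@JsonSerialize(using = XssStringJsonSerializer.class)` on the fields that need it, keeps the effect where it is intended. Declaring a `@Bean` inside a `Filter` is also a style issue; it belongs in a `@Configuration` class. Finally, `@WebFilter` with no `urlPatterns` on a class that is already a `@Component` is redundant — Spring Boot registers `Filter` beans for `/*` on its own and honours `@WebFilter` only under `@ServletComponentScan`, where the two paths can register the filter twice; drop one of the annotations, or use a `FilterRegistrationBean` to set order and URL patterns explicitly.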
diff --git a/framework/src/main/java/cn/lili/common/security/filter/XssStringJsonSerializer.java b/framework/src/main/java/cn/lili/common/security/filter/XssStringJsonSerializer.java
new file mode 100644
index 00000000..064fe49a
--- /dev/null
+++ b/framework/src/main/java/cn/lili/common/security/filter/XssStringJsonSerializer.java
@@ -0,0 +1,32 @@
+package cn.lili.common.security.filter;
+
+
+import com.fasterxml.jackson.core.JsonGenerator;
+import com.fasterxml.jackson.databind.JsonSerializer;
+import com.fasterxml.jackson.databind.SerializerProvider;
+import org.apache.commons.text.StringEscapeUtils;
+
+import java.io.IOException;
+
+/**
+ * 防止xss攻击 过滤字符串解析
+ *
+ * @author Chopper
+ * @version v1.0
+ * 2021-06-04 10:40
+ */
+public class XssStringJsonSerializer extends JsonSerializer {
+ @Override
+ public Class handledType() {
+ return String.class;
+ }
+
+ @Override
+ public void serialize(String value, JsonGenerator jsonGenerator,
+ SerializerProvider serializerProvider) throws IOException {
+ if (value != null) {
+ String encodedValue = StringEscapeUtils.escapeHtml4(value);
+ jsonGenerator.writeString(encodedValue);
+ }
+ }
+}
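Review bot: HTML-entity-encoding every `String` at the JSON transport layer is the wrong layer for XSS defence and corrupts legitimate data for every client, not just browsers — a URL with `&`, a product description with `"`, or a value already encoded by the request wrapper in this commit (`&lt;` becomes `&amp;lt;`) all change meaning before the consumer sees them. For a JSON API the controls are `Content-Type: application/json` with `X-Content-Type-Options: nosniff` on the response and context-aware escaping where the front-end renders the string; if output encoding is still wanted, it should be opt-in per field (`@JsonSerialize(using = XssStringJsonSerializer.class)`) rather than installed on the primary mapper. Two smaller points on the code: when `value` is `null` the method writes nothing, which would yield malformed JSON if it were ever reached (Jackson normally routes nulls to the null serializer, so an `else { jsonGenerator.writeNull(); }` is cheap insurance), and the class should extend `JsonSerializer<String>` with `Class<String> handledType()` — if the type argument is genuinely absent rather than dropped by this rendering, `serialize(String, …)` does not override the erased `serialize(Object, …)` and the class will not compile. A one-line Javadoc note that `escapeHtml4` does not encode `'` would also save the next reader from assuming attribute contexts are covered.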