安全问题

framework/pom.xml

@@ -45,9 +45,9 @@
         <de.codecentric>2.3.1</de.codecentric>
         <userAgentUtils>1.21</userAgentUtils>
         <interceptor-api>1.2</interceptor-api>
+        <commons-text>1.4</commons-text>
     </properties>
 
-
     <dependencies>
         <dependency>
             <groupId>javax.interceptor</groupId>
@@ -385,6 +385,13 @@
             <artifactId>UserAgentUtils</artifactId>
             <version>${userAgentUtils}</version>
         </dependency>
+
+
+        <dependency>
+            <groupId>org.apache.commons</groupId>
+            <artifactId>commons-text</artifactId>
+            <version>${commons-text}</version>
+        </dependency>
     </dependencies>
 
 

framework/src/main/java/cn/lili/common/security/filter/XssAndSqlHttpServletRequestWrapper.java

@@ -0,0 +1,46 @@
+package cn.lili.common.security.filter;
+
+
+import org.apache.commons.lang3.StringUtils;
+import org.apache.commons.text.StringEscapeUtils;
+
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletRequestWrapper;
+
+/**
+ * 防止Xss sql注入
+ *
+ * @author Chopper
+ * @version v1.0
+ * 2021-06-04 10:39
+ */
+public class XssAndSqlHttpServletRequestWrapper extends HttpServletRequestWrapper {
+    private HttpServletRequest request;
+
+    public XssAndSqlHttpServletRequestWrapper(HttpServletRequest request) {
+        super(request);
+        this.request = request;
+    }
+
+    @Override
+    public String getParameter(String name) {
+        String value = request.getParameter(name);
+        if (!StringUtils.isEmpty(value)) {
+            value = StringEscapeUtils.escapeHtml4(value);
+        }
+        return value;
+    }
+
+    @Override
+    public String[] getParameterValues(String name) {
+        String[] parameterValues = super.getParameterValues(name);
+        if (parameterValues == null) {
+            return null;
+        }
+        for (int i = 0; i < parameterValues.length; i++) {
+            String value = parameterValues[i];
+            parameterValues[i] = StringEscapeUtils.escapeHtml4(value);
+        }
+        return parameterValues;
+    }
+}

framework/src/main/java/cn/lili/common/security/filter/XssFilter.java

@@ -0,0 +1,60 @@
+package cn.lili.common.security.filter;
+
+
+import com.fasterxml.jackson.databind.ObjectMapper;
+import com.fasterxml.jackson.databind.module.SimpleModule;
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Primary;
+import org.springframework.http.converter.json.Jackson2ObjectMapperBuilder;
+import org.springframework.stereotype.Component;
+
+import javax.servlet.*;
+import javax.servlet.annotation.WebFilter;
+import javax.servlet.http.HttpServletRequest;
+import java.io.IOException;
+
+/**
+ * 防止XSS攻击过滤器
+ *
+ * @author Chopper
+ * @version v1.0
+ * 2021-06-04 10:37
+ */
+@WebFilter
+@Component
+public class XssFilter implements Filter {
+    @Override
+    public void init(FilterConfig filterConfig) throws ServletException {
+    }
+
+    @Override
+    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
+            throws IOException, ServletException {
+        HttpServletRequest req = (HttpServletRequest) request;
+        XssAndSqlHttpServletRequestWrapper xssRequestWrapper = new XssAndSqlHttpServletRequestWrapper(req);
+        chain.doFilter(xssRequestWrapper, response);
+    }
+
+    @Override
+    public void destroy() {
+    }
+
+    /**
+     * 过滤json类型的
+     *
+     * @param builder
+     * @return
+     */
+    @Bean
+    @Primary
+    public ObjectMapper xssObjectMapper(Jackson2ObjectMapperBuilder builder) {
+        //解析器
+        ObjectMapper objectMapper = builder.createXmlMapper(false).build();
+        //注册xss解析器
+        SimpleModule xssModule = new SimpleModule("XssStringJsonSerializer");
+        xssModule.addSerializer(new XssStringJsonSerializer());
+        objectMapper.registerModule(xssModule);
+        //返回
+        return objectMapper;
+    }
+}

framework/src/main/java/cn/lili/common/security/filter/XssStringJsonSerializer.java

@@ -0,0 +1,32 @@
+package cn.lili.common.security.filter;
+
+
+import com.fasterxml.jackson.core.JsonGenerator;
+import com.fasterxml.jackson.databind.JsonSerializer;
+import com.fasterxml.jackson.databind.SerializerProvider;
+import org.apache.commons.text.StringEscapeUtils;
+
+import java.io.IOException;
+
+/**
+ * 防止xss攻击 过滤字符串解析
+ *
+ * @author Chopper
+ * @version v1.0
+ * 2021-06-04 10:40
+ */
+public class XssStringJsonSerializer extends JsonSerializer<String> {
+    @Override
+    public Class<String> handledType() {
+        return String.class;
+    }
+
+    @Override
+    public void serialize(String value, JsonGenerator jsonGenerator,
+                          SerializerProvider serializerProvider) throws IOException {
+        if (value != null) {
+            String encodedValue = StringEscapeUtils.escapeHtml4(value);
+            jsonGenerator.writeString(encodedValue);
+        }
+    }
+}