增加自定义xss过滤策略(可保存iframe)

paulGao 2022-01-11 11:20:54 +08:00
parent 23264d5d9b
commit a4d458bace


@ -5,6 +5,8 @@ import cn.hutool.core.text.CharSequenceUtil;
import cn.hutool.http.HtmlUtil; import cn.hutool.http.HtmlUtil;
import cn.hutool.json.JSONUtil; import cn.hutool.json.JSONUtil;
import lombok.extern.slf4j.Slf4j; import lombok.extern.slf4j.Slf4j;
import org.owasp.html.HtmlPolicyBuilder;
import org.owasp.html.PolicyFactory;
import org.owasp.html.Sanitizers; import org.owasp.html.Sanitizers;
import javax.servlet.ReadListener; import javax.servlet.ReadListener;
@ -57,6 +59,24 @@ public class XssHttpServletRequestWrapper extends HttpServletRequestWrapper {
"wechatpay", "wechatpay",
}; };
//允许的标签
private static final String[] allowedTags = {"h1", "h2", "h3", "h4", "h5", "h6",
"span", "strong",
"img", "video", "source", "iframe", "code",
"blockquote", "p", "div",
"ul", "ol", "li",
"table", "thead", "caption", "tbody", "tr", "th", "td", "br",
"a"
};
//需要转化的标签
private static final String[] needTransformTags = {"article", "aside", "command", "datalist", "details", "figcaption", "figure",
"footer", "header", "hgroup", "section", "summary"};
//带有超链接的标签
private static final String[] linkTags = {"img", "video", "source", "a", "iframe"};
public XssHttpServletRequestWrapper(HttpServletRequest request) { public XssHttpServletRequestWrapper(HttpServletRequest request) {
super(request); super(request);
} }
@ -257,6 +277,17 @@ public class XssHttpServletRequestWrapper extends HttpServletRequestWrapper {
private String cleanXSS(String value) { private String cleanXSS(String value) {
if (value != null) { if (value != null) {
// 自定义策略
PolicyFactory policy = new HtmlPolicyBuilder()
.allowStandardUrlProtocols()
//所有允许的标签
.allowElements(allowedTags)
//内容标签转化为div
.allowElements((elementName, attributes) -> "div", needTransformTags)
.allowAttributes("src", "href", "target", "width", "height").onElements(linkTags)
//校验链接中的是否为http
// .allowUrlProtocols("https")
.toFactory();
// basic prepackaged policies for links, tables, integers, images, styles, blocks // basic prepackaged policies for links, tables, integers, images, styles, blocks
value = Sanitizers.FORMATTING value = Sanitizers.FORMATTING
.and(Sanitizers.STYLES) .and(Sanitizers.STYLES)
@ -264,6 +295,7 @@ public class XssHttpServletRequestWrapper extends HttpServletRequestWrapper {
.and(Sanitizers.LINKS) .and(Sanitizers.LINKS)
.and(Sanitizers.BLOCKS) .and(Sanitizers.BLOCKS)
.and(Sanitizers.TABLES) .and(Sanitizers.TABLES)
.and(policy)
.sanitize(value); .sanitize(value);
} }
return HtmlUtil.unescape(value); return HtmlUtil.unescape(value);
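Review bot: The custom policy lets `iframe` (listed in both `allowedTags` and `linkTags`) carry any `src` that passes `allowStandardUrlProtocols()`, so stored content can frame an arbitrary http(s) origin — a phishing login form, a clickjacking overlay, or a page that runs whatever script it likes inside the frame — with nothing but the protocol check standing in the way. Constrain `src` on `iframe` with `.matching(Pattern)` against the embed hosts you actually intend to support and keep the unrestricted `src`/`href` for the other link tags; while there, hoist the policy out of `cleanXSS` into a `private static final PolicyFactory` (it is immutable and is currently rebuilt on every request) and delete the commented-out `.allowUrlProtocols("https")` line. Separately, the unchanged `return HtmlUtil.unescape(value)` decodes the entities the sanitizer just emitted, which presumably turns text like `&lt;script&gt;` back into literal `<script>` — confirm this is intended, because if the result is rendered as HTML it undoes the sanitization. `cleanXSS` begins in the previous hunk and is split across the two hunks shown; the fence below needs `java.util.regex.Pattern` imported.
```java
// Built once: PolicyFactory is immutable and thread-safe, so rebuilding it per request is wasted work.
private static final Pattern TRUSTED_IFRAME_SRC = Pattern.compile("https://TODO-embed-host/.*"); // TODO: real embed-host allowlist
private static final PolicyFactory CUSTOM_POLICY = new HtmlPolicyBuilder()
        .allowStandardUrlProtocols()
        .allowElements(allowedTags)
        .allowElements((elementName, attributes) -> "div", needTransformTags)
        .allowAttributes("src", "href", "target", "width", "height").onElements("img", "video", "source", "a")
        // iframe src must fully match the allowlist; any other origin is stripped rather than framed.
        .allowAttributes("src", "width", "height").matching(TRUSTED_IFRAME_SRC).onElements("iframe")
        .toFactory();

private String cleanXSS(String value) {
    if (value != null) {
        // … unchanged: Sanitizers.FORMATTING.and(...) chain …
        .and(CUSTOM_POLICY)
        .sanitize(value);
    }
    // … unchanged: return …
}
```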