信息中特殊符号的处理
保存/修改中的信息包含<>等特殊符号时,保存后发现<>符号被过滤掉了。例如将用户的登录账号信息中加入<>,再保存就能看到效果
-
2019-05-18
https://www.renren.io/detail/10677
-
2019-05-19
@Mark 您好,我用的是 a(https://gitee.com/renrenio/renren-security)[https://gitee.com/renrenio/renren-security] ,按照您提供的网址中的方法,在XssFilter中使用[pre]
@Override
public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
throws IOException, ServletException {
XssHttpServletRequestWrapper xssRequest = new XssHttpServletRequestWrapper((HttpServletRequest) request);
HttpServletRequest orgRequest = XssHttpServletRequestWrapper.getOrgRequest((HttpServletRequest) request);
System.out.println("============="+ JSONObject.toJSONString(orgRequest.getParameterMap()));
chain.doFilter(xssRequest, response);
}
[/pre]没有输出任何结果face[泪]
-
2019-05-20
@Mark [pre]
request.getInputStream()
[/pre]读取一次后就没有数据了,需要在XssHttpServletRequestWrapper中缓存ServletInputStream
我是这么写的,不知道是否对原有程序有影响[pre]
/**
* Copyright (c) 2016-2019 人人开源 All rights reserved.
*
* https://www.renren.io
*
* 版权所有,侵权必究!
*/
package io.renren.common.xss;
import org.apache.commons.io.IOUtils;
import org.apache.commons.lang.StringUtils;
import org.springframework.http.HttpHeaders;
import org.springframework.http.MediaType;
import org.springframework.util.StreamUtils;
import javax.servlet.ReadListener;
import javax.servlet.ServletInputStream;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import java.io.*;
import java.util.LinkedHashMap;
import java.util.Map;
/**
* XSS过滤处理
*
* @author Mark sunlightcs@gmail.com
*/
public class XssHttpServletRequestWrapper extends HttpServletRequestWrapper {
/**
* 没被包装过的HttpServletRequest(特殊场景,需要自己过滤)
*/
HttpServletRequest orgRequest;
/**
* html过滤
*/
private final static HTMLFilter htmlFilter = new HTMLFilter();
byte[] orgRequestBody;
public XssHttpServletRequestWrapper(HttpServletRequest request) throws IOException {
super(request);
orgRequest = request;
orgRequestBody = StreamUtils.copyToByteArray(request.getInputStream());
}
@Override
public ServletInputStream getInputStream() throws IOException {
//非json类型,直接返回
if(!MediaType.APPLICATION_JSON_VALUE.equalsIgnoreCase(super.getHeader(HttpHeaders.CONTENT_TYPE))){
return getNewServletInputStream(null);
}
//为空,直接返回
String json = IOUtils.toString(orgRequestBody, "utf-8");
if (StringUtils.isBlank(json)) {
return getNewServletInputStream(null);
}
//xss过滤
json = xssEncode(json);
final ByteArrayInputStream bis = new ByteArrayInputStream(json.getBytes("utf-8"));
return getNewServletInputStream(bis);
}
private ServletInputStream getNewServletInputStream(ByteArrayInputStream bis){
return new ServletInputStream() {
@Override
public boolean isFinished() {
return true;
}
@Override
public boolean isReady() {
return true;
}
@Override
public void setReadListener(ReadListener readListener) {
}
@Override
public int read(){
if( bis!=null ){
return bis.read();
}else{
return new ByteArrayInputStream(orgRequestBody).read();
}
}
};
}
@Override
public BufferedReader getReader() throws IOException{
return new BufferedReader(new InputStreamReader(getInputStream()));
}
@Override
public String getParameter(String name) {
String value = super.getParameter(xssEncode(name));
if (StringUtils.isNotBlank(value)) {
value = xssEncode(value);
}
return value;
}
@Override
public String[] getParameterValues(String name) {
String[] parameters = super.getParameterValues(name);
if (parameters == null || parameters.length == 0) {
return null;
}
for (int i = 0; i < parameters.length; i++) {
parameters[i] = xssEncode(parameters[i]);
}
return parameters;
}
@Override
public Map<String,String[]> getParameterMap() {
Map<String,String[]> map = new LinkedHashMap<>();
Map<String,String[]> parameters = super.getParameterMap();
for (String key : parameters.keySet()) {
String[] values = parameters.get(key);
for (int i = 0; i < values.length; i++) {
values[i] = xssEncode(values[i]);
}
map.put(key, values);
}
return map;
}
@Override
public String getHeader(String name) {
String value = super.getHeader(xssEncode(name));
if (StringUtils.isNotBlank(value)) {
value = xssEncode(value);
}
return value;
}
private String xssEncode(String input) {
return htmlFilter.filter(input);
}
/**
* 获取最原始的request
*/
public HttpServletRequest getOrgRequest() {
return orgRequest;
}
/**
* 获取最原始的request
*/
public static HttpServletRequest getOrgRequest(HttpServletRequest request) {
if (request instanceof XssHttpServletRequestWrapper) {
return ((XssHttpServletRequestWrapper) request).getOrgRequest();
}
return request;
}
/**
* 获取最原始的RequestBody
*/
public static String getOrgRequestBody(HttpServletRequest request) throws IOException {
if (request instanceof XssHttpServletRequestWrapper) {
return ((XssHttpServletRequestWrapper) request).getOrgRequestBody();
}
return IOUtils.toString(request.getInputStream(), "utf-8");
}
private String getOrgRequestBody() throws IOException {
return IOUtils.toString(orgRequestBody, "utf-8");
}
}
[/pre]