信息中特殊符号的处理

提问 未结 3 76
as
as 2019-05-18
悬赏:20积分
保存/修改中的信息包含<>等特殊符号时,保存后发现<>符号被过滤掉了。例如将用户的登录账号信息中加入<>,再保存就能看到效果
回帖
  • https://www.renren.io/detail/10677
    0 回复
  • as
    as (楼主)
    2019-05-19
    @Mark 您好,我用的是 a(https://gitee.com/renrenio/renren-security)[https://gitee.com/renrenio/renren-security] ,按照您提供的网址中的方法,在XssFilter中使用[pre] @Override public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException { XssHttpServletRequestWrapper xssRequest = new XssHttpServletRequestWrapper((HttpServletRequest) request); HttpServletRequest orgRequest = XssHttpServletRequestWrapper.getOrgRequest((HttpServletRequest) request); System.out.println("============="+ JSONObject.toJSONString(orgRequest.getParameterMap())); chain.doFilter(xssRequest, response); } [/pre]没有输出任何结果face[泪]
    0 回复
  • as
    as (楼主)
    2019-05-20
    @Mark [pre] request.getInputStream() [/pre]读取一次后就没有数据了,需要在XssHttpServletRequestWrapper中缓存ServletInputStream 我是这么写的,不知道是否对原有程序有影响[pre] /** * Copyright (c) 2016-2019 人人开源 All rights reserved. * * https://www.renren.io * * 版权所有,侵权必究! */ package io.renren.common.xss; import org.apache.commons.io.IOUtils; import org.apache.commons.lang.StringUtils; import org.springframework.http.HttpHeaders; import org.springframework.http.MediaType; import org.springframework.util.StreamUtils; import javax.servlet.ReadListener; import javax.servlet.ServletInputStream; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletRequestWrapper; import java.io.*; import java.util.LinkedHashMap; import java.util.Map; /** * XSS过滤处理 * * @author Mark sunlightcs@gmail.com */ public class XssHttpServletRequestWrapper extends HttpServletRequestWrapper { /** * 没被包装过的HttpServletRequest(特殊场景,需要自己过滤) */ HttpServletRequest orgRequest; /** * html过滤 */ private final static HTMLFilter htmlFilter = new HTMLFilter(); byte[] orgRequestBody; public XssHttpServletRequestWrapper(HttpServletRequest request) throws IOException { super(request); orgRequest = request; orgRequestBody = StreamUtils.copyToByteArray(request.getInputStream()); } @Override public ServletInputStream getInputStream() throws IOException { //非json类型,直接返回 if(!MediaType.APPLICATION_JSON_VALUE.equalsIgnoreCase(super.getHeader(HttpHeaders.CONTENT_TYPE))){ return getNewServletInputStream(null); } //为空,直接返回 String json = IOUtils.toString(orgRequestBody, "utf-8"); if (StringUtils.isBlank(json)) { return getNewServletInputStream(null); } //xss过滤 json = xssEncode(json); final ByteArrayInputStream bis = new ByteArrayInputStream(json.getBytes("utf-8")); return getNewServletInputStream(bis); } private ServletInputStream getNewServletInputStream(ByteArrayInputStream bis){ return new ServletInputStream() { @Override public boolean isFinished() { return true; } @Override public boolean isReady() { return true; } @Override public void setReadListener(ReadListener readListener) { } @Override public int read(){ if( bis!=null ){ return bis.read(); }else{ return new ByteArrayInputStream(orgRequestBody).read(); } } }; } @Override public BufferedReader getReader() throws IOException{ return new BufferedReader(new InputStreamReader(getInputStream())); } @Override public String getParameter(String name) { String value = super.getParameter(xssEncode(name)); if (StringUtils.isNotBlank(value)) { value = xssEncode(value); } return value; } @Override public String[] getParameterValues(String name) { String[] parameters = super.getParameterValues(name); if (parameters == null || parameters.length == 0) { return null; } for (int i = 0; i < parameters.length; i++) { parameters[i] = xssEncode(parameters[i]); } return parameters; } @Override public Map<String,String[]> getParameterMap() { Map<String,String[]> map = new LinkedHashMap<>(); Map<String,String[]> parameters = super.getParameterMap(); for (String key : parameters.keySet()) { String[] values = parameters.get(key); for (int i = 0; i < values.length; i++) { values[i] = xssEncode(values[i]); } map.put(key, values); } return map; } @Override public String getHeader(String name) { String value = super.getHeader(xssEncode(name)); if (StringUtils.isNotBlank(value)) { value = xssEncode(value); } return value; } private String xssEncode(String input) { return htmlFilter.filter(input); } /** * 获取最原始的request */ public HttpServletRequest getOrgRequest() { return orgRequest; } /** * 获取最原始的request */ public static HttpServletRequest getOrgRequest(HttpServletRequest request) { if (request instanceof XssHttpServletRequestWrapper) { return ((XssHttpServletRequestWrapper) request).getOrgRequest(); } return request; } /** * 获取最原始的RequestBody */ public static String getOrgRequestBody(HttpServletRequest request) throws IOException { if (request instanceof XssHttpServletRequestWrapper) { return ((XssHttpServletRequestWrapper) request).getOrgRequestBody(); } return IOUtils.toString(request.getInputStream(), "utf-8"); } private String getOrgRequestBody() throws IOException { return IOUtils.toString(orgRequestBody, "utf-8"); } } [/pre]
    0 回复