Filtering rich-text content submitted via AJAX
I followed the earlier answer to this question:
https://www.renren.io/detail/10677
But I still can't work out where the following goes:
[pre]
HttpServletRequest orgRequest = XssHttpServletRequestWrapper.getOrgRequest(request);
String content = orgRequest.getParameter("content");
[/pre]
Do these two lines go inside the XssHttpServletRequestWrapper class? Where exactly should they be placed?
-
2019-09-17
Put them in your Controller method.
-
2019-09-18
@Mark
img[//cdn.renren.io/94a3a201909180852305010.png]
img[//cdn.renren.io/ca0d1201909180852483437.png]
In the first screenshot, the log output from my JS shows the unescaped HTML text.
In the second screenshot, with the lines placed in the Controller method, nothing is retrieved at all.
-
2019-09-18
The versions may differ; placing it in the Controller method did not work for me. The approach I used instead was to change the XSS filter's permissions.
img[//cdn.renren.io/45341201909181651383219.png]
The first screenshot is FilterConfig: that name is used in the class below, and the value is the address of the endpoint.
img[//cdn.renren.io/0b3e2201909181651282833.png]
The second screenshot is XssFilter; the red-underlined parts are what I added.
Full code below:
FilterConfig.java
[pre]
import org.springframework.boot.web.servlet.FilterRegistrationBean;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.web.filter.DelegatingFilterProxy;
import com.hxe.common.xss.XssFilter;
import javax.servlet.DispatcherType;

@Configuration
public class FilterConfig {

    @Bean
    public FilterRegistrationBean shiroFilterRegistration() {
        FilterRegistrationBean registration = new FilterRegistrationBean();
        registration.setFilter(new DelegatingFilterProxy("shiroFilter"));
        // Defaults to false, meaning the lifecycle is managed by the Spring ApplicationContext;
        // true means it is managed by the servlet container.
        registration.addInitParameter("targetFilterLifecycle", "true");
        registration.setEnabled(true);
        registration.setOrder(Integer.MAX_VALUE - 1);
        registration.addUrlPatterns("/*");
        return registration;
    }

    @Bean
    public FilterRegistrationBean xssFilterRegistration() {
        FilterRegistrationBean registration = new FilterRegistrationBean();
        registration.setDispatcherTypes(DispatcherType.REQUEST);
        registration.setFilter(new XssFilter());
        registration.addUrlPatterns("/*");
        // Comma-separated URI patterns that are NOT intercepted (the rich-text editor endpoint)
        registration.addInitParameter("goodContent", "*/mall/good/*");
        registration.setName("xssFilter");
        registration.setOrder(Integer.MAX_VALUE);
        return registration;
    }
}
[/pre]
XssFilter.java
[pre]
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import java.io.IOException;

public class XssFilter implements Filter {

    private String[] excludedUris;

    @Override
    public void init(FilterConfig config) throws ServletException {
        // URI patterns excluded from XSS escaping (the rich-text editor endpoint).
        // Guard against a missing init parameter so init() does not throw a NullPointerException.
        String excluded = config.getInitParameter("goodContent");
        excludedUris = (excluded == null) ? new String[0] : excluded.split(",");
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        XssHttpServletRequestWrapper xssRequest = new XssHttpServletRequestWrapper(
                (HttpServletRequest) request);
        String url = xssRequest.getServletPath();
        if (isExcludedUri(url)) {
            // Pass the original, unescaped request through
            chain.doFilter(request, response);
        } else {
            // Pass the escaping wrapper through
            chain.doFilter(xssRequest, response);
        }
    }

    @Override
    public void destroy() {
    }

    // Returns true when the URI matches one of the excluded (rich-text editor) patterns.
    // Only "*" is treated as a wildcard; it is translated to the regex ".*".
    private boolean isExcludedUri(String uri) {
        if (excludedUris == null || excludedUris.length == 0) {
            return false;
        }
        String normalizedUri = uri.trim().toLowerCase();
        for (String ex : excludedUris) {
            String pattern = ex.trim().toLowerCase().replace("*", ".*");
            if (normalizedUri.matches(pattern)) {
                return true;
            }
        }
        return false;
    }
}
[/pre]
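Both answers above leave one step open: once the rich-text endpoint is excluded from XssFilter (or the raw request is unwrapped in the Controller, as the first answer suggests), the submitted HTML is no longer escaped at all. The following is an added example, not code from either answer or from the renren-fast project, of a Controller for the excluded endpoint that reads the raw parameter and then reduces it to an HTML whitelist before it is stored. It assumes the jsoup library is on the classpath; the path /mall/good/save, the class name and the save method are hypothetical.

```java
import javax.servlet.http.HttpServletRequest;
import org.jsoup.Jsoup;
import org.jsoup.safety.Safelist;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RestController;

@RestController
public class GoodContentController { // hypothetical class name

    // Whitelist for the editor's HTML: headings, formatting, lists, tables, links and images.
    // script/iframe/style elements, on* event attributes and javascript: URLs are dropped,
    // so the filter bypass only removes escaping, not the protection against active content.
    private static final Safelist RICH_TEXT = Safelist.relaxed();

    // Reduces untrusted editor HTML to the whitelist above.
    public static String sanitizeRichText(String rawHtml) {
        return Jsoup.clean(rawHtml, RICH_TEXT);
    }

    // Matches the "*/mall/good/*" exclusion configured in FilterConfig, so XssFilter does
    // not escape this request. The path itself is hypothetical.
    @PostMapping("/mall/good/save")
    public String save(HttpServletRequest request) {
        // If another wrapper is still in front of the request, unwrap to the original
        // so the parameter is read unescaped (static helper from the wrapper class on this page).
        HttpServletRequest orgRequest = XssHttpServletRequestWrapper.getOrgRequest(request);
        String raw = orgRequest.getParameter("content");
        if (raw == null || raw.isEmpty()) {
            return "missing content";
        }
        String safeHtml = sanitizeRichText(raw);
        // Persist safeHtml, never raw; the hypothetical save step is left to the caller's service.
        return safeHtml;
    }
}
```

With this in place, an editor payload such as `<p>ok</p><script>alert(1)</script>` is stored as `<p>ok</p>`, while ordinary formatting from the editor survives intact.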