Custom JSON deserializer
package cc.fedtech.filter;
import com.fasterxml.jackson.core.JsonParser;
import com.fasterxml.jackson.core.JsonProcessingException;
import com.fasterxml.jackson.databind.DeserializationContext;
import com.fasterxml.jackson.databind.JsonDeserializer;
import org.springframework.web.util.HtmlUtils;
import java.io.IOException;
public class XssJsonDeserializer extends JsonDeserializer<String> {
@Override
public String deserialize(JsonParser jsonParser, DeserializationContext ctxt)
throws IOException, JsonProcessingException {
String value = jsonParser.getValueAsString();
if(value ! =null) {
// HTML escapes for values
return HtmlUtils.htmlEscape(value);
}
return value;
}
@Override
public Class<String> handledType(a) {
returnString.class; }}Copy the codeCustom JSON serializer
package cc.fedtech.filter;
import com.fasterxml.jackson.core.JsonGenerator;
import com.fasterxml.jackson.databind.JsonSerializer;
import com.fasterxml.jackson.databind.SerializerProvider;
import org.springframework.web.util.HtmlUtils;
import java.io.IOException;
public class XssJsonSerializer extends JsonSerializer<String> {
@Override
public Class<String> handledType(a) { return String.class; }
@Override
public void serialize(String value, JsonGenerator jsonGenerator, SerializerProvider serializerProvider)
throws IOException {
if(value ! =null) {
// HTML escapes the stringjsonGenerator.writeString(HtmlUtils.htmlEscape(value)); }}}Copy the codeCustom interceptors
package com.fedtech.common.filter.xss;
import org.apache.commons.lang3.StringUtils;
import org.springframework.core.Ordered;
import org.springframework.core.annotation.Order;
import org.springframework.stereotype.Component;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import java.io.IOException;
/** * Custom filter **@author <a href = "mailto:[email protected]" > huan </a >
* @date 2021/2/8
* @since1.0.0 * /
@Component
@Order(Ordered.HIGHEST_PRECEDENCE)
public class XssFilter implements Filter {
@Override
public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
throws IOException, ServletException {
String path = ((HttpServletRequest) request).getServletPath();
if (path.equals("/")) {
chain.doFilter(request, response);
}
if (StringUtils.containsAny(path, "/assets"."/templates"."/mapper"."/oauth")) {
chain.doFilter(request, response);
}
chain.doFilter(new XssRequestWrapper((HttpServletRequest) request), response);
}
@Override
public void init(FilterConfig filterConfig) throws ServletException {}@Override
public void destroy(a) {}}Copy the codeRequest parameter handling
package cc.fedtech.filter;
import org.apache.commons.lang3.StringUtils;
import org.springframework.web.util.HtmlUtils;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import java.util.Arrays;
public class XssRequestWrapper extends HttpServletRequestWrapper {
public XssRequestWrapper(HttpServletRequest request) {
super(request);
}
@Override
public String[] getParameterValues(String parameter) {
// Use the clean method to clean all parameters one by one
return Arrays.stream(super.getParameterValues(parameter)).map(this::clean).toArray(String[]::new);
}
@Override
public String getHeader(String name) {
// Also clean the request header
return clean(super.getHeader(name));
}
@Override
public String getParameter(String parameter) {
// Getting a single parameter value is also handled
return clean(super.getParameter(parameter));
}
The clean method simply HTML escapes the value
private String clean(String value) {
return StringUtils.isEmpty(value)? "": HtmlUtils.htmlEscape(value); }}Copy the codeRegister the deserializer
// Register a custom Jackson antisequencer
@Bean
public Module xssModule(a) {
SimpleModule module = new SimpleModule();
module.addDeserializer(String.class, new XssJsonDeserializer());
module.addSerializer(String.class, new XssJsonSerializer());
return module;
}
Copy the code