
xss攻击处理

xie.bx 2 vuotta sitten
vanhempi
commit
2af81523e5

+ 47 - 0
im-platform/src/main/java/com/bx/implatform/config/XssBodyConfig.java

@@ -0,0 +1,47 @@
+package com.bx.implatform.config;
+
+import com.fasterxml.jackson.core.JsonParser;
+import com.fasterxml.jackson.databind.DeserializationContext;
+import com.fasterxml.jackson.databind.JsonDeserializer;
+import com.fasterxml.jackson.databind.ObjectMapper;
+import com.fasterxml.jackson.databind.module.SimpleModule;
+import org.apache.commons.lang3.StringEscapeUtils;
+import org.apache.commons.lang3.StringUtils;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.context.annotation.Configuration;
+
+import javax.annotation.PostConstruct;
+import java.io.IOException;
+
+@Configuration
+public class XssBodyConfig {
+
+    @Autowired
+    private ObjectMapper objectMapper;
+
+    @PostConstruct
+    public void afterPropertiesSet() throws Exception {
+        SimpleModule simpleModule = new SimpleModule();
+        simpleModule.addDeserializer(String.class, new JsonHtmlXssDeserializer());
+        objectMapper.registerModule(simpleModule);
+    }
+
+
+    class JsonHtmlXssDeserializer extends JsonDeserializer {
+
+        @Override
+        public Class<String> handledType() {
+            return String.class;
+        }
+
+        @Override
+        public String deserialize(JsonParser jsonParser, DeserializationContext deserializationContext) throws IOException {
+            String value = jsonParser.getValueAsString();
+            if (StringUtils.isNotEmpty(value)) {
+                return StringEscapeUtils.escapeHtml4(value);
+            }
+            return value;
+        }
+
+}
+}
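Review bot: `JsonHtmlXssDeserializer` extends the raw `JsonDeserializer`, so `deserialize` is an unchecked override and the compiler cannot verify the `String` contract that `addDeserializer(String.class, …)` relies on; declare it `static class JsonHtmlXssDeserializer extends JsonDeserializer<String>` (static because it never touches the enclosing config instance). `afterPropertiesSet()` declares `throws Exception` although nothing in its body throws a checked exception, so the clause should be dropped. Note that this escapes every `String` field read through the shared `ObjectMapper` at input time, which is output encoding applied at the storage boundary: values such as passwords or display names containing `&`, `<` or `"` are persisted in HTML-escaped form and will be double-encoded if the client also escapes on render, so a class-level Javadoc stating this trade-off and which request bodies it covers is needed. `org.apache.commons.lang3.StringEscapeUtils` is deprecated since commons-lang3 3.6 in favour of `org.apache.commons.text.StringEscapeUtils`; the same applies to XssHttpServletRequestWrapper below.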

+ 28 - 0
im-platform/src/main/java/com/bx/implatform/filter/XssFilter.java

@@ -0,0 +1,28 @@
+package com.bx.implatform.filter;
+
+import org.springframework.boot.web.servlet.ServletComponentScan;
+import org.springframework.stereotype.Component;
+
+import javax.servlet.*;
+import javax.servlet.annotation.WebFilter;
+import javax.servlet.http.HttpServletRequest;
+import java.io.IOException;
+import java.util.List;
+
+@Component
+@ServletComponentScan
+@WebFilter(urlPatterns = "/*",filterName = "xssFilter")
+public class XssFilter implements Filter {
+
+    @Override
+    public void init(FilterConfig filterConfig)  {}
+
+    @Override
+    public void destroy() {}
+
+    @Override
+    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
+        chain.doFilter(new XssHttpServletRequestWrapper((HttpServletRequest) request), response);
+    }
+
+}
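Review bot: `doFilter` casts `request` to `HttpServletRequest` unconditionally, so a non-HTTP `ServletRequest` reaching the chain fails with a `ClassCastException` instead of passing through; guard it with `ServletRequest wrapped = request instanceof HttpServletRequest ? new XssHttpServletRequestWrapper((HttpServletRequest) request) : request;` followed by `chain.doFilter(wrapped, response);`. The class carries both `@Component` and `@WebFilter`, and `@ServletComponentScan` is placed on the filter itself rather than on the application or a `@Configuration` class; since Spring Boot registers `Filter` beans automatically, this combination is likely to register the filter twice, once per mechanism, and should be reduced to one of them. The empty `init`/`destroy` overrides are redundant with the default methods `Filter` provides from Servlet 4.0 onward; if the project targets an older servlet API, a one-line comment saying so would explain why they are kept.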

+ 47 - 0
im-platform/src/main/java/com/bx/implatform/filter/XssHttpServletRequestWrapper.java

@@ -0,0 +1,47 @@
+package com.bx.implatform.filter;
+
+import cn.hutool.extra.servlet.ServletUtil;
+import lombok.SneakyThrows;
+import org.apache.commons.lang3.ArrayUtils;
+import org.apache.commons.lang3.StringEscapeUtils;
+import org.springframework.web.util.HtmlUtils;
+
+import javax.servlet.ReadListener;
+import javax.servlet.ServletInputStream;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletRequestWrapper;
+import java.io.BufferedReader;
+import java.io.ByteArrayInputStream;
+import java.io.IOException;
+import java.io.InputStreamReader;
+
+public class XssHttpServletRequestWrapper extends HttpServletRequestWrapper {
+
+    public XssHttpServletRequestWrapper(HttpServletRequest request) {
+        super(request);
+    }
+
+    @Override
+    public String getQueryString() {
+        return StringEscapeUtils.escapeHtml4(super.getQueryString());
+    }
+
+    @Override
+    public String getParameter(String name) {
+        return StringEscapeUtils.escapeHtml4(super.getParameter(name));
+    }
+
+    @Override
+    public String[] getParameterValues(String name) {
+        String[] values = super.getParameterValues(name);
+        if (ArrayUtils.isEmpty(values)) {
+            return values;
+        }
+        int length = values.length;
+        String[] escapeValues = new String[length];
+        for (int i = 0; i < length; i++) {
+            escapeValues[i] = StringEscapeUtils.escapeHtml4(values[i]);
+        }
+        return escapeValues;
+    }
+}
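Review bot: `getQueryString` HTML-escapes the raw query string, so every `&` separating parameters becomes `&amp;` and any caller that parses the query string itself (redirect building, request signing, audit logging) no longer sees the original parameter boundaries; either leave `getQueryString` untouched and rely on the per-parameter overrides, or split on `&` first and escape each value. `getParameterMap()` is not overridden, so code that reads parameters through the map receives unescaped values, inconsistent with `getParameter`/`getParameterValues`. Nine imports (`ServletUtil`, `SneakyThrows`, `HtmlUtils`, `ReadListener`, `ServletInputStream`, `BufferedReader`, `ByteArrayInputStream`, `InputStreamReader`, `IOException`) are unused, which suggests body wrapping was planned here and then moved to the Jackson deserializer; removing them and adding a class Javadoc stating that request bodies are intentionally handled by `XssBodyConfig` would make the division of responsibility explicit.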