How do I XSS-escape the content of an AJAX request in a Java backend?

I found several pieces of Java backend code for intercepting XSS; they all look roughly like the following:

package com.ibm.web.beans;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;

public class XssHttpServletRequestWrapper extends HttpServletRequestWrapper {

    public XssHttpServletRequestWrapper(HttpServletRequest servletRequest) {
        super(servletRequest);
    }

    // Every parameter value read through the wrapper goes through cleanXSS.
    @Override
    public String[] getParameterValues(String parameter) {
        String[] values = super.getParameterValues(parameter);
        if (values == null) {
            return null;
        }
        int count = values.length;
        String[] encodedValues = new String[count];
        for (int i = 0; i < count; i++) {
            encodedValues[i] = cleanXSS(values[i]);
        }
        return encodedValues;
    }

    @Override
    public String getParameter(String parameter) {
        String value = super.getParameter(parameter);
        if (value == null) {
            return null;
        }
        return cleanXSS(value);
    }

    @Override
    public String getHeader(String name) {
        String value = super.getHeader(name);
        if (value == null) {
            return null;
        }
        return cleanXSS(value);
    }

    // Blacklist-style cleaning: entity-encode a few characters, then strip some known patterns.
    // getInputStream()/getReader() are not overridden, so a request body never passes through here.
    private String cleanXSS(String value) {
        value = value.replaceAll("<", "&lt;").replaceAll(">", "&gt;");
        value = value.replaceAll("\\(", "&#40;").replaceAll("\\)", "&#41;");
        value = value.replaceAll("'", "&#39;");
        value = value.replaceAll("eval\\((.*)\\)", "");
        value = value.replaceAll("[\\\"\\\'][\\s]*javascript:(.*)[\\\"\\\']", "\"\"");
        value = value.replaceAll("script", "");
        return value;
    }
}

This only escapes request parameters. How can I also escape an AJAX JSON request?

Frontend code

$.ajaxSetup({
    contentType: 'application/json'
});

var obj = {"name" : "'", "code" : "<script>"}
$.post("/submit", JSON.stringify(obj), function (result, status) {
    alert('ok');
}, "json");

Backend code

@RequestMapping(value = "/submit", method = RequestMethod.POST)
public void submit(@RequestBody Student student) {
    System.out.println(student.getName());
    System.out.println(student.getCode());
}

Here the JSON submitted by AJAX is not escaped at all. I'm using Spring. How should I escape AJAX requests: intercept the setters with AOP, modify the HttpMessageConverter so that it escapes while converting the JSON into Java objects, or some other way?
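Of the three options raised above, hooking the JSON deserializer is the least invasive: Spring's MappingJackson2HttpMessageConverter delegates to a Jackson ObjectMapper, and a Jackson module that replaces the String deserializer escapes every String field of every @RequestBody object without touching controllers, entities or setters. The following is an added example, not code from the question or from Spring; it assumes Spring 5's WebMvcConfigurer and Jackson 2.x on the classpath, a hypothetical class name XssJsonConfig, an assumed shape for the question's Student (extended with a "note" field for the demo), and an entity-encoding routine of its own instead of the blacklist regexes in cleanXSS (which delete substrings such as "script" and so mangle legitimate values like "description").

```java
package com.ibm.web.config;

import java.io.IOException;
import java.util.List;

import com.fasterxml.jackson.core.JsonParser;
import com.fasterxml.jackson.databind.DeserializationContext;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.deser.std.StdDeserializer;
import com.fasterxml.jackson.databind.deser.std.StringDeserializer;
import com.fasterxml.jackson.databind.module.SimpleModule;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.converter.HttpMessageConverter;
import org.springframework.http.converter.json.MappingJackson2HttpMessageConverter;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;

/**
 * Installs an HTML-escaping String deserializer on the ObjectMapper that Spring MVC uses for
 * @RequestBody, so every String field of every JSON body is escaped once, at the point where
 * JSON becomes a Java object. (Hypothetical class; assumes Spring 5 and Jackson 2.x.)
 */
@Configuration
public class XssJsonConfig implements WebMvcConfigurer {

    @Override
    public void extendMessageConverters(List<HttpMessageConverter<?>> converters) {
        for (HttpMessageConverter<?> converter : converters) {
            if (converter instanceof MappingJackson2HttpMessageConverter) {
                ((MappingJackson2HttpMessageConverter) converter)
                        .getObjectMapper().registerModule(escapingModule());
            }
        }
    }

    /** Jackson module that swaps the default String deserializer for the escaping one. */
    static SimpleModule escapingModule() {
        return new SimpleModule("xss-escaping")
                .addDeserializer(String.class, new EscapingStringDeserializer());
    }

    /** Lets Jackson parse the value as usual (number-to-string coercion etc.), then escapes it. */
    static final class EscapingStringDeserializer extends StdDeserializer<String> {
        EscapingStringDeserializer() {
            super(String.class);
        }

        @Override
        public String deserialize(JsonParser p, DeserializationContext ctxt) throws IOException {
            return escapeHtml(StringDeserializer.instance.deserialize(p, ctxt));
        }
    }

    /**
     * Entity-encodes the characters that matter in an HTML text or attribute context.
     * Unlike a blacklist it never deletes content, so "description" survives and the
     * result can be decoded back to the original value.
     */
    static String escapeHtml(String s) {
        if (s == null) {
            return null;
        }
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                case '/':  out.append("&#47;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    /** Assumed shape of the question's Student, plus a "note" field for the demo. */
    public static class Student {
        private String name;
        private String code;
        private String note;
        public String getName() { return name; }
        public void setName(String name) { this.name = name; }
        public String getCode() { return code; }
        public void setCode(String code) { this.code = code; }
        public String getNote() { return note; }
        public void setNote(String note) { this.note = note; }
    }

    /** Stand-alone demo without Spring: the same module on a plain ObjectMapper. */
    public static void main(String[] args) throws IOException {
        ObjectMapper mapper = new ObjectMapper().registerModule(escapingModule());
        // Constructed body: the shape $.post sends in the question, plus a benign word containing "script".
        String body = "{\"name\":\"'\",\"code\":\"<script>alert(1)</script>\",\"note\":\"product description\"}";
        Student s = mapper.readValue(body, Student.class);
        System.out.println(s.getName());
        System.out.println(s.getCode());
        System.out.println(s.getNote());
    }
}
```

Running main shows the script tag arriving in Student.code entity-encoded while "product description" is left intact. Keep in mind that escaping on the way in is lossy and tied to one output context: the stored value is HTML-escaped even when it is later emitted into JavaScript, a URL or a CSV export, where different encoding is needed. The dependable defence remains encoding at output (a template engine with auto-escaping, or OWASP Java Encoder's Encode.forHtml and friends); input-side escaping like this is a safety net, not a replacement.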

Views: 5.2k
1 answer

Both need to be escaped. Your class already implements XSS filtering;
you just need to add a filter on top of it:

public void doFilter(ServletRequest request, ServletResponse response,
                     FilterChain chain) throws IOException, ServletException {
    HttpServletRequest req = (HttpServletRequest) request;
    // doFilter takes (request, response) only; pass the wrapped request down the chain
    chain.doFilter(new XssHttpServletRequestWrapper(req), response);
}
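One check before relying on this: the wrapper from the question overrides getParameter, getParameterValues and getHeader only, so a JSON body, which @RequestBody reads through getReader()/getInputStream(), never passes through cleanXSS. The filter below is an added example, not the answerer's code; it registers the question's wrapper (assumed to be in package com.ibm.web.beans) with a Servlet 3.0 @WebFilter, which needs annotation scanning (a plain container, or @ServletComponentScan under Spring Boot), and its main uses spring-test's MockHttpServletRequest with a constructed request to show which access paths the wrapper does and does not cover.

```java
package com.ibm.web.filter;

import java.io.BufferedReader;
import java.io.IOException;
import java.nio.charset.StandardCharsets;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;

import org.springframework.mock.web.MockHttpServletRequest;

import com.ibm.web.beans.XssHttpServletRequestWrapper;

/** Wraps every HTTP request with the question's XssHttpServletRequestWrapper. */
@WebFilter(urlPatterns = "/*")
public class XssFilter implements Filter {

    @Override
    public void init(FilterConfig filterConfig) {
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        if (request instanceof HttpServletRequest) {
            request = new XssHttpServletRequestWrapper((HttpServletRequest) request);
        }
        chain.doFilter(request, response);
    }

    @Override
    public void destroy() {
    }

    /**
     * Stand-alone check (constructed input, spring-test's MockHttpServletRequest):
     * a form-style parameter and a JSON body carrying the same payload, read the way
     * a controller argument and @RequestBody would read them respectively.
     */
    public static void main(String[] args) throws IOException {
        MockHttpServletRequest req = new MockHttpServletRequest("POST", "/submit");
        req.setParameter("code", "<script>");                       // read via getParameter
        req.setContentType("application/json");
        req.setContent("{\"name\":\"'\",\"code\":\"<script>\"}"      // what $.post sends
                .getBytes(StandardCharsets.UTF_8));                // read via getReader

        HttpServletRequest wrapped = new XssHttpServletRequestWrapper(req);

        System.out.println("getParameter(\"code\") -> " + wrapped.getParameter("code"));
        BufferedReader body = wrapped.getReader();
        System.out.println("getReader()           -> " + body.readLine());
    }
}
```

The parameter comes back altered by cleanXSS, while the body line is byte-for-byte what was sent: the filter is necessary for form and query-string input, but for JSON the escaping has to happen where the body is parsed (in the HttpMessageConverter's deserializer) or, better, at output time when the value is rendered.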