JSP spring boot / cloud 使用filter防止XSS

/** * XssHttpServletRequestWrapper.java * Created at 2016-09-19 * Created by wangkang * Copyright (C) 2016 egridcloud.com, All rights reserved. */package com.egridcloud.udf.core.xss;import javax.servlet.http.HttpServletRequest;import javax.servlet.http.HttpServletRequestWrapper;import org.springframework.web.util.HtmlUtils;/** * 描述 : 跨站请求防范 * * @author wangkang * */public class XssHttpServletRequestWrapper extends HttpServletRequestWrapper { /**  * 描述 : 构造函数  *  * @param request 请求对象  */ public XssHttpServletRequestWrapper(HttpServletRequest request) {  super(request); } @Override public String getHeader(String name) {  String value = super.getHeader(name);  return HtmlUtils.htmlEscape(value); } @Override public String getParameter(String name) {  String value = super.getParameter(name);  return HtmlUtils.htmlEscape(value); } @Override public String[] getParameterValues(String name) {  String[] values = super.getParameterValues(name);  if (values != null) {   int length = values.length;   String[] escapseValues = new String[length];   for (int i = 0; i < length; i++) {    escapseValues[i] = HtmlUtils.htmlEscape(values[i]);   }   return escapseValues;  }  return super.getParameterValues(name); }}

/** * XssStringJsonSerializer.java * Created at 2016-09-19 * Created by wangkang * Copyright (C) 2016 egridcloud.com, All rights reserved. */package com.egridcloud.udf.core.xss;import java.io.IOException;import org.springframework.web.util.HtmlUtils;import com.fasterxml.jackson.core.JsonGenerator;import com.fasterxml.jackson.databind.JsonSerializer;import com.fasterxml.jackson.databind.SerializerProvider;/** * 描述 : 基于xss的JsonSerializer * * @author wangkang * */public class XssStringJsonSerializer extends JsonSerializer<String> { @Override public Class<String> handledType() {  return String.class; } @Override public void serialize(String value, JsonGenerator jsonGenerator,   SerializerProvider serializerProvider) throws IOException {  if (value != null) {   String encodedValue = HtmlUtils.htmlEscape(value);   jsonGenerator.writeString(encodedValue);  } }}

 /**  * 描述 : xssObjectMapper  *  * @param builder builder  * @return xssObjectMapper  */ @Bean @Primary public ObjectMapper xssObjectMapper(Jackson2ObjectMapperBuilder builder) {  //解析器  ObjectMapper objectMapper = builder.createXmlMapper(false).build();  //注册xss解析器  SimpleModule xssModule = new SimpleModule("XssStringJsonSerializer");  xssModule.addSerializer(new XssStringJsonSerializer());  objectMapper.registerModule(xssModule);  //返回  return objectMapper; }

/** * XssFilter.java * Created at 2016-09-19 * Created by wangkang * Copyright (C) 2016 egridcloud.com, All rights reserved. */package com.egridcloud.udf.core.xss;import java.io.IOException;import javax.servlet.Filter;import javax.servlet.FilterChain;import javax.servlet.FilterConfig;import javax.servlet.ServletException;import javax.servlet.ServletRequest;import javax.servlet.ServletResponse;import javax.servlet.annotation.WebFilter;import javax.servlet.http.HttpServletRequest;import org.slf4j.Logger;import org.slf4j.LoggerFactory;/** * 描述 : 跨站请求防范 * * @author wangkang * */@WebFilter(filterName = "xssFilter", urlPatterns = "/*", asyncSupported = true)public class XssFilter implements Filter { /**  * 描述 : 日志  */ private static final Logger LOGGER = LoggerFactory.getLogger(XssFilter.class); @Override public void init(FilterConfig filterConfig) throws ServletException {  LOGGER.debug("(XssFilter) initialize"); } @Override public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)   throws IOException, ServletException {  XssHttpServletRequestWrapper xssRequest =    new XssHttpServletRequestWrapper((HttpServletRequest) request);  chain.doFilter(xssRequest, response); } @Override public void destroy() {  LOGGER.debug("(XssFilter) destroy"); }}