springboot清除字符串前后空格與防xss攻擊
一、查看WebMvcAutoConfiguration.class中的方法源碼
|
1
2
3
4
5
6
7
|
protected ConfigurableWebBindingInitializer getConfigurableWebBindingInitializer() { try { //從容器中獲取 return (ConfigurableWebBindingInitializer)this.beanFactory.getBean(ConfigurableWebBindingInitializer.class); } catch (NoSuchBeanDefinitionException ex) { return super.getConfigurableWebBindingInitializer(); } |
可以發(fā)現(xiàn)ConfigurableWebBindingInitializer是從容器(beanFactory)中獲取到的,所以我們可以配置一個(gè)
ConfigurableWebBindingInitializer來替換默認(rèn)的,只需要在容器中添加一個(gè)我們自定義的轉(zhuǎn)換器即可。
當(dāng)我們創(chuàng)建了自己的ConfigurableWebBindingInitializer這個(gè)Bean,Spring boot就會自動使用它來配置Spring MVC實(shí)現(xiàn)參數(shù)的類型轉(zhuǎn)換。
二、自定義屬性編輯器
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
|
/** * * @description 與spring mvc的@InitBinder結(jié)合 用于防止XSS攻擊 */ class StringEscapeEditor extends PropertyEditorSupport { /** 轉(zhuǎn)義HTML */ private boolean escapeHTML; /** 轉(zhuǎn)義javascript */ private boolean escapeJavaScript; /** 是否將空字符串轉(zhuǎn)換為null */ private final boolean emptyAsNull; /** 是否去掉前后空格 */ private final boolean trimmed; public StringEscapeEditor() { this(true,true,false,true); } public StringEscapeEditor(boolean escapeHTML, boolean escapeJavaScript) { this(true,true,escapeHTML,escapeJavaScript); } public StringEscapeEditor(boolean emptyAsNull,boolean trimmed, boolean escapeHTML, boolean escapeJavaScript) { super(); this.emptyAsNull = emptyAsNull; this.trimmed = trimmed; this.escapeHTML = escapeHTML; this.escapeJavaScript = escapeJavaScript; } @Override public String getAsText() { Object value = getValue(); if(Objects.nonNull(value)) { return value.toString(); } return value != null ? value.toString() : null; } @Override public void setAsText(String text) throws IllegalArgumentException { String value = text; if (value == null || emptyAsNull && text.isEmpty()) { //do nothing } else if (trimmed) { //去字符傳參數(shù)前后空格 value = value.trim(); } if (escapeHTML) { //HTML轉(zhuǎn)義(防止XSS攻擊) //HtmlUtils.htmlEscape 默認(rèn)的是ISO-8859-1編碼格式,會將中文的某些符號進(jìn)行轉(zhuǎn)義。 //如果不想讓中文符號進(jìn)行轉(zhuǎn)義請使用UTF-8的編碼格式。例如:HtmlUtils.htmlEscape(text, "UTF-8") value = HtmlUtils.htmlEscape(value, "UTF-8"); } if (escapeJavaScript) { //javascript轉(zhuǎn)義(防止XSS攻擊) value = JavaScriptUtils.javaScriptEscape(value); } setValue(value); } } |
三、創(chuàng)建WebBindingInitializerConfiguration類
加上@Bean注解,交給spring容器管理。
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
|
@Configurationpublic class WebBindingInitializerConfiguration { @Bean public ConfigurableWebBindingInitializer getConfigurableWebBindingInitializer() { ConfigurableWebBindingInitializer initializer = new ConfigurableWebBindingInitializer(); FormattingConversionService conversionService = new DefaultFormattingConversionService(); //we can add our custom converters and formatters //conversionService.addConverter(...); //conversionService.addFormatter(...); initializer.setConversionService(conversionService); //we can set our custom validator //initializer.setValidator(....); //here we are setting a custom PropertyEditor initializer.setPropertyEditorRegistrar(propertyEditorRegistry -> { propertyEditorRegistry.registerCustomEditor(String.class, new StringEscapeEditor()); }); return initializer; }} |
springboot去除參數(shù)中前后空格說明
一、 需求
使用SpringBoot使用過濾器去除@RequestBody參數(shù)兩端的空格;一般我們?nèi)テ胀ǖ恼埱笪覀兌紩φ埱髤?shù)進(jìn)行驗(yàn)證。
Java也提供了@notNull和@notBlank這種驗(yàn)證方式,但是對@RequestBody 這種只能驗(yàn)證是不是非空,對數(shù)據(jù)兩端的空格未進(jìn)行處理,同時(shí)大家也不想遍歷一遍參數(shù)然后再處理再封裝到對象中,正好項(xiàng)目中有這個(gè)需要,所以就參考別的做了Post請求中針對application/json格式的有@RequestBody注解的參數(shù)進(jìn)行了去空格處理
二、 解決方法
2.1 新建一個(gè)過濾器
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
|
@Component@WebFilter(urlPatterns = "/**", filterName = "ParamsFilter", dispatcherTypes = DispatcherType.REQUEST)public class ParamsFilter implements Filter { @Override public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException { ParameterRequestWrapper parmsRequest = new ParameterRequestWrapper((HttpServletRequest) request); chain.doFilter(parmsRequest, response); } @Override public void init(FilterConfig filterConfig) throws ServletException { } @Override public void destroy() { }} |
2.2 實(shí)現(xiàn)ParameterRequestWrapper
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
|
import java.io.ByteArrayInputStream;import java.io.IOException;import java.util.ArrayList;import java.util.HashMap;import java.util.Iterator;import java.util.List;import java.util.Map;import java.util.Set;import javax.servlet.ReadListener;import javax.servlet.ServletInputStream;import javax.servlet.http.HttpServletRequest;import javax.servlet.http.HttpServletRequestWrapper;import com.alibaba.fastjson.JSONArray;import com.alibaba.fastjson.JSONObject;import org.apache.commons.io.IOUtils;import org.apache.commons.lang3.StringUtils;import org.springframework.http.HttpHeaders;import org.springframework.http.MediaType;import com.alibaba.fastjson.JSON;/** * @author : * @description * @date : 2021/4/22 */public class ParameterRequestWrapper extends HttpServletRequestWrapper { private Map<String , String[]> params = new HashMap<>(); public ParameterRequestWrapper(HttpServletRequest request) { super(request); Map<String, String[]> requestMap=request.getParameterMap(); this.params.putAll(requestMap); this.modifyParameterValues(); } @Override public ServletInputStream getInputStream() throws IOException { if(!super.getHeader(HttpHeaders.CONTENT_TYPE).equalsIgnoreCase(MediaType.APPLICATION_JSON_VALUE)){ return super.getInputStream(); } String json = IOUtils.toString(super.getInputStream(), "utf-8"); if (StringUtils.isEmpty(json)) { return super.getInputStream(); } Map<String,Object> map= jsonStringToMap(json); ByteArrayInputStream bis = new ByteArrayInputStream(JSON.toJSONString(map).getBytes("utf-8")); return new MyServletInputStream(bis); } public void modifyParameterValues(){ Set<String> set = params.keySet(); Iterator<String> it = set.iterator(); while(it.hasNext()){ String key= it.next(); String[] values = params.get(key); values[0] = values[0].trim(); params.put(key, values); } } @Override public String getParameter(String name) { String[]values = params.get(name); if(values == null || values.length == 0) { return null; } return values[0]; } @Override public String[] getParameterValues(String name) { return params.get(name); } class MyServletInputStream extends ServletInputStream { private ByteArrayInputStream bis; public MyServletInputStream(ByteArrayInputStream bis){ this.bis=bis; } @Override public boolean isFinished() { return true; } @Override public boolean isReady() { return true; } @Override public void setReadListener(ReadListener listener) { } @Override public int read(){ return bis.read(); } } public static Map<String, Object> jsonStringToMap(String jsonString) { Map<String, Object> map = new HashMap<>(); JSONObject jsonObject = JSONObject.parseObject(jsonString); for (Object k : jsonObject.keySet()) { Object o = jsonObject.get(k); if (o instanceof JSONArray) { List<Map<String, Object>> list = new ArrayList<>(); Iterator<Object> it = ((JSONArray) o).iterator(); while (it.hasNext()) { Object obj = it.next(); list.add(jsonStringToMap(obj.toString())); } map.put(k.toString(), list); } else if (o instanceof JSONObject) { map.put(k.toString(), jsonStringToMap(o.toString())); } else { if (o instanceof String) { map.put(k.toString(), o.toString().trim()); } else { map.put(k.toString(), o); } } } return map; }} |
三、 完美解決
參數(shù)前后空格完美去除!
以上為個(gè)人經(jīng)驗(yàn),希望能給大家一個(gè)參考,也希望大家多多支持服務(wù)器之家。
原文鏈接:https://www.jianshu.com/p/2b8ac1adb7a1
