Spring Boot: trimming leading/trailing whitespace from strings and a method to guard against XSS attacks

1. Look at the method source in WebMvcAutoConfiguration.class:

protected ConfigurableWebBindingInitializer getConfigurableWebBindingInitializer() {
    try {
        // obtained from the container
        return (ConfigurableWebBindingInitializer) this.beanFactory.getBean(ConfigurableWebBindingInitializer.class);
    } catch (NoSuchBeanDefinitionException ex) {
        return super.getConfigurableWebBindingInitializer();
    }
}

You can see that the ConfigurableWebBindingInitializer is fetched from the container (beanFactory), so we can register our own ConfigurableWebBindingInitializer to replace the default one; all it takes is adding a custom converter to the container. Once we create our own ConfigurableWebBindingInitializer bean, Spring Boot automatically uses it when configuring Spring MVC parameter type conversion.

2. Custom property editor

import java.beans.PropertyEditorSupport;

import org.springframework.web.util.HtmlUtils;
import org.springframework.web.util.JavaScriptUtils;

/**
 * Used together with Spring MVC's @InitBinder (or a WebBindingInitializer) to guard against XSS:
 * every bound String is trimmed and escaped before it reaches the command object.
 * Note that this escapes at binding time, so the escaped form is what gets stored and later
 * rendered; encoding for the output context in the view remains the standard defence.
 */
public class StringEscapeEditor extends PropertyEditorSupport {

    /** Escape HTML */
    private final boolean escapeHTML;

    /** Escape JavaScript */
    private final boolean escapeJavaScript;

    /** Whether to convert an empty string to null */
    private final boolean emptyAsNull;

    /** Whether to strip leading and trailing whitespace */
    private final boolean trimmed;

    /** Defaults: empty-as-null, trimmed, no HTML escaping, JavaScript escaping. */
    public StringEscapeEditor() {
        this(true, true, false, true);
    }

    public StringEscapeEditor(boolean escapeHTML, boolean escapeJavaScript) {
        this(true, true, escapeHTML, escapeJavaScript);
    }

    public StringEscapeEditor(boolean emptyAsNull, boolean trimmed, boolean escapeHTML, boolean escapeJavaScript) {
        super();
        this.emptyAsNull = emptyAsNull;
        this.trimmed = trimmed;
        this.escapeHTML = escapeHTML;
        this.escapeJavaScript = escapeJavaScript;
    }

    @Override
    public String getAsText() {
        Object value = getValue();
        return value != null ? value.toString() : null;
    }

    @Override
    public void setAsText(String text) throws IllegalArgumentException {
        String value = text;

        if (value != null && trimmed) {
            // strip leading and trailing whitespace from the request parameter
            value = value.trim();
        }
        if (value != null && emptyAsNull && value.isEmpty()) {
            // an empty (or, once trimmed, whitespace-only) parameter becomes null
            value = null;
        }
        if (value != null && escapeHTML) {
            // HTML escaping (against XSS).
            // HtmlUtils.htmlEscape defaults to ISO-8859-1, which also escapes some Chinese punctuation;
            // pass "UTF-8" to leave those characters alone, as done here.
            value = HtmlUtils.htmlEscape(value, "UTF-8");
        }
        if (value != null && escapeJavaScript) {
            // JavaScript escaping (against XSS)
            value = JavaScriptUtils.javaScriptEscape(value);
        }
        setValue(value);
    }
}

3. Create a WebBindingInitializerConfiguration class with a @Bean method, so the Spring container manages the initializer.

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.format.support.DefaultFormattingConversionService;
import org.springframework.format.support.FormattingConversionService;
import org.springframework.web.bind.support.ConfigurableWebBindingInitializer;

@Configuration
public class WebBindingInitializerConfiguration {

    @Bean
    public ConfigurableWebBindingInitializer getConfigurableWebBindingInitializer() {
        ConfigurableWebBindingInitializer initializer = new ConfigurableWebBindingInitializer();
        // Note: a fresh conversion service replaces the one Spring Boot's default initializer
        // would have supplied (with the configured date formats), and no validator is set
        // unless you add one below.
        FormattingConversionService conversionService = new DefaultFormattingConversionService();
        // we can add our custom converters and formatters
        // conversionService.addConverter(...);
        // conversionService.addFormatter(...);
        initializer.setConversionService(conversionService);
        // we can set our custom validator
        // initializer.setValidator(...);

        // here we are setting a custom PropertyEditor for every String parameter
        initializer.setPropertyEditorRegistrar(propertyEditorRegistry ->
                propertyEditorRegistry.registerCustomEditor(String.class, new StringEscapeEditor()));
        return initializer;
    }
}
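To see what the editor actually does to bound parameters without starting a web server, here is an added example (not from the original post) that applies the WebBindingInitializerConfiguration bean from section 3 to a WebDataBinder by hand. It assumes StringEscapeEditor and WebBindingInitializerConfiguration from the sections above are in the same package; the CommentForm class and the parameter values are constructed for the demonstration.

```java
import org.springframework.beans.MutablePropertyValues;
import org.springframework.web.bind.WebDataBinder;
import org.springframework.web.bind.support.ConfigurableWebBindingInitializer;

public class StringEscapeEditorDemo {

    /** Constructed command object standing in for a controller's form-backing bean. */
    public static class CommentForm {
        private String author;
        private String body;
        private String tag;
        public String getAuthor() { return author; }
        public void setAuthor(String author) { this.author = author; }
        public String getBody() { return body; }
        public void setBody(String body) { this.body = body; }
        public String getTag() { return tag; }
        public void setTag(String tag) { this.tag = tag; }
    }

    public static void main(String[] args) {
        // Same bean Spring MVC would inject into its binder factory; applied manually here.
        ConfigurableWebBindingInitializer initializer =
                new WebBindingInitializerConfiguration().getConfigurableWebBindingInitializer();

        CommentForm form = new CommentForm();
        WebDataBinder binder = new WebDataBinder(form, "commentForm");
        initializer.initBinder(binder);   // registers StringEscapeEditor for String.class

        // Constructed request parameters, as a servlet request would supply them.
        MutablePropertyValues params = new MutablePropertyValues();
        params.add("author", "   alice   ");                    // padded -> trimmed
        params.add("body", " <script>alert('hi')</script> ");   // markup -> escaped
        params.add("tag", "   ");                               // blank -> null (emptyAsNull)
        binder.bind(params);

        System.out.println("author=[" + form.getAuthor() + "]");
        System.out.println("body=[" + form.getBody() + "]");
        System.out.println("tag=" + form.getTag());
    }
}
```

Because the default StringEscapeEditor applies JavaScript escaping only, the bound body no longer contains raw angle brackets but is also not HTML-encoded. Escaping at bind time stores the escaped form, so encoding for the actual output context in the view remains the standard XSS defence.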