SoFunction
Updated on 2025-04-06

JSP spring boot/cloud Prevent XSS using filter

1. Preface

XSS (cross-site scripting attack)

To avoid confusion with the abbreviation for Cascading Style Sheets (CSS), cross-site scripting (Cross Site Scripting) is abbreviated XSS. A malicious attacker inserts malicious script code into a web page; when a user browses that page, the script embedded in it is executed, which achieves the attacker's goal against the user.

2. Ideas

Using a filter to intercept requests, replace special characters with their HTML escape sequences (for example, "<" becomes "&lt;"). The points that need to be intercepted are:

  • Request header (requestHeader)
  • Request body (requestBody)
  • Request parameter (requestParameter)

3. Implementation

1. Create the XssHttpServletRequestWrapper class

Wherever a request header or request parameter is read, the wrapper converts the value to HTML-escaped text before returning it, so that malicious code does not take part in subsequent processing.

/**
 *
 * Created at 2016-09-19
 * Created by wangkang
 * Copyright (C) 2016 , All rights reserved.
 */
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;

import org.springframework.web.util.HtmlUtils; // escaping helper; assumed, the original import is not preserved

/**
 * Description: Cross-site request prevention
 *
 * @author wangkang
 *
 */
public class XssHttpServletRequestWrapper extends HttpServletRequestWrapper {

    /**
     * Description: Constructor
     *
     * @param request request object
     */
    public XssHttpServletRequestWrapper(HttpServletRequest request) {
        super(request);
    }

    // Header value is HTML-escaped before it reaches the application
    @Override
    public String getHeader(String name) {
        String value = super.getHeader(name);
        return value == null ? null : HtmlUtils.htmlEscape(value);
    }

    // Single parameter value is HTML-escaped before it reaches the application
    @Override
    public String getParameter(String name) {
        String value = super.getParameter(name);
        return value == null ? null : HtmlUtils.htmlEscape(value);
    }

    // Multi-valued parameters are escaped element by element. getParameterMap(),
    // getQueryString() and the request body stream are not overridden here, so code
    // that reads those still sees the raw values.
    @Override
    public String[] getParameterValues(String name) {
        String[] values = super.getParameterValues(name);
        if (values != null) {
            int length = values.length;
            String[] escapedValues = new String[length];
            for (int i = 0; i < length; i++) {
                escapedValues[i] = HtmlUtils.htmlEscape(values[i]);
            }
            return escapedValues;
        }
        return super.getParameterValues(name);
    }

}

2. Create the XssStringJsonSerializer class

Secondly, JSON conversion also needs escaping, for example the requestBody and responseBody.

/**
 *
 * Created at 2016-09-19
 * Created by wangkang
 * Copyright (C) 2016 , All rights reserved.
 */
import java.io.IOException;

import org.springframework.web.util.HtmlUtils; // escaping helper; assumed, the original import is not preserved

import com.fasterxml.jackson.core.JsonGenerator;
import com.fasterxml.jackson.databind.JsonSerializer;
import com.fasterxml.jackson.databind.SerializerProvider;

/**
 * Description: JsonSerializer based on xss
 *
 * @author wangkang
 *
 */
public class XssStringJsonSerializer extends JsonSerializer<String> {

    // handledType() must be non-null so that SimpleModule.addSerializer(JsonSerializer) accepts this serializer
    @Override
    public Class<String> handledType() {
        return String.class;
    }

    // Every String that Jackson writes is HTML-escaped first
    @Override
    public void serialize(String value, JsonGenerator jsonGenerator,
            SerializerProvider serializerProvider) throws IOException {
        if (value != null) {
            String encodedValue = HtmlUtils.htmlEscape(value);
            jsonGenerator.writeString(encodedValue);
        }
    }

}

3. Create a Bean

In the startup class, create an XssObjectMapper bean that replaces Spring Boot's default instance and is used for JSON conversion across the whole system.

    // Imports the startup class needs for this bean: org.springframework.context.annotation.Bean,
    // org.springframework.context.annotation.Primary,
    // org.springframework.http.converter.json.Jackson2ObjectMapperBuilder,
    // com.fasterxml.jackson.databind.ObjectMapper, com.fasterxml.jackson.databind.module.SimpleModule

    /**
     * Description: xssObjectMapper
     *
     * @param builder builder
     * @return xssObjectMapper
     */
    @Bean
    @Primary
    public ObjectMapper xssObjectMapper(Jackson2ObjectMapperBuilder builder) {
        // Parser
        ObjectMapper objectMapper = builder.createXmlMapper(false).build();
        // Register the xss serializer
        SimpleModule xssModule = new SimpleModule("XssStringJsonSerializer");
        xssModule.addSerializer(new XssStringJsonSerializer());
        objectMapper.registerModule(xssModule);
        // return
        return objectMapper;
    }
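The serializer registered above only runs when Jackson writes JSON, i.e. on the response side; for a request body Jackson calls a deserializer instead. The following is an added example, not code from the original article, showing the matching JsonDeserializer<String> and its registration in a SimpleModule, for sections 2 and 3 together. It assumes Jackson 2.x and Spring's org.springframework.web.util.HtmlUtils as the escaping helper; the Comment class and the JSON body are constructed for the check.

```java
import java.io.IOException;

import org.springframework.web.util.HtmlUtils;

import com.fasterxml.jackson.core.JsonParser;
import com.fasterxml.jackson.databind.DeserializationContext;
import com.fasterxml.jackson.databind.JsonDeserializer;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.module.SimpleModule;

// Added example, not code from the original article: the input-side counterpart of
// XssStringJsonSerializer. Assumes Jackson 2.x and Spring's HtmlUtils as the escaper.
public class XssStringJsonDeserializer extends JsonDeserializer<String> {

    @Override
    public String deserialize(JsonParser parser, DeserializationContext context) throws IOException {
        String value = parser.getValueAsString();
        // getValueAsString() returns null for tokens without a scalar value; pass that through unchanged
        return value == null ? null : HtmlUtils.htmlEscape(value);
    }

    /**
     * Module that escapes every String as Jackson reads it. Registering the article's
     * serializer in the same mapper escapes a round-tripped value twice ("<" becomes
     * "&lt;" on read and "&amp;lt;" on write), so choose the side that matches where
     * the data is rendered.
     */
    public static SimpleModule inputEscapingModule() {
        SimpleModule module = new SimpleModule("XssStringJsonDeserializer");
        module.addDeserializer(String.class, new XssStringJsonDeserializer());
        return module;
    }

    /** Target type for the check below (constructed for this example). */
    public static class Comment {
        public String author;
        public String text;
    }

    // Constructed sample body: a comment whose text carries a script tag.
    public static void main(String[] args) throws IOException {
        ObjectMapper mapper = new ObjectMapper().registerModule(inputEscapingModule());
        String body = "{\"author\":\"alice\",\"text\":\"<script>alert(1)</script>\"}";
        Comment comment = mapper.readValue(body, Comment.class);
        // Both fields are now HTML-escaped; the tag's < and > arrive as entities
        System.out.println(comment.text);
    }
}
```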

4. Create the XssFilter

Intercept all requests; in the doFilter method, cast the ServletRequest to HttpServletRequest, wrap it in an XssHttpServletRequestWrapper, and pass the wrapper down the filter chain.

/**
 *
 * Created at 2016-09-19
 * Created by wangkang
 * Copyright (C) 2016 , All rights reserved.
 */
import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;

import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/**
 * Description: Cross-site request prevention
 *
 * @author wangkang
 *
 */
// With an embedded container, Spring Boot registers @WebFilter classes only when the
// application class carries @ServletComponentScan
@WebFilter(filterName = "xssFilter", urlPatterns = "/*", asyncSupported = true)
public class XssFilter implements Filter {

    /**
     * Description: Log
     */
    private static final Logger LOGGER = LoggerFactory.getLogger(XssFilter.class);

    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
        LOGGER.info("(XssFilter) initialize");
    }

    // Every request is wrapped so that downstream code sees escaped headers and parameters
    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        XssHttpServletRequestWrapper xssRequest =
                new XssHttpServletRequestWrapper((HttpServletRequest) request);
        chain.doFilter(xssRequest, response);
    }

    @Override
    public void destroy() {
        LOGGER.info("(XssFilter) destroy");
    }

}

4. Closing

Although this article implements the idea on Spring Boot, the approach is general and not limited to any framework.

Thank you for reading; I hope this helps you. Thank you for your support of this site!