Spring Boot Filter(xss)不过滤指定资源，绕过不需要过滤的资源【该项目框架为renr...

派大星星

项目框架为【人人开源框架renren-security】用富文本编辑器存到后台的是html，系统中有一个xxs防注入功能，所以到后台富文本的值别过滤变成纯文本了。如下图

前台获取到的是正常的HTML数据

到后台就被过滤成纯文本的汉字了

这样展现的时候之前输入的东西样式全乱了

首先找到项目Filter配置 的类，找到过滤HTML的方法，加上不需要进行过滤的请求地址

然后在对应的类中进行判断过滤

这样就OK了。完整代码：

[Java] 纯文本查看 复制代码

import io.base.common.xss.XssFilter;[/b]import org.springframework.boot.web.servlet.FilterRegistrationBean;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.web.filter.DelegatingFilterProxy;

import javax.servlet.DispatcherType;

/**
 * Filter配置
 */
@Configuration
public class FilterConfig {


    @Bean
    public FilterRegistrationBean xssFilterRegistration() {
        FilterRegistrationBean registration = new FilterRegistrationBean();
        registration.setDispatcherTypes(DispatcherType.REQUEST);
        registration.setFilter(new XssFilter());
        registration.addUrlPatterns("/*");
        registration.addInitParameter("notice","*/sysnotice/*");
        registration.setName("xssFilter");
        registration.setOrder(Integer.MAX_VALUE);
        return registration;
    }
}
Java
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import java.io.IOException;

/**
 * XSS过滤
 */
public class XssFilter implements Filter {

   private String[] excludedUris;

   @Override
   public void init(FilterConfig config) throws ServletException {
      excludedUris = config.getInitParameter("notice").split(",");
   }

   @Override
   public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
      XssHttpServletRequestWrapper xssRequest = new XssHttpServletRequestWrapper(
            (HttpServletRequest) request);
      String url = xssRequest.getServletPath();
      if (isExcludedUri(url)){
         chain.doFilter(request, response);
      }else {
         chain.doFilter(xssRequest, response);
      }
   }

   @Override
   public void destroy() {
   }

   private boolean isExcludedUri(String uri) {
      if (excludedUris == null || excludedUris.length <= 0) {
         return false;
      }
      for (String ex : excludedUris) {
         uri = uri.trim();
         ex = ex.trim();
         if (uri.toLowerCase().matches(ex.toLowerCase().replace("*",".*")))
            return true;
      }
      return false;
   }
}

围巢

不错，学习了…

梦想0330

不错，写的非常好，very is good