JSP spring boot / cloud uses filter to prevent XSS
I. Preface
XSS (cross-site scripting)
Cross-site scripting is abbreviated XSS so that it is not confused with the abbreviation for cascading style sheets (CSS). An attacker injects malicious script code into a web page; when a user visits that page, the browser executes the embedded script in the user's session, which is how the attacker reaches the user (stealing cookies or tokens, performing actions as the user, rewriting the page, and so on).
II. Approach
Intercept every request in a filter and replace special characters with their HTML entity equivalents (for example, `<` becomes `&lt;` and `>` becomes `&gt;`) before the request reaches the application. The places at which to intercept are covered by the steps below: plain request parameters and headers, and the JSON bodies handled by @RequestBody and @ResponseBody.
III. Implementation
1. Create the XssHttpServletRequestWrapper class
Extend HttpServletRequestWrapper and override the getters (getParameter, getParameterValues, getParameterMap, getHeader) so that every value they return has been passed through HtmlUtils.htmlEscape (org.springframework.web.util.HtmlUtils). The escaped text is inert HTML, so malicious markup cannot take part in any later processing.
2. Create the XssStringJsonSerializer class
The wrapper only covers form parameters and headers. Wherever JSON conversion is involved, such as @RequestBody and @ResponseBody, Jackson reads and writes the values directly, so a custom String serializer (and a matching deserializer for request bodies) must apply the same escaping.
3. Create the bean
In the startup (or a @Configuration) class, declare an ObjectMapper bean that registers the XSS serializer. Spring Boot's auto-configured ObjectMapper is @ConditionalOnMissingBean, so this bean replaces it and the escaping applies to JSON conversion across the whole system.
4. Create the XssFilter
Register the filter for all requests (URL pattern `/*`). In the doFilter method, wrap the incoming HttpServletRequest in an XssHttpServletRequestWrapper (it is a wrapper around the original request, not a cast of it) and pass the wrapped request down the chain.
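The four steps above, written out as one complete example. This is an added example, not the original post's code: it assumes Spring Boot 2.x with spring-boot-starter-web (javax.servlet; on Spring Boot 3.x use jakarta.servlet instead) and Jackson on the classpath. All class names (XssHttpServletRequestWrapper, XssStringJsonSerializer, XssStringJsonDeserializer, XssConfig, XssFilter) follow the post; the deserializer and the FilterRegistrationBean ordering are my additions. The classes are package-private so they can live in a single file for illustration.

```java
// Added example (not the original post's code). Assumes Spring Boot 2.x,
// spring-boot-starter-web (javax.servlet) and Jackson (spring-boot-starter-json).
import java.io.IOException;
import java.util.Arrays;
import java.util.LinkedHashMap;
import java.util.Map;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import com.fasterxml.jackson.core.JsonGenerator;
import com.fasterxml.jackson.core.JsonParser;
import com.fasterxml.jackson.databind.*;
import com.fasterxml.jackson.databind.module.SimpleModule;
import org.springframework.boot.web.servlet.FilterRegistrationBean;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.Ordered;
import org.springframework.http.converter.json.Jackson2ObjectMapperBuilder;
import org.springframework.web.util.HtmlUtils;

// Shared escaping rule: HtmlUtils.htmlEscape rejects null, so guard it here.
final class Xss {
    private Xss() {}
    static String escape(String value) {
        return value == null ? null : HtmlUtils.htmlEscape(value);
    }
}

// Step 1: every parameter/header value is escaped as the application reads it.
class XssHttpServletRequestWrapper extends HttpServletRequestWrapper {
    XssHttpServletRequestWrapper(HttpServletRequest request) { super(request); }

    @Override public String getParameter(String name) { return Xss.escape(super.getParameter(name)); }

    @Override public String[] getParameterValues(String name) {
        String[] values = super.getParameterValues(name);
        return values == null ? null
                : Arrays.stream(values).map(Xss::escape).toArray(String[]::new);
    }

    // Data binding (@ModelAttribute) reads the map, so it must be escaped too.
    @Override public Map<String, String[]> getParameterMap() {
        Map<String, String[]> escaped = new LinkedHashMap<>();
        super.getParameterMap().keySet().forEach(k -> escaped.put(k, getParameterValues(k)));
        return escaped;
    }

    @Override public String getHeader(String name) { return Xss.escape(super.getHeader(name)); }
}

// Step 2: JSON bodies bypass the servlet getters, so escape at the Jackson level.
class XssStringJsonSerializer extends JsonSerializer<String> {   // @ResponseBody
    @Override public Class<String> handledType() { return String.class; }
    @Override public void serialize(String value, JsonGenerator gen, SerializerProvider sp)
            throws IOException {
        gen.writeString(Xss.escape(value));
    }
}

class XssStringJsonDeserializer extends JsonDeserializer<String> { // @RequestBody
    @Override public String deserialize(JsonParser p, DeserializationContext ctx)
            throws IOException {
        return Xss.escape(p.getValueAsString());
    }
}

// Step 4: wrap (not cast) the request and hand the wrapper down the chain.
class XssFilter implements Filter {
    @Override public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (req instanceof HttpServletRequest) {
            req = new XssHttpServletRequestWrapper((HttpServletRequest) req);
        }
        chain.doFilter(req, res);
    }
}

// Step 3: replace Spring Boot's auto-configured ObjectMapper and register the filter.
@Configuration
class XssConfig {
    @Bean
    ObjectMapper xssObjectMapper(Jackson2ObjectMapperBuilder builder) {
        ObjectMapper mapper = builder.createXmlMapper(false).build(); // keeps Boot's defaults
        SimpleModule module = new SimpleModule("xss-escape");
        module.addSerializer(String.class, new XssStringJsonSerializer());
        module.addDeserializer(String.class, new XssStringJsonDeserializer());
        return mapper.registerModule(module);
    }

    @Bean
    FilterRegistrationBean<XssFilter> xssFilterRegistration() {
        FilterRegistrationBean<XssFilter> reg = new FilterRegistrationBean<>(new XssFilter());
        reg.addUrlPatterns("/*");                  // step 4: intercept all requests
        reg.setOrder(Ordered.HIGHEST_PRECEDENCE);  // run before other filters read the request
        return reg;
    }
}
```

Two practical checks before relying on this: send `?q=<script>alert(1)</script>` and a JSON body `{"name":"<img src=x onerror=alert(1)>"}` to a controller and confirm the values arrive as `&lt;script&gt;...` and `&lt;img ...&gt;`. Be aware that this design escapes on input, so entity-encoded text is what gets stored and later re-escaped on output (you will see `&amp;lt;` if a template also escapes), and it does not protect data that reaches the page through any path other than this filter or this ObjectMapper; contextual output encoding in the view layer remains the primary defense, with this filter as a second layer.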
IV. Conclusion
Although this article is implemented on Spring Boot, the idea (wrap the request, escape on the way in, and apply the same escaping at the JSON conversion layer) is the same and is not limited to any framework.
Thank you for reading. I hope this helps, and thank you for your support of this site!