Spring mvc 在Spring MVC中使用反艾米的XSS安全性
我想从我的HTML中过滤所有输入标记的内容。我使用的是反艾米过滤器,现在我的过滤器过滤掉了完整的html内容(而不是只输入值) 我正在使用此处提供的实现: 在doFilter方法中,我使用这段代码扫描内容Spring mvc 在Spring MVC中使用反艾米的XSS安全性,spring-mvc,xss,antisamy,Spring Mvc,Xss,Antisamy,我想从我的HTML中过滤所有输入标记的内容。我使用的是反艾米过滤器,现在我的过滤器过滤掉了完整的html内容(而不是只输入值) 我正在使用此处提供的实现: 在doFilter方法中,我使用这段代码扫描内容 HttpServletResponseInvocationHandler invocationHandler = httpResponseInvocationHandlerFactory.build((HttpServletResponse) response); CleanResults
HttpServletResponseInvocationHandler invocationHandler = httpResponseInvocationHandlerFactory.build((HttpServletResponse) response);
CleanResults cleanResults = antiSamy.scan(invocationHandler.getContents(), policy);
而我想要的是:
CleanResults cleanResults = antiSamy.scan(request.getParameter("input"), policy);
这样只过滤输入字段的内容
以下是整个doFilter方法:
public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
if (response instanceof HttpServletResponse) {
HttpServletResponseInvocationHandler invocationHandler = httpResponseInvocationHandlerFactory.build((HttpServletResponse) response);
HttpServletResponse proxiedResponse = httpResponseProxyFactory.build(invocationHandler);
chain.doFilter(request, proxiedResponse);
if ("text/html;charset=UTF-8".equals(proxiedResponse.getContentType())) {
try {
Policy policy = policyFileLoader.load(policyFile);
antiSamy.setInputEncoding(inputEncoding);
antiSamy.setOutputEncoding(outputEncoding);
CleanResults cleanResults = antiSamy.scan(invocationHandler.getContents(), policy);
log.info("Number of Errors: " + cleanResults.getNumberOfErrors());
if (log.isDebugEnabled()) {
log.debug("Errors found: ");
List errors = cleanResults.getErrorMessages();
for (int i = 0; i < errors.size(); i++) {
log.debug("\t" + (i + 1) + ". " + errors.get(i));
}
}
log.info("Scan time (in seconds): " + cleanResults.getScanTime());
response.getOutputStream().write(cleanResults.getCleanHTML().getBytes());
} catch (ScanException e) {
log.error(GENERIC_ERROR, e);
} catch (PolicyException e) {
log.error(GENERIC_ERROR, e);
}
} else {
response.getOutputStream().write(invocationHandler.getBytes());
}
} else {
chain.doFilter(request, response);
}
}
public void doFilter(ServletRequest请求、ServletResponse响应、FilterChain链)抛出IOException、ServletException{
if(HttpServletResponse的响应实例){
HttpServletResponseInLocationHandler invocationHandler=HttpResponseInLocationHandlerFactory.build((HttpServletResponse)响应);
HttpServletResponse proxiedResponse=httpResponseProxyFactory.build(调用处理程序);
chain.doFilter(请求、代理响应);
if(“text/html;charset=UTF-8”。等于(proxiedResponse.getContentType()){
试一试{
Policy Policy=policyFileLoader.load(policyFile);
反艾米。setInputEncoding(inputEncoding);
反艾米。设置输出编码(输出编码);
CleanResults CleanResults=antiSamy.scan(invocationHandler.getContents(),policy);
log.info(“错误数:+cleanResults.getNumberOfErrors());
if(log.isDebugEnabled()){
调试(“发现错误:”);
List errors=cleanResults.getErrorMessages();
对于(int i=0;i
我已经在AntiSamy默认提供的所有策略文件上试用过
如果您能在这方面获得一些帮助,那就太好了。找到了解决方案,错误在于正则表达式不正确。现在效果很好