12.自定义注解、切面
发表于:2017-06-24 10:36:19 分类:博客源码 阅读:936次
这两段代码是百度出来抄的,主要用于页面防JS注入等。作者页就不留了,因为我还得再找。
自定义注解
AntiXSS
package top.ersredma.blog.anotations; import org.springframework.stereotype.Component; import org.springframework.stereotype.Service; import java.lang.annotation.*; /** * Created by ersredma on 2017/6/21. */ @Component @Retention(RetentionPolicy.RUNTIME)@Target(ElementType.METHOD) public @interface AntiXSS { }
2.切面 AntiXSSAspect 主要是获取参数并调用处理方法。
package top.ersredma.blog.aop; import org.aspectj.lang.JoinPoint; import org.aspectj.lang.ProceedingJoinPoint; import org.aspectj.lang.annotation.Around; import org.aspectj.lang.annotation.Aspect; import org.aspectj.lang.annotation.Before; import org.aspectj.lang.annotation.Pointcut; import top.ersredma.blog.utils.XssShieldUtil; import java.lang.reflect.Field; /** * Created by ersredma on 2017/6/21. * 对String或者Entity中的String进行AntiXSS处理 */ @Aspect public class AntiXSSAspect { /** * 定义切面,定位到@AntiXSS注解的地方 */ @Pointcut("@annotation(top.ersredma.blog.anotations.AntiXSS)") //@Pointcut(value = "execution(* top.ersredma.blog.service.BlogServiceImpl.addComment(..))") public void antiXSSPointCut() { } /** * 对String类型或包含String类型的Entity进行antiXSS处理 * * @param point */ @Around("antiXSSPointCut()") public Object doAround(ProceedingJoinPoint point) { Object result = null; Object args[] = point.getArgs(); try { antiXSS(args); result = point.proceed(args); } catch (Throwable throwable) { throwable.printStackTrace(); } return result; } /** * antiXSS处理 * * @param args */ private void antiXSS(Object[] args) { if (args == null) { return; } for (int i = 0; i < args.length; i++) { if (args[i] == null) { continue; } if (args[i] instanceof String) { args[i] = antiXSS((String) args[i]); } if (!isPrimitive(args[i])) { args[i] = antiXSSEntity(args[i]); } } } /** * 对Entity进行antiXSS * * @param object * @return 处理后的结果 */ private Object antiXSSEntity(Object object) { Field[] fields = object.getClass().getDeclaredFields(); for (Field field : fields) { field.setAccessible(true); try { Object arg = field.get(object); if (arg instanceof String) { arg = antiXSS((String) arg); field.set(object, arg); } } catch (IllegalAccessException e) { e.printStackTrace(); } } return object; } /** * 判断是否是基本类型 * * @param arg * @return */ private boolean isPrimitive(Object arg) { try { /************ 基本类型中包含Class<T> TYPE字段 **********/ Field field = arg.getClass().getDeclaredField("TYPE"); field.setAccessible(true); Class fieldClass = (Class) field.get(arg); if (fieldClass.isPrimitive()) { return true; } } catch (Exception e) { return false; } return true; } /** * antiXSS实现 * * @param target * @return */ private String antiXSS(String target) { return XssShieldUtil.stripXss(target); } }
3.处理类 (作者的代码是简单粗暴的替换,这块还得改,不然没办法支持富文本编辑器)
package top.ersredma.blog.utils; import java.util.ArrayList; import java.util.List; import java.util.regex.Matcher; import java.util.regex.Pattern; /** * 处理非法字符 * * @author 单红宇(365384722) * @myblog http://blog.csdn.net/catoop/ * @create 2015年9月18日 */ public class XssShieldUtil { private static List<Pattern> patterns = null; private static List<Object[]> getXssPatternList() { List<Object[]> ret = new ArrayList<Object[]>(); ret.add(new Object[]{"<(no)?script[^>]*>.*?</(no)?script>", Pattern.CASE_INSENSITIVE}); ret.add(new Object[]{"eval\\((.*?)\\)", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL}); ret.add(new Object[]{"expression\\((.*?)\\)", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL}); ret.add(new Object[]{"(javascript:|vbscript:|view-source:)*", Pattern.CASE_INSENSITIVE}); ret.add(new Object[]{"(<jsp:include|<%>)", Pattern.CASE_INSENSITIVE}); // ret.add(new Object[]{"<(\"[^\"]*\"|\'[^\']*\'|[^\'\">])*>", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL}); ret.add(new Object[]{"(window\\.location|window\\.|\\.location|document\\.cookie|document\\.|alert\\(.*?\\)|window\\.open\\()*", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL}); ret.add(new Object[]{"<+\\s*\\w*\\s*(oncontrolselect|oncopy|oncut|ondataavailable|ondatasetchanged|ondatasetcomplete|ondblclick|ondeactivate|ondrag|ondragend|ondragenter|ondragleave|ondragover|ondragstart|ondrop|onerror=|onerroupdate|onfilterchange|onfinish|onfocus|onfocusin|onfocusout|onhelp|onkeydown|onkeypress|onkeyup|onlayoutcomplete|onload|onlosecapture|onmousedown|onmouseenter|onmouseleave|onmousemove|onmousout|onmouseover|onmouseup|onmousewheel|onmove|onmoveend|onmovestart|onabort|onactivate|onafterprint|onafterupdate|onbefore|onbeforeactivate|onbeforecopy|onbeforecut|onbeforedeactivate|onbeforeeditocus|onbeforepaste|onbeforeprint|onbeforeunload|onbeforeupdate|onblur|onbounce|oncellchange|onchange|onclick|oncontextmenu|onpaste|onpropertychange|onreadystatechange|onreset|onresize|onresizend|onresizestart|onrowenter|onrowexit|onrowsdelete|onrowsinserted|onscroll|onselect|onselectionchange|onselectstart|onstart|onstop|onsubmit|onunload)+\\s*=+", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL}); return ret; } private static List<Pattern> getPatterns() { if (patterns == null) { List<Pattern> list = new ArrayList<Pattern>(); String regex = null; Integer flag = null; int arrLength = 0; for(Object[] arr : getXssPatternList()) { arrLength = arr.length; for(int i = 0; i < arrLength; i++) { regex = (String)arr[0]; flag = (Integer)arr[1]; list.add(Pattern.compile(regex, flag)); } } patterns = list; } return patterns; } public static String stripXss(String value) { if(value!=null&&!"".equals(value)) { Matcher matcher = null; for(Pattern pattern : getPatterns()) { matcher = pattern.matcher(value); // 匹配 if(matcher.find()) { // 删除相关字符串 value = value.replaceAll(pattern.pattern(),""); } } } return value; } }
关键词:blog源码,防注入
-
厉害了,我只敢想想,做不出来
-
-
-
h h h
-
h h h