防御流类型的xss攻击

1.建立一个工具类

package im.lsn.oss.exhibition.utils;

import org.apache.commons.lang3.StringUtils;

import java.beans.IntrospectionException;
import java.beans.PropertyDescriptor;
import java.lang.reflect.Field;
import java.lang.reflect.InvocationTargetException;
import java.util.stream.Stream;

public class XssUtils {

    public static Object processXss(Object o) {
        Class clazz = o.getClass();
        Field[] fields = clazz.getDeclaredFields();
        Stream.of(fields).forEach( field ->{
            try {
                PropertyDescriptor pd = new PropertyDescriptor(field.getName(),clazz);
                if(field.getType().getName().equals("java.lang.String")){
                    String value = (String)pd.getReadMethod().invoke(o);
                    pd.getWriteMethod().invoke(o,cleanXSS(value));
                }
            } catch (IntrospectionException e) {
                e.printStackTrace();
            } catch (IllegalAccessException e) {
                e.printStackTrace();
            } catch (InvocationTargetException e) {
                e.printStackTrace();
            }
        });
        return o;
    }

    public static String cleanXSS(String value) {
        if (StringUtils.isBlank(value)) {
            return value;
        }
        value = value.replaceAll("eval(\\s*)\\(", "");
        value = value.replaceAll("javascript(\\s*):", "");
        value = value.replaceAll("<(/?)(\\s*)[sS][cC][rR][iI][pP][tT](\\s*)>", "");
        value = value.replaceAll("on[a-zA-Z]*(\\s*)=", "");
        return value;
    }
}

2.在方法前进行代码的处理

editForm= (ExhibitorsEditForm)XssUtils.processXss(editForm);