Reading the ThingsBoard source: preventing XSS with a custom validation annotation built on AntiSamy

1. Add the pom dependency

<dependency>
    <groupId>org.owasp.antisamy</groupId>
    <artifactId>antisamy</artifactId>
    <version>${antisamy.version}</version>
    <exclusions>
        <exclusion>
            <groupId>org.slf4j</groupId>
            <artifactId>*</artifactId>
        </exclusion>
        <exclusion>
            <groupId>commons-logging</groupId>
            <artifactId>commons-logging</artifactId>
        </exclusion>
        <exclusion>
            <groupId>com.github.spotbugs</groupId>
            <artifactId>spotbugs-annotations</artifactId>
        </exclusion>
    </exclusions>
</dependency>

2. Define a custom validation annotation

package org.thingsboard.server.common.data.validation;

import jakarta.validation.Constraint;
import jakarta.validation.Payload;
import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;

@Retention(RetentionPolicy.RUNTIME)
@Target({ElementType.FIELD, ElementType.METHOD})
// No validator class is bound here; the NoXss validator is attached to the
// annotation outside this declaration.
@Constraint(validatedBy = {})
public @interface NoXss {

    /**
     * @return the default message returned when validation fails
     */
    String message() default "is malformed";

    /**
     * @return custom attribute used to name the field that has the XSS problem
     */
    String fieldName() default "";

    /**
     * @return validation groups
     */
    Class<?>[] groups() default {};

    /**
     * @return payload
     */
    Class<? extends Payload>[] payload() default {};

}

3. Write the custom Validator
Add the XSS policy definition file xss-policy.xml under the resources directory:

<?xml version="1.0" encoding="UTF-8" ?>
<!--

    Copyright © 2016-2024 The Thingsboard Authors

    Licensed under the Apache License, Version 2.0 (the "License");
    you may not use this file except in compliance with the License.
    You may obtain a copy of the License at

        http://www.apache.org/licenses/LICENSE-2.0

    Unless required by applicable law or agreed to in writing, software
    distributed under the License is distributed on an "AS IS" BASIS,
    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    See the License for the specific language governing permissions and
    limitations under the License.

-->
<anti-samy-rules>

    <directives>
        <directive name="omitXmlDeclaration" value="true"/>
        <directive name="omitDoctypeDeclaration" value="false"/>
        <directive name="maxInputSize" value="100000"/>
        <directive name="embedStyleSheets" value="false"/>
        <directive name="useXHTML" value="true"/>
        <directive name="formatOutput" value="true"/>
    </directives>

    <common-regexps>

        <!--
            From W3C:
            This attribute assigns a class name or set of class names to an
            element. Any number of elements may be assigned the same class
            name or names. Multiple class names must be separated by white
            space characters.
        -->
        <regexp name="htmlTitle" value="[a-zA-Z0-9\s\-_',:\[\]!\./\\\(\)&amp;]*"/>

        <!--  force non-empty with a '+' at the end instead of '*'
        -->
        <regexp name="onsiteURL" value="([\p{L}\p{N}\p{Zs}/\.\?=&amp;\-~])+"/>

        <!--  ([\w\\/\.\?=&amp;;\#-~]+|\#(\w)+)
        -->

        <!--  ([\p{L}/ 0-9&amp;\#-.?=])*
        -->
        <regexp name="offsiteURL"
                value="(\s)*((ht|f)tp(s?)://|mailto:)[A-Za-z0-9]+[~a-zA-Z0-9-_\.@\#\$%
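The policy file is cut off at this point in this copy of the post, and the validator class that consumes it is missing altogether. The class below is an added illustration of how the NoXss annotation can be wired to AntiSamy; it is not the ThingsBoard project's own code. It assumes a class named NoXssValidator in the same package as the annotation, that the xss-policy.xml from this section is on the classpath, and that the message built from fieldName is the desired behaviour. Because validatedBy is empty on the annotation, something must still attach this class to NoXss; one way that works with Hibernate Validator is listing the class in META-INF/services/jakarta.validation.ConstraintValidator so it is discovered through the service loader.

```java
package org.thingsboard.server.common.data.validation; // assumed placement, not the project's file

import jakarta.validation.ConstraintValidator;
import jakarta.validation.ConstraintValidatorContext;
import org.owasp.validator.html.AntiSamy;
import org.owasp.validator.html.CleanResults;
import org.owasp.validator.html.Policy;
import org.owasp.validator.html.PolicyException;
import org.owasp.validator.html.ScanException;

import java.io.IOException;
import java.io.InputStream;

/**
 * Illustrative validator for the NoXss annotation (added example, not ThingsBoard code).
 * A value passes only if AntiSamy, driven by xss-policy.xml, reports zero errors,
 * i.e. it had to strip or rewrite nothing.
 */
public class NoXssValidator implements ConstraintValidator<NoXss, Object> {

    private static final AntiSamy ANTISAMY = new AntiSamy();
    // The policy is parsed once and shared; AntiSamy Policy objects are immutable.
    private static volatile Policy policy;

    private String fieldName = "";

    @Override
    public void initialize(NoXss annotation) {
        this.fieldName = annotation.fieldName();
        loadPolicy();
    }

    /** Loads xss-policy.xml from the classpath on first use (assumed location). */
    static Policy loadPolicy() {
        if (policy == null) {
            synchronized (NoXssValidator.class) {
                if (policy == null) {
                    try (InputStream in = NoXssValidator.class.getClassLoader()
                            .getResourceAsStream("xss-policy.xml")) {
                        if (in == null) {
                            throw new IllegalStateException("xss-policy.xml not found on classpath");
                        }
                        policy = Policy.getInstance(in);
                    } catch (IOException | PolicyException e) {
                        throw new IllegalStateException("failed to load AntiSamy policy", e);
                    }
                }
            }
        }
        return policy;
    }

    @Override
    public boolean isValid(Object value, ConstraintValidatorContext ctx) {
        // Only text is scanned; null and non-text values are left to other constraints.
        if (!(value instanceof CharSequence)) {
            return true;
        }
        String text = value.toString();
        if (text.isEmpty()) {
            return true;
        }
        boolean clean = isClean(text);
        if (!clean && ctx != null && !fieldName.isEmpty()) {
            // Replace the generic "is malformed" message with one naming the field.
            ctx.disableDefaultConstraintViolation();
            ctx.buildConstraintViolationWithTemplate(fieldName + " is malformed")
                    .addConstraintViolation();
        }
        return clean;
    }

    /** True when AntiSamy accepted the input without stripping or rewriting anything. */
    static boolean isClean(String text) {
        try {
            CleanResults results = ANTISAMY.scan(text, loadPolicy());
            return results.getNumberOfErrors() == 0;
        } catch (ScanException | PolicyException e) {
            // Treat a failed scan as unsafe rather than letting the value through.
            return false;
        }
    }

    // Constructed sample inputs for a quick manual run; not part of any real request.
    public static void main(String[] args) {
        System.out.println("plain device name clean: " + isClean("Temperature sensor #3"));
        System.out.println("inline event handler clean: " + isClean("<img src=x onerror=alert(1)>"));
    }
}
```

Treating any non-zero error count as a failure (rather than using AntiSamy's cleaned output) is what makes this a validator instead of a sanitizer: the request is rejected and the caller is told which field was malformed, so nothing silently altered is stored.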