Commit 552bcc82
Authored Dec 17, 2021 by 如梦技术 🐛
Parent: 0eb550c3

✨ mica-xss: add a usage scenario.
Showing 4 changed files with 73 additions and 2 deletions:

mica-lite/src/main/java/net/dreamlu/mica/lite/config/MicaLiteConfiguration.java (+2 -0)
mica-xss/README.md (+4 -0)
mica-xss/src/main/java/net/dreamlu/mica/xss/config/MicaXssConfiguration.java (+8 -2)
mica-xss/src/main/java/net/dreamlu/mica/xss/core/XssCleanDeserializer.java (+59 -0)
mica-lite/src/main/java/net/dreamlu/mica/lite/config/MicaLiteConfiguration.java
...
...
@@ -17,6 +17,7 @@
package
net.dreamlu.mica.lite.config
;
import
net.dreamlu.mica.core.spring.SpringContextUtil
;
import
org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean
;
import
org.springframework.context.annotation.Bean
;
import
org.springframework.context.annotation.Configuration
;
...
...
@@ -29,6 +30,7 @@ import org.springframework.context.annotation.Configuration;
public
class
MicaLiteConfiguration
{
@Bean
@ConditionalOnMissingBean
public
SpringContextUtil
springContextUtil
()
{
return
new
SpringContextUtil
();
}
...
...
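Review bot: `@ConditionalOnMissingBean` on `springContextUtil()` makes the result depend on configuration processing order, because MicaXssConfiguration in this same commit declares an identical conditional `SpringContextUtil` bean. Whichever class is processed first registers the bean and the other backs off, which is harmless only as long as both keep returning a plain `new SpringContextUtil()`. Moving the definition into one module that both mica-lite and mica-xss depend on, or at least adding a comment here that the bean is now shared with mica-xss, would make the intent explicit.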
mica-xss/README.md
...
...
@@ -35,6 +35,10 @@ compile("net.dreamlu:mica-xss:${version}")
## 注解
可以使用
`@XssCleanIgnore`
注解对方法和类级别进行忽略。
## 针对某个 json 对象 `String` 字段处理
1.
添加
`@XssCleanIgnore`
注解对路由忽略 xss 处理。
2.
对需要处理得字段添加
`@JsonDeserialize(using = XssCleanDeserializer.class)`
注解。
## 自定义 xss 清理
如果内置的 xss 清理规则不满足需求,可以自己实现
`XssCleaner`
,注册成 Spring bean 即可。
...
...
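Review bot: step 1 of the new section tells users to put `@XssCleanIgnore` on the route without saying what that costs. With the route ignored, only the fields carrying `@JsonDeserialize(using = XssCleanDeserializer.class)` are cleaned, so every other `String` field in the body and any non-JSON parameter of that route is left untouched. The section should state this, so the per-field annotation is not read as a drop-in equivalent of the default filter. Also, "处理得字段" in step 2 should read "处理的字段".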
mica-xss/src/main/java/net/dreamlu/mica/xss/config/MicaXssConfiguration.java
...
...
@@ -17,6 +17,7 @@
package
net.dreamlu.mica.xss.config
;
import
lombok.RequiredArgsConstructor
;
import
net.dreamlu.mica.core.spring.SpringContextUtil
;
import
net.dreamlu.mica.xss.core.*
;
import
org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean
;
import
org.springframework.boot.autoconfigure.condition.ConditionalOnProperty
;
...
...
@@ -49,6 +50,12 @@ import java.util.List;
public
class
MicaXssConfiguration
implements
WebMvcConfigurer
{
private
final
MicaXssProperties
xssProperties
;
@Bean
@ConditionalOnMissingBean
public
SpringContextUtil
springContextUtil
()
{
return
new
SpringContextUtil
();
}
@Bean
@ConditionalOnMissingBean
public
XssCleaner
xssCleaner
(
MicaXssProperties
properties
)
{
...
...
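Review bot: the new `springContextUtil()` bean has no Javadoc explaining why an XSS configuration class registers a context utility. From the rest of the commit it is there so that XssCleanDeserializer, which Jackson instantiates through `@JsonDeserialize` outside of Spring injection, can call the static `SpringContextUtil.getBean(...)`. Document that dependency on the bean method, so a later cleanup does not remove it and leave the deserializer on its null-check fallback paths.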
@@ -64,8 +71,7 @@ public class MicaXssConfiguration implements WebMvcConfigurer {
@Bean
public
Jackson2ObjectMapperBuilderCustomizer
xssJacksonCustomizer
(
MicaXssProperties
properties
,
XssCleaner
xssCleaner
)
{
JacksonXssClean
xssClean
=
new
JacksonXssClean
(
properties
,
xssCleaner
);
return
builder
->
builder
.
deserializerByType
(
String
.
class
,
xssClean
);
return
builder
->
builder
.
deserializerByType
(
String
.
class
,
new
JacksonXssClean
(
properties
,
xssCleaner
));
}
@Override
...
...
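Review bot: the rewritten `return` in `xssJacksonCustomizer` moves `new JacksonXssClean(properties, xssCleaner)` inside the lambda, so a deserializer is constructed on each invocation of the customizer instead of once when the bean method runs. That is equivalent as long as the constructor has no side effects, but it is a refactor unrelated to the usage scenario this commit adds and it drops the named `xssClean` local for no visible benefit. I would keep the original two lines or move this change into its own commit.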
mica-xss/src/main/java/net/dreamlu/mica/xss/core/XssCleanDeserializer.java
0 → 100644
/*
* Copyright (c) 2019-2029, Dreamlu 卢春梦 (596392912@qq.com & www.dreamlu.net).
* <p>
* Licensed under the GNU LESSER GENERAL PUBLIC LICENSE 3.0;
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
* <p>
* http://www.gnu.org/licenses/lgpl.html
* <p>
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package
net.dreamlu.mica.xss.core
;
import
com.fasterxml.jackson.core.JsonParser
;
import
com.fasterxml.jackson.databind.DeserializationContext
;
import
com.fasterxml.jackson.databind.JsonDeserializer
;
import
lombok.extern.slf4j.Slf4j
;
import
net.dreamlu.mica.core.spring.SpringContextUtil
;
import
net.dreamlu.mica.xss.config.MicaXssProperties
;
import
net.dreamlu.mica.xss.utils.XssUtil
;
import
java.io.IOException
;
/**
* jackson xss 处理
*
* @author L.cm
*/
@Slf4j
public
class
XssCleanDeserializer
extends
JsonDeserializer
<
String
>
{
@Override
public
String
deserialize
(
JsonParser
p
,
DeserializationContext
ctx
)
throws
IOException
{
// XSS filter
String
text
=
p
.
getValueAsString
();
if
(
text
==
null
)
{
return
null
;
}
// 读取 xss 配置
MicaXssProperties
properties
=
SpringContextUtil
.
getBean
(
MicaXssProperties
.
class
);
if
(
properties
==
null
)
{
return
text
;
}
// 读取 XssCleaner bean
XssCleaner
xssCleaner
=
SpringContextUtil
.
getBean
(
XssCleaner
.
class
);
if
(
xssCleaner
==
null
)
{
return
XssUtil
.
trim
(
text
,
properties
.
isTrimText
());
}
String
value
=
xssCleaner
.
clean
(
XssUtil
.
trim
(
text
,
properties
.
isTrimText
()));
log
.
debug
(
"Json property value:{} cleaned up by mica-xss, current value is:{}."
,
text
,
value
);
return
value
;
}
}
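Review bot: `deserialize` fails open. When `SpringContextUtil.getBean(MicaXssProperties.class)` returns null the method does `return text;`, and when the `XssCleaner` lookup returns null it returns only `XssUtil.trim(text, properties.isTrimText())`, so a field the developer explicitly annotated for cleaning reaches the application uncleaned and nothing is logged. The README pairs this deserializer with `@XssCleanIgnore` on the route, so there is no second filter behind it; both branches should throw, or at minimum log at warn level. Separately, the `log.debug` call writes the raw request value `text` into the log, which can include untrusted markup or sensitive field content; log the property name (`p.getCurrentName()`) and whether the value changed instead. The two bean lookups also run for every string value and could be resolved once and cached.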