Preventing JS injection in Spring MVC by stripping HTML tags during data binding
2014-11-05 21:38
441 views
The project I am working on did not account for JS injection from the start, so I want to defend against it on the back end by stripping HTML tags when Spring binds request data. I started by reading the source. Most of our controllers extend MultiActionController and use its bind(HttpServletRequest request, Object command) method. That method calls createBinder to create a ServletRequestDataBinder, which performs the binding. ServletRequestDataBinder's getInternalBindingResult method returns the binding result, and that is where we can register our own property editor (a subclass of PropertyEditorSupport) to process the parameters. The implementation therefore has three steps:
1. Write a string-handling class that extends PropertyEditorSupport.
2. Define a custom ServletRequestDataBinder that overrides getInternalBindingResult.
3. Extend MultiActionController and override createBinder.
1. The StringEditor class

```java
import java.beans.PropertyEditorSupport;

public class StringEditor extends PropertyEditorSupport {
    @Override
    public void setAsText(String text) throws IllegalArgumentException {
        if (text == null || (text = text.trim()).length() == 0) {
            return;
        }
        try {
            // strip opening tags (including attributes) and closing tags
            String str = text.replaceAll("<[a-zA-Z]+[1-9]?[^><]*>", "")
                             .replaceAll("</[a-zA-Z]+[1-9]?>", "");
            setValue(str);
        } catch (Exception e) {
            throw new IllegalArgumentException(e);
        }
    }
}
```
2. The CustomRequestDataBinder class

```java
import org.springframework.beans.PropertyEditorRegistry;
import org.springframework.validation.AbstractPropertyBindingResult;
import org.springframework.web.bind.ServletRequestDataBinder;

public class CustomRequestDataBinder extends ServletRequestDataBinder {
    public CustomRequestDataBinder(Object target) {
        super(target);
    }

    public CustomRequestDataBinder(Object target, String objectName) {
        super(target, objectName);
    }

    @Override
    protected AbstractPropertyBindingResult getInternalBindingResult() {
        AbstractPropertyBindingResult bindingResult = super.getInternalBindingResult();
        // register StringEditor for every String property, so all bound strings pass through it
        PropertyEditorRegistry registry = bindingResult.getPropertyEditorRegistry();
        registry.registerCustomEditor(String.class, new StringEditor());
        return bindingResult;
    }
}
```
3. The CustomMultiActionController class

```java
import javax.servlet.http.HttpServletRequest;
import org.springframework.web.bind.ServletRequestDataBinder;
import org.springframework.web.servlet.mvc.multiaction.MultiActionController;

public class CustomMultiActionController extends MultiActionController {
    @Override
    public ServletRequestDataBinder createBinder(HttpServletRequest request, Object command)
            throws Exception {
        // return our binder so bind() applies the StringEditor on every request
        CustomRequestDataBinder binder =
                new CustomRequestDataBinder(command, getCommandName(command));
        initBinder(request, binder);
        return binder;
    }
}
```
With this in place, any Controller that extends CustomMultiActionController has the HTML tags stripped from submitted data during binding. If a particular property needs to keep its HTML tags, read the unconverted value with request.getParameter instead.
This is only a simple example. You can register other property editors in the same way, for instance one for date formats, so that every submitted date is converted to a single format before it is stored.
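As an added check that is not part of the original post: the class below runs the post's two regular expressions stand-alone and shows two limits of tag stripping as a JS-injection defence. A single pass is not idempotent on nested tags (removing an inner tag can form a new outer one, so iterate to a fixpoint or, better, HTML-escape at output), and legitimate text containing `<` is silently destroyed. The class name StripTagsCheck and the sample inputs are constructed for this example.

```java
import java.util.regex.Pattern;

public class StripTagsCheck {
    // The two expressions from the post's StringEditor, unchanged.
    private static final Pattern OPEN  = Pattern.compile("<[a-zA-Z]+[1-9]?[^><]*>");
    private static final Pattern CLOSE = Pattern.compile("</[a-zA-Z]+[1-9]?>");
    /** One pass of open-tag then close-tag removal, exactly as StringEditor.setAsText does. */
    static String stripOnce(String s) {
        return CLOSE.matcher(OPEN.matcher(s).replaceAll("")).replaceAll("");
    }

    /** Repeat the pass until nothing changes, so removing one tag cannot leave a new one behind. */
    static String stripToFixpoint(String s) {
        String prev;
        do {
            prev = s;
            s = stripOnce(s);
        } while (!s.equals(prev));
        return s;
    }

    /** Alternative: escape rather than strip; the text survives and can never be parsed as markup. */
    static String escapeHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        String[] samples = {            // constructed inputs
            "hello <b>world</b>",       // plain markup: stripped cleanly in one pass
            "nested<b<i>>tag</b>",      // nested tag: one pass leaves "<b>" behind
            "x <y and z> w",            // not markup, yet the open-tag regex eats it
        };
        for (String in : samples) {
            String once = stripOnce(in);
            System.out.printf("%-22s once=%-16s idempotent=%-5b fixpoint=%-10s escaped=%s%n",
                    in, once, once.equals(stripOnce(once)), stripToFixpoint(in), escapeHtml(in));
        }
    }
}
```

The second sample comes out of one pass as `nested<b>tag`, so a controller that stores the single-pass result still persists a tag; only the fixpoint or escaped form is free of markup.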