dengzedong
2025-01-03 c9e48bd2dff2b5766589024cf7264189b5f2a05c
e7c126 1 package com.iailab.framework.xss.config;
H 2
3 import com.iailab.framework.common.enums.WebFilterOrderEnum;
4 import com.iailab.framework.xss.core.clean.JsoupXssCleaner;
5 import com.iailab.framework.xss.core.clean.XssCleaner;
6 import com.iailab.framework.xss.core.filter.XssFilter;
7 import com.iailab.framework.xss.core.json.XssStringJsonDeserializer;
8 import com.fasterxml.jackson.databind.ObjectMapper;
9 import org.springframework.boot.autoconfigure.AutoConfiguration;
10 import org.springframework.boot.autoconfigure.condition.ConditionalOnBean;
11 import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
12 import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
13 import org.springframework.boot.autoconfigure.jackson.Jackson2ObjectMapperBuilderCustomizer;
14 import org.springframework.boot.context.properties.EnableConfigurationProperties;
15 import org.springframework.boot.web.servlet.FilterRegistrationBean;
16 import org.springframework.context.annotation.Bean;
17 import org.springframework.util.PathMatcher;
18 import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;
19
20 import static com.iailab.framework.web.config.IailabWebAutoConfiguration.createFilterBean;
21
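/**
 * Auto-configuration for the XSS protection beans: the {@link XssCleaner}, the Jackson
 * {@code String} deserializer used for JSON parameters, and the servlet {@link XssFilter}.
 *
 * <p>The configuration is active when {@code iailab.xss.enable} is {@code true} or is not set
 * at all ({@code matchIfMissing = true}); any other value disables it.
 */
@AutoConfiguration
@EnableConfigurationProperties(XssProperties.class)
@ConditionalOnProperty(prefix = "iailab.xss", name = "enable", havingValue = "true", matchIfMissing = true) // set to false to disable
public class IailabXssAutoConfiguration implements WebMvcConfigurer {

    /**
     * Provides the default XSS cleaner.
     *
     * <p>Skipped when the application already defines its own {@link XssCleaner} bean.
     *
     * @return a {@link JsoupXssCleaner}
     */
    @Bean
    @ConditionalOnMissingBean(XssCleaner.class)
    public XssCleaner xssCleaner() {
        return new JsoupXssCleaner();
    }

    /**
     * Registers a Jackson deserializer for {@code String} values so that JSON parameters are
     * XSS-filtered while they are deserialized.
     *
     * <p>The property condition mirrors the class-level one, including
     * {@code matchIfMissing = true}. Without it, leaving {@code iailab.xss.enable} unset would
     * activate this configuration and register the servlet filter but skip this customizer,
     * so JSON values would never reach the {@link XssCleaner} under the default settings.
     *
     * <p>Only values that Jackson deserializes as {@code String} go through this deserializer.
     *
     * @param properties  XSS settings handed to the deserializer
     * @param pathMatcher path matcher handed to the deserializer
     * @param xssCleaner  cleaner handed to the deserializer
     * @return a customizer that installs {@link XssStringJsonDeserializer} for {@code String}
     */
    @Bean
    @ConditionalOnMissingBean(name = "xssJacksonCustomizer")
    @ConditionalOnBean(ObjectMapper.class)
    @ConditionalOnProperty(prefix = "iailab.xss", name = "enable", havingValue = "true", matchIfMissing = true)
    public Jackson2ObjectMapperBuilderCustomizer xssJacksonCustomizer(XssProperties properties,
                                                                      PathMatcher pathMatcher,
                                                                      XssCleaner xssCleaner) {
        // Filtering is applied on deserialization; XssStringJsonSerializer can be used instead
        // to apply it on serialization.
        return builder -> builder.deserializerByType(String.class, new XssStringJsonDeserializer(properties, pathMatcher, xssCleaner));
    }

    /**
     * Creates the {@link XssFilter} registration that addresses XSS in incoming requests.
     *
     * <p>Only registered when an {@link XssCleaner} bean is present.
     *
     * @param properties  XSS settings handed to the filter
     * @param pathMatcher path matcher handed to the filter
     * @param xssCleaner  cleaner handed to the filter
     * @return the registration built by {@code createFilterBean} with
     *         {@link WebFilterOrderEnum#XSS_FILTER} (presumably the filter's order; confirm in
     *         {@code IailabWebAutoConfiguration})
     */
    @Bean
    @ConditionalOnBean(XssCleaner.class)
    public FilterRegistrationBean<XssFilter> xssFilter(XssProperties properties, PathMatcher pathMatcher, XssCleaner xssCleaner) {
        return createFilterBean(new XssFilter(properties, pathMatcher, xssCleaner), WebFilterOrderEnum.XSS_FILTER);
    }

}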