如何确保传递参数没有任何跨站点脚本内容

时间:2016-01-27 12:42:37

标签: rest spring-security xss html-encode

我正在创建Rest Web服务使用Spring&将参数从模型类传递给方法。

我的输入参数为

{
    "user_id": 23,
    "user_email_id": "q@q.c",
    "user_password": "fdsdsdf",
    "firstname": "<script>window.alert(‘surprise!’);</script>",
    "lastname": "kdfgkdf",
    "mobile_number": "1414141414",
    "user_status": 1,
    "isdeleted": 0,
    "created_by": 1,
    "profile_picturename": "kfksdjfhksjd",
    "address": "sfdsdfsd"
}

&安培;我的ReST控制器方法是

@RequestMapping(value = "/validate", method = RequestMethod.POST, consumes = MediaType.APPLICATION_JSON_VALUE, produces = MediaType.APPLICATION_JSON_VALUE)
public Object AddUser(@Valid @RequestBody UserInputModel userInputModel, BindingResult br, HttpServletResponse response) throws Exception {
    //Logic

}

这里我想确保传递参数不包含任何Xss,或者我如何确保HTML编码器适用于我的输入模型

提前致谢

1 个答案:

答案 0 :(得分:4)

使用Hibernate Validator&#39; @SafeHtml注释:

https://docs.jboss.org/hibernate/validator/5.2/reference/en-US/html/ch02.html#validator-defineconstraints-hv-constraints

您需要添加jsoup作为依赖项

示例:

@Entity 
public class Foo {

  @SafeHtml(...)
  private String firstName;

}

然后,如果验证实体,如果firstName包含xss

,则无效