# aiwiown-xss-thymleaf

**Repository Path**: dbin0123/aiwiown-xss-thymleaf

## Basic Information

- **Project Name**: aiwiown-xss-thymleaf
- **Description**: XSS attacks
- **Primary Language**: Java
- **License**: Apache-2.0
- **Default Branch**: master
- **Homepage**: None
- **GVP Project**: No

## Statistics

- **Stars**: 0
- **Forks**: 0
- **Created**: 2019-10-25
- **Last Updated**: 2020-12-19

## Categories & Tags

**Categories**: security-dev

**Tags**: None

## README

# aiwiown-xss-thymleaf

#### Introduction

Mitigates XSS attacks in web projects.

#### Usage

##### 1. Import the dependency

```xml
<dependency>
    <groupId>com.aiwiown</groupId>
    <artifactId>aiwiown-xss-thymleaf</artifactId>
    <version>3.0.1</version>
</dependency>
```

##### 2. Filter usage

###### 2.1. With Shiro

```java
/**
 * Shiro filter
 *
 * @param securityManager the Shiro SecurityManager bean
 * @return the configured ShiroFilterFactoryBean
 */
@Bean
public ShiroFilterFactoryBean shiroFilter(SecurityManager securityManager) {
    ShiroFilterFactoryBean shiroFilterFactoryBean = new ShiroFilterFactoryBean();
    shiroFilterFactoryBean.setSecurityManager(securityManager);
    // Users who are not logged in can only reach the login page
    shiroFilterFactoryBean.setLoginUrl("/login");
    // Where to redirect after a successful login
    shiroFilterFactoryBean.setSuccessUrl("/index");
    // Unauthorized page; this setting has no effect in practice, look up the reason yourself if you want to dig in
    shiroFilterFactoryBean.setUnauthorizedUrl("/403");

    // ============================== Custom filters ==============================
    LinkedHashMap<String, Filter> filtersMap = new LinkedHashMap<>();
    // Register the XSS request-wrapping filter under the name "xss" so it can be used in chain definitions
    filtersMap.put("xss", new RequestWrapperXSSFilter());
    shiroFilterFactoryBean.setFilters(filtersMap);

    // ============================== Filter chain definitions ==============================
    LinkedHashMap<String, String> filterChainDefinitionMap = new LinkedHashMap<>();
    filterChainDefinitionMap.put("/login", "anon");
    filterChainDefinitionMap.put("/regist", "anon");
    // ...other code...
    filterChainDefinitionMap.put("/**", "authc,xss");
    shiroFilterFactoryBean.setFilterChainDefinitionMap(filterChainDefinitionMap);
    return shiroFilterFactoryBean;
}
```

###### 2.2. Spring Boot configuration

```java
/**
 * created at 2018-11-07 15:17
 * @author dbin0123
 */
@Configuration
public class WebConfig extends WebMvcConfigurationSupport {

    // other code

    /**
     * Registers the request-wrapping XSS filter
     * @return the filter registration
     */
    @Bean
    public FilterRegistrationBean<RequestWrapperXSSFilter> requestWrapperFilterRegistration() {
        FilterRegistrationBean<RequestWrapperXSSFilter> registration = new FilterRegistrationBean<>();
        // other filters
        registration.setFilter(new RequestWrapperXSSFilter());
        return registration;
    }

    // other code
}
```

##### 3. Thymeleaf dialect configuration

```java
/**
 * Thymeleaf dialect configuration
 *
 * Title: ThymeleafDialectConfig
 *
 * Description:
 *
 * @author dbin0123
 * @version 1.0.0
 * @date 2019/10/25 10:57
 */
@Configuration
public class ThymeleafDialectConfig {

    /**
     * System dialect
     * Main purposes:
     * 1. Fixes escaped characters being shown when editing HTML-escaped content;
     *    used through the dialect attribute described in section 4
     *
     * @return the UnEscapeHtml4 dialect bean
     */
    @Bean(name = "unEscapeHtml4")
    public UnEscapeHtml4 unEscapeHtml4() {
        return new UnEscapeHtml4();
    }
}
```

##### 4. HTML usage

HTML head (the head snippet did not survive in this copy of the README).

Replace `th:value` with `aiwiown:value` on the fields that render previously escaped content.
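The README leaves the reason for the `unEscapeHtml4` dialect implicit: the request-wrapping filter escapes parameter values on the way in, so what gets stored is already entity-encoded, and when that value is rendered back into an edit form with `th:value`, Thymeleaf escapes it a second time and the user sees `&amp;lt;` literally. The following is an added example, not code from the aiwiown project, that models that round trip with only the JDK; it assumes the filter escapes the five HTML-significant characters the way a commons-text `escapeHtml4`-style routine would (the library's exact table is not shown in the README), and the class, method and sample form values are constructed for the illustration.

```java
import java.util.LinkedHashMap;
import java.util.Map;

/**
 * Constructed illustration (not the aiwiown library's code) of the
 * escape-on-input / unescape-then-re-escape round trip that the README's
 * RequestWrapperXSSFilter and UnEscapeHtml4 bean are assumed to implement.
 * Run with: java XssRoundTrip.java
 */
public class XssRoundTrip {

    // Entity table for the characters that matter for HTML injection.
    // commons-text's escapeHtml4 leaves the apostrophe alone; it is included
    // here because it matters inside single-quoted attributes.
    private static final Map<Character, String> ESCAPES = new LinkedHashMap<>();
    static {
        ESCAPES.put('&', "&amp;");
        ESCAPES.put('<', "&lt;");
        ESCAPES.put('>', "&gt;");
        ESCAPES.put('"', "&quot;");
        ESCAPES.put('\'', "&#39;");
    }

    /** Escapes the way an input filter would before the value reaches the application. */
    public static String escapeHtml4(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            String e = ESCAPES.get(c);
            if (e != null) {
                out.append(e);
            } else {
                out.append(c);
            }
        }
        return out.toString();
    }

    /**
     * Reverse of escapeHtml4. "&amp;" is decoded last so that a double-escaped
     * "&amp;lt;" becomes "&lt;" and not "<" (one layer per call, never more).
     */
    public static String unescapeHtml4(String s) {
        String out = s.replace("&lt;", "<")
                      .replace("&gt;", ">")
                      .replace("&quot;", "\"")
                      .replace("&#39;", "'");
        return out.replace("&amp;", "&");
    }

    /** Stand-in for the request wrapper: getParameter escapes on read (assumed behaviour). */
    public static final class EscapingRequest {
        private final Map<String, String> raw;

        public EscapingRequest(Map<String, String> raw) {
            this.raw = raw;
        }

        public String getParameter(String name) {
            String v = raw.get(name);
            return v == null ? null : escapeHtml4(v);
        }
    }

    /** What th:value does: escape the expression result into the attribute. */
    public static String renderThValue(String stored) {
        return "<input type=\"text\" value=\"" + escapeHtml4(stored) + "\"/>";
    }

    /** What aiwiown:value is expected to do: undo the input escaping once, then let Thymeleaf escape once. */
    public static String renderAiwiownValue(String stored) {
        return "<input type=\"text\" value=\"" + escapeHtml4(unescapeHtml4(stored)) + "\"/>";
    }

    public static void main(String[] args) {
        // Constructed form submission containing markup-significant characters.
        Map<String, String> form = new LinkedHashMap<>();
        form.put("nickname", "Tom <b>&</b> \"Jerry\"");

        // 1. The filter escapes on input; this is what the controller sees and persists.
        String stored = new EscapingRequest(form).getParameter("nickname");
        System.out.println("stored       : " + stored);
        // stored       : Tom &lt;b&gt;&amp;&lt;/b&gt; &quot;Jerry&quot;

        // 2. Plain th:value escapes again: the edit box shows "&lt;b&gt;" as literal text.
        System.out.println("th:value     : " + renderThValue(stored));

        // 3. aiwiown:value unescapes once, Thymeleaf escapes once: the box shows the
        //    original text, and the attribute value is still inert markup.
        System.out.println("aiwiown:value: " + renderAiwiownValue(stored));
    }
}
```

The point to keep in mind when wiring this into a real template is that `unescapeHtml4` is only safe because its output goes straight back through Thymeleaf's attribute escaping; feeding the unescaped value into `th:utext` or string-concatenated HTML would put the original markup back in the page and reintroduce the injection the filter removed.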