Struts 2 防御存储型XSS攻击

在Struts中拦截XSS攻击可以通过配置拦截器来实现。以下是一个示例代码来演示如何在Struts中拦截XSS攻击：

创建XSS拦截器类

1. 创建一个XSS拦截器类，实现com.opensymphony.xwork2.interceptor.Interceptor接口。

   import com.hoau.hbdp.framework.define.Protocol;
   import com.hoau.hbdp.framework.server.context.AppContext;
   import com.hoau.hbdp.framework.server.web.interceptor.AbstractInterceptor;
   import com.hoau.hbdp.framework.server.web.result.json.JSONPopulator;
   import com.hoau.hbdp.framework.server.web.result.json.annotation.JSON;
   import com.hoau.hbdp.framework.server.web.xss.ParametersValidatorException;
   import com.opensymphony.xwork2.ActionInvocation;
   import org.apache.commons.logging.Log;
   import org.apache.commons.logging.LogFactory;
   import org.apache.struts2.ServletActionContext;
   import org.codehaus.jackson.map.ObjectMapper;
   import org.springframework.core.annotation.AnnotationUtils;
   import org.springframework.util.ReflectionUtils;
    
   import javax.servlet.http.HttpServletRequest;
   import javax.servlet.http.HttpServletResponse;
   import java.io.BufferedReader;
   import java.lang.reflect.Method;
   import java.util.Map;
   import java.util.regex.Pattern;
    
   /**
    * @author 
    * @desc 防存储箱Xss攻击
    * @date 2023/11/06 10:43
    **/
   public class XssInterceptor extends AbstractInterceptor {
    
       private static final long serialVersionUID = -3423290391156261612L;
    
       private final Log log = LogFactory.getLog(getClass());
    
       /**
        * 序列化及缓存类
        */
       private static final ObjectMapper MAPPER = new ObjectMapper();
    
    
       /**
        * JSON格式反序列化并绑定到Action中的属性上
        *
        * @param invocation
        * @return
        * @throws Exception
        * @since:
        * @see com.opensymphony.xwork2.interceptor.AbstractInterceptor#intercept(ActionInvocation)
        * intercept
        */
       @Override
       public String intercept(ActionInvocation invocation) throws Exception {
           HttpServletRequest request = ServletActionContext.getRequest();
           HttpServletResponse response = ServletActionContext.getResponse();
           String contentType = request.getHeader("content-type");
           if (contentType != null) {
               int iSemicolonIdx = contentType.indexOf(';');
               if (iSemicolonIdx != -1) {
                   contentType = contentType.substring(0, iSemicolonIdx);
               }
           }
    
           Object rootObject = invocation.getAction();
    
           Class clazz = invocation.getAction().getClass();
           String methodName = invocation.getProxy().getMethod();
           Method method = ReflectionUtils.findMethod(clazz, methodName);
           //如果在Action方法上加入JSON的注解，那么就可以在应用这个方法的时候，把错误的结果信息转换为json
           if (Protocol.JSON_CONTENT_TYPE.equalsIgnoreCase(contentType) || AnnotationUtils.isAnnotationDeclaredLocally(JSON.class, clazz)
                   || (method != null && method.isAnnotationPresent(JSON.class))) {
               BufferedReader reader = request.getReader();
               int bytesRead;
               StringBuilder stringBuilder = new StringBuilder();
               char[] charBuffer = new char[2048];
               while ((bytesRead = reader.read(charBuffer)) > 0) {
                   stringBuilder.append(charBuffer, 0, bytesRead);
               }
               if (stringBuilder.toString().length() > 0) {
                   //过滤参数
                   try {
                       String valuestr = AppContext.getParametersValidator().doValidator(stringBuilder.toString(), response);
                       valuestr = stripXSS(valuestr);
                       @SuppressWarnings("rawtypes")
                       Map json = MAPPER.readValue(valuestr, Map.class);
                       JSONPopulator.populateObject(rootObject, json);
                   } catch (ParametersValidatorException e) {
                       return "success";
                   }
               }
           } else {
               if (log.isDebugEnabled()) {
                   log.debug("Content type must be 'application/json' or 'application/json-rpc'. Ignoring request with content type "
                           + contentType);
               }
           }
           return invocation.invoke();
       }
    
       private String stripXSS(String value) {
           if (value != null) {
               value = value.replaceAll("", "");
               Pattern scriptPattern = Pattern.compile("", Pattern.CASE_INSENSITIVE);
               value = scriptPattern.matcher(value).replaceAll("");
    
               // Avoid anything in a src='...' type of expression
               scriptPattern = Pattern.compile("src[\r\n]*=[\r\n]*\\\'(.*?)\\\'", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
               value = scriptPattern.matcher(value).replaceAll("");
    
               scriptPattern = Pattern.compile("src[\r\n]*=[\r\n]*\\\"(.*?)\\\"", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
               value = scriptPattern.matcher(value).replaceAll("");
    
               scriptPattern = Pattern.compile("src[\r\n]*=[\r\n]*", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
               value = scriptPattern.matcher(value).replaceAll("");
    
               // Remove any lonesome  tag
               scriptPattern = Pattern.compile("", Pattern.CASE_INSENSITIVE);
               value = scriptPattern.matcher(value).replaceAll("");
    
               // Remove any lonesome