  • XSS filter handling for JSON parameters (request, response)
    Spring Framework 2023. 8. 11. 20:44

    While developing an API I found that Naver Lucy does not apply its filter to JSON data, so I added the configuration below.

     

    How to apply XSS filtering to the JSON data received in the request

    - Filtering is completed before the request enters the Controller

     

    1. Add the Naver Lucy Maven dependency and XML configuration files

        - See the naver lucy GitHub repository

     

    2. Add an XssConfig.class file

        - Converts the JSON object into a Java object: each JSON value is read as a String and passed through the XSS filter before it is stored in the field

    import java.io.IOException;

    import com.fasterxml.jackson.core.JsonParser;
    import com.fasterxml.jackson.databind.DeserializationContext;
    import com.fasterxml.jackson.databind.JsonDeserializer;
    import com.nhncorp.lucy.security.xss.XssPreventer;

    // Custom Jackson deserializer: every String field that points at this class
    // is escaped by Lucy's XssPreventer before it reaches the DTO.
    public class XssConfig extends JsonDeserializer<String> {
        @Override
        public String deserialize(JsonParser p, DeserializationContext ctxt) throws IOException {
            String value = p.getValueAsString();
            if (value == null) {
                return null;
            }
            // xss filtering: escape HTML-significant characters in the incoming value
            return XssPreventer.escape(value);
        }
    }

     

    3. Add the annotation to each DTO field that should be XSS-filtered

    @JsonDeserialize(using = XssConfig.class)
    private String boardTitle;

     

    How to apply XSS filtering to the JSON data sent in the response

    1. Add to pom.xml

    <!-- https://mvnrepository.com/artifact/org.apache.commons/commons-text -->
    <dependency>
        <groupId>org.apache.commons</groupId>
        <artifactId>commons-text</artifactId>
        <version>1.9</version>
    </dependency>

     

    2. Create a new HtmlCharacterEscapes.class file

    import com.fasterxml.jackson.core.SerializableString;
    import com.fasterxml.jackson.core.io.CharacterEscapes;
    import com.fasterxml.jackson.core.io.SerializedString;
    import org.apache.commons.text.StringEscapeUtils;

    // Tells Jackson which ASCII characters need a custom escape on output and
    // supplies the replacement text for each of them.
    public class HtmlCharacterEscapes extends CharacterEscapes {

        private final int[] asciiEscapes;

        public HtmlCharacterEscapes() {
            // 1. Specify the special characters to escape for XSS prevention
            asciiEscapes = CharacterEscapes.standardAsciiEscapesForJSON();
            asciiEscapes['<'] = CharacterEscapes.ESCAPE_CUSTOM;
            asciiEscapes['>'] = CharacterEscapes.ESCAPE_CUSTOM;
            asciiEscapes['&'] = CharacterEscapes.ESCAPE_CUSTOM;
            asciiEscapes['\"'] = CharacterEscapes.ESCAPE_CUSTOM;
            asciiEscapes['('] = CharacterEscapes.ESCAPE_CUSTOM;
            asciiEscapes[')'] = CharacterEscapes.ESCAPE_CUSTOM;
            asciiEscapes['#'] = CharacterEscapes.ESCAPE_CUSTOM;
            asciiEscapes['\''] = CharacterEscapes.ESCAPE_CUSTOM;
        }

        @Override
        public int[] getEscapeCodesForAscii() {
            return asciiEscapes;
        }

        @Override
        public SerializableString getEscapeSequence(int ch) {
            // escapeHtml4 turns < > & " into entities; for ( ) # ' it returns the
            // character unchanged, so those table entries above are effectively no-ops.
            return new SerializedString(StringEscapeUtils.escapeHtml4(Character.toString((char) ch)));
        }

    }

     

    3. Create a new WebMvcConfig.class file

    import com.fasterxml.jackson.databind.ObjectMapper;
    import lombok.RequiredArgsConstructor;
    import lombok.extern.slf4j.Slf4j;
    import org.springframework.context.annotation.Bean;
    import org.springframework.context.annotation.Configuration;
    import org.springframework.http.converter.json.MappingJackson2HttpMessageConverter;

    @Slf4j
    @RequiredArgsConstructor
    @Configuration
    public class WebMvcConfig {

        private final ObjectMapper objectMapper;

        // Registers a JSON converter whose ObjectMapper escapes HTML characters on output.
        @Bean
        public MappingJackson2HttpMessageConverter jsonEscapeConverter() {
            // copy() so the escapes apply only to this converter, not to the shared mapper
            ObjectMapper copy = objectMapper.copy();
            copy.getFactory().setCharacterEscapes(new HtmlCharacterEscapes());
            return new MappingJackson2HttpMessageConverter(copy);
        }
    }

     

    * Result of the JSON response XSS handling
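    As an added example that is not part of the original post, the response-side escaping can be checked with a plain ObjectMapper, without Spring. It goes one step beyond the class above: since escapeHtml4 leaves ' ( ) # unchanged, the apostrophe is mapped to &#39; explicitly and the other three are dropped from the table. Assumes Jackson 2.x and commons-text 1.9 on the classpath; the payload is constructed.

```java
import java.util.Map;
import com.fasterxml.jackson.core.SerializableString;
import com.fasterxml.jackson.core.io.CharacterEscapes;
import com.fasterxml.jackson.core.io.SerializedString;
import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.databind.ObjectMapper;
import org.apache.commons.text.StringEscapeUtils;

public class JsonEscapeDemo {

    // Same mechanism as HtmlCharacterEscapes, restricted to the characters
    // escapeHtml4 actually handles, plus an explicit rule for the apostrophe.
    static class DemoEscapes extends CharacterEscapes {
        private final int[] asciiEscapes = CharacterEscapes.standardAsciiEscapesForJSON();

        DemoEscapes() {
            for (char c : new char[] {'<', '>', '&', '"', '\''}) {
                asciiEscapes[c] = CharacterEscapes.ESCAPE_CUSTOM;
            }
        }

        @Override
        public int[] getEscapeCodesForAscii() {
            return asciiEscapes;
        }

        @Override
        public SerializableString getEscapeSequence(int ch) {
            if (ch == '\'') {
                return new SerializedString("&#39;"); // escapeHtml4 would return ' unchanged
            }
            return new SerializedString(StringEscapeUtils.escapeHtml4(Character.toString((char) ch)));
        }
    }

    // Returns the escaped JSON document for a constructed DTO-like map.
    static String writeEscaped(Map<String, String> body) throws Exception {
        ObjectMapper mapper = new ObjectMapper();
        mapper.getFactory().setCharacterEscapes(new DemoEscapes());
        return mapper.writeValueAsString(body);
    }

    public static void main(String[] args) throws Exception {
        // constructed sample: a stored board title that contains markup
        String json = writeEscaped(Map.of("boardTitle", "<script>alert('x')</script> & \"q\""));
        System.out.println(json);
        // Parsing it back with a default mapper shows the document is still valid JSON
        // and that the client receives entities instead of raw tags.
        JsonNode node = new ObjectMapper().readTree(json);
        System.out.println(node.get("boardTitle").asText());
    }
}
```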

     

    References:

    https://circlee7.medium.com/spring-boot-jackson-json-xss-%EC%B2%98%EB%A6%AC-fdc85a18e9f2
    https://velog.io/@tjddnths0223/SpringBoot-JSON-API%EC%97%90%EC%84%9C-XSS-Filter-%EC%A0%81%EC%9A%A9%ED%95%98%EA%B8%B0
