XSS(Cross Site Scripting) 방지를 위해 널리 쓰이는 lucy-xss-servlet-filter는 form-data에 대해서만 적용되고, Request Body로 넘어가는 JSON에 대해서는 처리해주지 않는다.
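/**
 * Routes every JSON string value that Jackson binds to a {@code String} through
 * lucy-xss escaping, so request bodies get an XSS treatment comparable to what
 * lucy-xss-servlet-filter applies to form parameters.
 *
 * <p>Scope: only values deserialized by the registered {@code String} deserializer
 * are escaped. Values bound through other paths (for example an {@code Object}-typed
 * field or a raw {@code JsonNode}) are not necessarily routed through it — verify
 * against the application's models before relying on this for them.
 *
 * <p>Escaping at input time stores the escaped form: consumers that do not render
 * HTML will see the entities, and a view layer that encodes again will
 * double-encode. Output encoding remains the primary control; this module is an
 * additional layer, not a replacement for it.
 */
public class XssConfig {

    /** Lets the auto-configured {@code ObjectMapper} discover modules via {@code ServiceLoader}. */
    @Configuration
    @ConditionalOnClass(name = "com.fasterxml.jackson.databind.ObjectMapper")
    protected static class JacksonCustomizerConfig {

        /**
         * @return a customizer that turns on {@code ServiceLoader}-based module discovery
         */
        @Bean
        public Jackson2ObjectMapperBuilderCustomizer objectMapperBuilderCustomizer() {
            return customizer -> customizer.findModulesViaServiceLoader(true);
        }
    }

    /**
     * Exposes the XSS-escaping module as a bean; presumably the Jackson
     * auto-configuration picks up {@code Module} beans and registers them — confirm
     * against the Spring Boot version in use.
     */
    @Configuration
    @ConditionalOnClass(name = "com.fasterxml.jackson.databind.module.SimpleModule")
    public static class JacksonModuleProvider {

        /**
         * @return a module that maps {@code String.class} to {@link XssProtectionJsonDeserializer}
         */
        @Bean
        public SimpleModule xssProtectionModule() {
            return new SimpleModule(
                    "XssProtectionModule",
                    Version.unknownVersion(),
                    Map.of(String.class, new XssProtectionJsonDeserializer()));
        }
    }

    /**
     * {@code String} deserializer that parses the value exactly as
     * {@link StringDeserializer} does and then escapes it with lucy-xss
     * {@code XssPreventer.escape} before handing it to the target object.
     */
    static class XssProtectionJsonDeserializer extends StringDeserializer
            implements ContextualDeserializer {

        private static final long serialVersionUID = 1L;

        /**
         * No per-property customisation is needed, so the same instance serves every property.
         *
         * @param c the deserialization context (unused)
         * @param bp the property being bound (unused)
         * @return {@code this}
         */
        @Override
        public JsonDeserializer<String> createContextual(
                final DeserializationContext c, final BeanProperty bp) {
            return this;
        }

        /**
         * Parses the string via the parent deserializer and returns its escaped form.
         *
         * @param p the parser positioned at the value
         * @param c the deserialization context
         * @return the escaped string, or {@code null} when the parent yields {@code null}
         * @throws IOException if the underlying parse fails
         */
        @Nullable
        @Override
        public String deserialize(final JsonParser p, final DeserializationContext c)
                throws IOException {
            final String raw = super.deserialize(p, c);
            // The parent is declared to return a String and may yield null under Jackson's
            // null/empty coercion settings — TODO(review): confirm for the project's Jackson
            // version. Passing null straight through keeps the result independent of how
            // XssPreventer.escape treats a null argument.
            if (raw == null) {
                return null;
            }
            return com.nhncorp.lucy.security.xss.XssPreventer.escape(raw);
        }
    }
}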
참고 : https://velog.io/@looniverse/xss-%EB%B0%A9%EC%96%B4-RequestBody