
How to Prevent XSS Attacks with mica-xss: A Step-by-Step Guide

This article explains what XSS attacks are, demonstrates simple exploitation scenarios, and provides a comprehensive solution using the mica-xss library with Spring MVC, including dependency setup, request filtering, testing methods, and the underlying Jsoup‑based implementation.

Java Architecture Diary

What is XSS

XSS (Cross Site Scripting) is a common web security vulnerability that allows malicious code to be injected into pages viewed by other users.

XSS Attack Flow

Simple XSS Attack Example

If a form does not sanitize input, a user can submit malicious code that the browser will execute.

Solutions

XSS Filtering Explanation

Apply XSS processing to string parameters bound to forms.

Apply XSS processing to JSON string data.

Provide route and controller method level allow‑list rules.

Using mica-xss

Add the following Maven dependency:

<code><!-- XSS security filtering -->
<dependency>
  <groupId>net.dreamlu</groupId>
  <artifactId>mica-core</artifactId>
  <version>2.0.9-GA</version>
</dependency>
<dependency>
  <groupId>net.dreamlu</groupId>
  <artifactId>mica-xss</artifactId>
  <version>2.0.9-GA</version>
</dependency></code>

Testing XSS Filtering

Testing GET Parameter Filtering

Create a target endpoint to simulate a GET request.

<code>@GetMapping("/xss")
public String xss(String params) {
  return params;
}</code>

Expect an empty response when the parameter is filtered.

<code>curl --location --request GET 'http://localhost:8080/xss?params=%3Cscript%3Ealert(%27xxx%27)%3C/script%3E'</code>

Testing POST Form Parameter Filtering

Create a target endpoint to simulate a POST form submission.

<code>@PostMapping("/xss")
public String xss(String params) {
  return params;
}</code>

Expect an empty response when the parameter is filtered.

<code>curl --location --request POST 'http://localhost:8080/xss' \
  --header 'Content-Type: application/x-www-form-urlencoded' \
  --data-urlencode "params=<script>alert('xxx')</script>"</code>

Testing POST Body Parameter Filtering

Create a target endpoint to simulate a POST body submission.

<code>@PostMapping("/xss")
public String xss(@RequestBody Map<String,String> body) {
  return body.get("params");
}</code>

Expect an empty response when the parameter is filtered.

<code>curl --location --request POST 'http://localhost:8080/xss' \
  --header 'Content-Type: application/json' \
  --data-raw '{
    "params":"<script>alert('\''XXX'\'')</script>"
}'</code>

Skipping Filtering for Certain Endpoints

Use the @XssCleanIgnore annotation to skip filtering for a single controller method or, when placed on the class, for every method in that controller.

<code>@XssCleanIgnore
@PostMapping("/xss")
public String xss(@RequestBody Map<String,String> body) {
  return body.get("params");
}</code>

Principle Analysis

Common Implementation Analysis

Most solutions add an XssFilter that intercepts user‑submitted parameters, performs escaping and blacklist exclusion, and then proceeds with business logic.

The key step is wrapping the original request in a request wrapper so that the request body, which a servlet can normally consume only once, can be read again by downstream code.

mica-xss Implementation

1. Custom WebDataBinder Editor for Form Filtering

Spring's WebDataBinder binds request parameters to JavaBeans. By providing a custom editor, you can filter input during the binding process.

2. Custom JsonDeserializer for JSON Filtering

Spring Boot uses Jackson for JSON (de)serialization. By implementing a custom JsonDeserializer, you can filter JSON payloads before they are bound to Java objects.

3. Core Filtering Logic

mica-xss builds on Jsoup, an HTML parser that implements the WHATWG HTML5 specification and produces the same DOM that modern browsers build from the same markup.

Extract and parse HTML from URLs, files, or strings.

Traverse the DOM or use CSS selectors to find and extract data.

Manipulate HTML elements, attributes, and text.

Sanitize user‑submitted content using a whitelist to prevent XSS attacks.

Output clean, well‑formed HTML.
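As an added illustration of steps 1 and 3 (this is example code written for this article, not code from mica-xss), the following Spring MVC binder advice runs every bound String through a Jsoup safelist cleaner. The class name XssBindingAdvice and the sample inputs are constructed here, and the Jsoup calls assume jsoup 1.14 or later, where the safelist type is named Safelist.

```java
import java.beans.PropertyEditorSupport;
import org.jsoup.Jsoup;
import org.jsoup.safety.Safelist;
import org.springframework.web.bind.WebDataBinder;
import org.springframework.web.bind.annotation.ControllerAdvice;
import org.springframework.web.bind.annotation.InitBinder;

/** Illustrative stand-in for mica-xss steps 1 and 3: a WebDataBinder editor that
 *  cleans every bound String with a Jsoup safelist. Not the library's own code. */
@ControllerAdvice
public class XssBindingAdvice {

    /**
     * Safelist.none() keeps text only, so a bare <script> payload comes back empty,
     * which is the "empty response" the curl tests above expect.
     */
    public static String clean(String raw) {
        if (raw == null) {
            return null;
        }
        // Jsoup parses the fragment with its HTML5 parser, drops every element that is
        // not on the safelist (the body of <script> is data, not text, so it goes too)
        // and re-serialises what is left as HTML-encoded text.
        return Jsoup.clean(raw, Safelist.none()).trim();
    }

    /** Applies to all controllers because this class is a @ControllerAdvice. */
    @InitBinder
    public void registerStringEditor(WebDataBinder binder) {
        binder.registerCustomEditor(String.class, new PropertyEditorSupport() {
            @Override
            public void setAsText(String text) {
                setValue(clean(text));
            }
        });
    }

    public static void main(String[] args) {
        // Constructed sample inputs: the curl payload plus two cases a naive blacklist misses.
        String[] samples = {
            "<script>alert('xxx')</script>",        // -> "" (tag and script body removed)
            "<b onclick=\"alert(1)\">hello</b>",     // -> "hello" (handler gone with the tag)
            "O'Reilly & Sons <3"                     // -> "O'Reilly &amp; Sons &lt;3" (HTML-encoded)
        };
        for (String s : samples) {
            System.out.printf("%-40s -> [%s]%n", s, clean(s));
        }
    }
}
```

The third sample shows the trade-off of cleaning at bind time: harmless text containing `&` or `<` is stored HTML-encoded, so any later output path that encodes again will double-escape it.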

Source code: https://gitee.com/596392912/mica

Tags: Spring, XSS, web security, input validation, Jsoup, mica-xss