From 5a6c977584acf69f7bb846c6e6cba3c26fa04d98 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E5=BC=A0=E6=99=B6=E6=99=B6?= Date: Fri, 22 Mar 2019 18:40:19 +0800 Subject: [PATCH] =?UTF-8?q?xss=E8=BF=87=E6=BB=A4=E5=99=A8=E4=B8=ADgetParam?= =?UTF-8?q?eter=E5=92=8CgetParaterMap=E4=B8=8D=E7=94=9F=E6=95=88=E9=97=AE?= =?UTF-8?q?=E9=A2=98;=20=E6=89=A9=E5=B1=95=E5=A2=9E=E5=8A=A0=E8=84=9A?= =?UTF-8?q?=E6=9C=AC=E6=94=BB=E5=87=BB=E7=9A=84=E6=8B=A6=E6=88=AA=E9=85=8D?= =?UTF-8?q?=E7=BD=AE;?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../xss/XssHttpServletRequestWrapper.java | 87 +++++++++++++++++++ 1 file changed, 87 insertions(+) diff --git a/ruoyi-common/src/main/java/com/ruoyi/common/xss/XssHttpServletRequestWrapper.java b/ruoyi-common/src/main/java/com/ruoyi/common/xss/XssHttpServletRequestWrapper.java index be125f249..53ebec38d 100644 --- a/ruoyi-common/src/main/java/com/ruoyi/common/xss/XssHttpServletRequestWrapper.java +++ b/ruoyi-common/src/main/java/com/ruoyi/common/xss/XssHttpServletRequestWrapper.java @@ -5,6 +5,10 @@ import javax.servlet.http.HttpServletRequestWrapper; import org.jsoup.Jsoup; import org.jsoup.safety.Whitelist; +import java.util.HashMap; +import java.util.Iterator; +import java.util.Map; + /** * XSS过滤处理 * 
@@ -32,9 +36,92 @@ public class XssHttpServletRequestWrapper extends HttpServletRequestWrapper {
 // 防xss攻击和过滤前后空格
 escapseValues[i] = Jsoup.clean(values[i], Whitelist.relaxed()).trim();
+ //zjj-自定义规则及js脚本注入过滤
+ escapseValues[i] = filterXSS(escapseValues[i]);
 }
 return escapseValues;
 }
 return super.getParameterValues(name);
 }
+
+ /**
+ *@描述 过滤getParameter中xss攻击
+ *@参数 [name]
+ *@返回值 java.lang.String[]
+ *@创建人 zhangjingjing
+ *@创建时间 2019/3/22
+ *@修改人和其它信息
+ */
+ public String getParameter(String parameter) {
+ String value = super.getParameter(parameter);
+ if (value == null) {
+ return null;
+ }
+ String result = Jsoup.clean(value, Whitelist.relaxed()).trim();
+ //zjj-自定义规则及js脚本注入过滤
+ result = filterXSS(result);
+ return result;
+
+ }
+ /**
+ *@描述 过滤getParameterMap中xss攻击
+ *@参数 [name]
+ *@返回值 java.lang.String[]
+ *@创建人 zhangjingjing
+ *@创建时间 2019/3/22
+ *@修改人和其它信息
+ */
+ public Map getParameterMap() {
+ Map properties = super.getParameterMap();
+ Map returnMap = new HashMap();
+ Iterator entries = properties.entrySet().iterator();
+ Map.Entry entry;
+ String name;
+ while (entries.hasNext()) {
+ entry = (Map.Entry) entries.next();
+ name = (String) entry.getKey();
+ Object valueObj = entry.getValue();
+ if(null == valueObj){
+ returnMap.put(name, "");
+ }else if(valueObj instanceof String[]){
+ String[] values = (String[]) valueObj;
+ int length = values.length;
+ String[] escapseValues = new String[length];
+ for (int i = 0; i < length; i++)
+ {
+ // 防xss攻击和过滤前后空格
+ String pValue = values[i];
+ //System.out.println("当前map-xss过滤前参数值:"+pValue);
+ //zjj-jsoup过滤html标签
+ escapseValues[i] = Jsoup.clean(pValue, Whitelist.relaxed()).trim();
+ //zjj-自定义规则及js脚本注入过滤
+ escapseValues[i] = filterXSS(escapseValues[i]);
+ //System.out.println("当前map-xss过滤后参数值:"+escapseValues[i]);
+ }
+ returnMap.put(name, escapseValues);
+ }else{
+ String value = valueObj.toString();
+ if (value == null) {
+ return null;
+ }
+ String result = Jsoup.clean(value, Whitelist.relaxed()).trim();
+ //zjj-自定义规则及js脚本注入过滤
+ result = filterXSS(result);
+ returnMap.put(name, result);
+ }
+ }
+ return returnMap;
+ }
+
+
+ private String filterXSS(String value) {
+ value = value.replaceAll("<", "& lt;").replaceAll(">", "& gt;");
+ value = value.replaceAll("\\(", "& #40;").replaceAll("\\)", "& #41;");
+ value = value.replaceAll("'", "& #39;");
+ value = value.replaceAll("eval\\((.*)\\)", "");
+ value = value.replaceAll("[\\\"\\\'][\\s]*javascript:(.*)[\\\"\\\']", "\"\"");
+ value = value.replaceAll("script", "");
+ return value;
+ }
+ }
\ No newline at end of file
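Review bot: `filterXSS` is a substring blacklist that corrupts legitimate values rather than hardening anything: `replaceAll("script", "")` turns `description` into `de`, `'` becomes the non-entity `& #39;` (so `O'Brien` is stored mangled), and because it runs after `Jsoup.clean` its `<`/`>` rewrite also garbles every tag the relaxed whitelist deliberately kept, so the two layers contradict each other. The three copies of the `Jsoup.clean(...).trim()` + `filterXSS` sequence (in `getParameterValues`, `getParameter` and `getParameterMap`) should collapse into one helper, and if stricter stripping is wanted the whitelist should be tightened (e.g. `Whitelist.basic()`) instead of regex rewriting, with output encoding in the view remaining the actual XSS control. `getParameterMap()` also breaks the servlet contract: `HttpServletRequest.getParameterMap()` returns `Map<String, String[]>`, but the new raw `Map` can hold a `String` or `""` (the `null`/`else` branches), which will throw `ClassCastException` in callers that cast to `String[]`, and since `super.getParameterMap()` already yields `String[]` values those branches are unreachable anyway. Both new public methods are missing `@Override`, and the `@参数 [name]`/`@返回值 java.lang.String[]` tags do not match `getParameter(String parameter)` returning `String` or `getParameterMap()` returning a `Map`. `getParameterValues`'s body begins outside the hunk.
```java
@Override
public Map<String, String[]> getParameterMap() {
    Map<String, String[]> cleaned = new HashMap<>();
    for (Map.Entry<String, String[]> entry : super.getParameterMap().entrySet()) {
        String[] values = entry.getValue();
        String[] escaped = new String[values.length];
        for (int i = 0; i < values.length; i++) {
            escaped[i] = clean(values[i]);
        }
        cleaned.put(entry.getKey(), escaped);
    }
    return cleaned;
}

// … unchanged: getParameter / getParameterValues, which should call clean(...) as well …

/** Single place for the sanitising policy; tighten the Whitelist here rather than post-processing with regexes. */
private static String clean(String value) {
    return Jsoup.clean(value, Whitelist.relaxed()).trim();
}
```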