xss过滤器中getParameter和getParameterMap不生效问题;

扩展增加脚本攻击的拦截配置;
This commit is contained in:
张晶晶 2019-03-22 18:40:19 +08:00
parent 0cec24d90b
commit 5a6c977584
1 changed files with 87 additions and 0 deletions


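--- a/XssHttpServletRequestWrapper.java
+++ b/XssHttpServletRequestWrapper.java
@@ -5,6 +5,10 @@ import javax.servlet.http.HttpServletRequestWrapper;
 import org.jsoup.Jsoup;
 import org.jsoup.safety.Whitelist;
+import java.util.HashMap;
+import java.util.Iterator;
+import java.util.Map;
 /**
 * XSS过滤处理
 *
@@ -32,9 +36,92 @@ public class XssHttpServletRequestWrapper extends HttpServletRequestWrapper
 {
 // 防xss攻击和过滤前后空格
 escapseValues[i] = Jsoup.clean(values[i], Whitelist.relaxed()).trim();
+//zjj-自定义规则及js脚本注入过滤
+escapseValues[i] = filterXSS(escapseValues[i]);
 }
 return escapseValues;
 }
 return super.getParameterValues(name);
 }
+/**
+*@描述 过滤getParameter中xss攻击
+*@参数 [name]
+*@返回值 java.lang.String[]
+*@创建人 zhangjingjing
+*@创建时间 2019/3/22
+*@修改人和其它信息
+*/
+public String getParameter(String parameter) {
+String value = super.getParameter(parameter);
+if (value == null) {
+return null;
+}
+String result = Jsoup.clean(value, Whitelist.relaxed()).trim();
+//zjj-自定义规则及js脚本注入过滤
+result = filterXSS(result);
+return result;
+}
+/**
+*@描述 过滤getParameterMap中xss攻击
+*@参数 [name]
+*@返回值 java.lang.String[]
+*@创建人 zhangjingjing
+*@创建时间 2019/3/22
+*@修改人和其它信息
+*/
+public Map<String, String[]> getParameterMap() {
+Map properties = super.getParameterMap();
+Map returnMap = new HashMap();
+Iterator entries = properties.entrySet().iterator();
+Map.Entry entry;
+String name;
+while (entries.hasNext()) {
+entry = (Map.Entry) entries.next();
+name = (String) entry.getKey();
+Object valueObj = entry.getValue();
+if(null == valueObj){
+returnMap.put(name, "");
+}else if(valueObj instanceof String[]){
+String[] values = (String[]) valueObj;
+int length = values.length;
+String[] escapseValues = new String[length];
+for (int i = 0; i < length; i++)
+{
+// 防xss攻击和过滤前后空格
+String pValue = values[i];
+//System.out.println("当前map-xss过滤前参数值:"+pValue);
+//zjj-jsoup过滤html标签
+escapseValues[i] = Jsoup.clean(pValue, Whitelist.relaxed()).trim();
+//zjj-自定义规则及js脚本注入过滤
+escapseValues[i] = filterXSS(escapseValues[i]);
+//System.out.println("当前map-xss过滤后参数值:"+escapseValues[i]);
+}
+returnMap.put(name, escapseValues);
+}else{
+String value = valueObj.toString();
+if (value == null) {
+return null;
+}
+String result = Jsoup.clean(value, Whitelist.relaxed()).trim();
+//zjj-自定义规则及js脚本注入过滤
+result = filterXSS(result);
+returnMap.put(name, result);
+}
+}
+return returnMap;
+}
+private String filterXSS(String value) {
+value = value.replaceAll("<", "& lt;").replaceAll(">", "& gt;");
+value = value.replaceAll("\\(", "& #40;").replaceAll("\\)", "& #41;");
+value = value.replaceAll("'", "& #39;");
+value = value.replaceAll("eval\\((.*)\\)", "");
+value = value.replaceAll("[\\\"\\\'][\\s]*javascript:(.*)[\\\"\\\']", "\"\"");
+value = value.replaceAll("script", "");
+return value;
+}
 }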
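Review bot: The new `filterXSS` blacklist in the second hunk corrupts legitimate parameter values while adding little on top of `Jsoup.clean`: `replaceAll("script", "")` strips the substring from any word (a value of `subscription` becomes `subion`), `eval\\((.*)\\)` greedily deletes everything from the first `eval(` to the last `)` on the line, and `& lt;` / `& #39;` with an embedded space are not HTML entities, so the text is mangled rather than encoded. Since `Jsoup.clean(..., Whitelist.relaxed())` already removes disallowed tags and attributes, I would drop the substring/regex rewrites and leave contextual output encoding to the view layer, or at minimum keep only entity replacements spelled without the space. In `getParameterMap`, the raw-typed `returnMap.put(name, "")` and `returnMap.put(name, result)` store a `String` in a map declared `Map<String, String[]>`, which surfaces as a `ClassCastException` in callers that read values as `String[]`; use `new String[0]` and `new String[] { result }` instead. The `if (value == null)` test after `valueObj.toString()` can never be true, and the Javadoc tags `@参数 [name]` / `@返回值 java.lang.String[]` on both `getParameter` and `getParameterMap` do not match those signatures.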