上传后台管理系统代码

novel-admin/src/main/java/com/java2nb/common/xss/XssAndSqlHttpServletRequestWrapper.java

@@ -0,0 +1,61 @@
+package com.java2nb.common.xss;
+
+
+import org.apache.commons.lang3.StringUtils;
+
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletRequestWrapper;
+import java.util.Arrays;
+import java.util.List;
+
+public class XssAndSqlHttpServletRequestWrapper extends HttpServletRequestWrapper {
+    private HttpServletRequest request;
+
+    /**
+     * 假如有有html 代码是自己传来的  需要设定对应的name 不过滤
+     */
+    private static final List<String> noFilterNames = Arrays.asList("attach","push_ip");
+
+    public XssAndSqlHttpServletRequestWrapper(HttpServletRequest request) {
+        super(request);
+        this.request = request;
+    }
+
+
+    @Override
+    public String getParameter(String name) {
+        String value = request.getParameter(name);
+        if (!StringUtils.isEmpty(value) && !noFilterNames.contains(name)) {
+            value = htmlEncodeByRegExp(value);
+        }
+        return value;
+    }
+
+    @Override
+    public String[] getParameterValues(String name) {
+        String[] parameterValues = super.getParameterValues(name);
+        if (parameterValues == null || noFilterNames.contains(name)) {
+            return parameterValues;
+        }
+        for (int i = 0; i < parameterValues.length; i++) {
+            String value = parameterValues[i];
+            if (!StringUtils.isEmpty(value)){
+                parameterValues[i] = htmlEncodeByRegExp(value);
+            }
+        }
+        return parameterValues;
+    }
+
+
+    private String htmlEncodeByRegExp(String str) {
+        String temp = "" ;
+        temp = str
+                //.replaceAll("&", "&amp;")
+                .replaceAll("<", "&lt;")
+                .replaceAll(">", "&gt;");
+                //.replaceAll("\\s", "&nbsp;")
+                //.replaceAll("\'", "&#39;")
+                //.replaceAll("\"", "&quot;");
+        return temp;
+    }
+}

novel-admin/src/main/java/com/java2nb/common/xss/XssFilter.java

@@ -0,0 +1,45 @@
+package com.java2nb.common.xss;
+
+import org.springframework.stereotype.Component;
+
+import javax.servlet.*;
+import javax.servlet.annotation.WebFilter;
+import javax.servlet.http.HttpServletRequest;
+import java.io.IOException;
+import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.List;
+
+@WebFilter(filterName = "xssFilter", urlPatterns = "/*", asyncSupported = true)
+@Component
+public class XssFilter implements Filter {
+
+    private static final List<String> NO_XSS_PATH = Arrays.asList("/common/generator/batchCode","/common/generator/batchDownload");
+
+    @Override
+    public void destroy() {
+        // TODO Auto-generated method stub
+
+    }
+
+    @Override
+    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
+            throws IOException, ServletException {
+        // TODO Auto-generated method stub
+        HttpServletRequest req = (HttpServletRequest) request;
+        String reqURI = req.getRequestURI();
+        if(NO_XSS_PATH.contains(reqURI)){
+            chain.doFilter(request,response);
+        }else {
+            XssAndSqlHttpServletRequestWrapper xssRequestWrapper = new XssAndSqlHttpServletRequestWrapper(req);
+            chain.doFilter(xssRequestWrapper, response);
+        }
+    }
+
+    @Override
+    public void init(FilterConfig arg0) {
+        // TODO Auto-generated method stub
+    }
+
+
+}

novel-admin/src/main/java/com/java2nb/common/xss/XssStringJsonSerializer.java

@@ -0,0 +1,28 @@
+package com.java2nb.common.xss;
+
+import com.fasterxml.jackson.core.JsonGenerator;
+import com.fasterxml.jackson.databind.JsonSerializer;
+import com.fasterxml.jackson.databind.SerializerProvider;
+import org.apache.commons.text.StringEscapeUtils;
+
+import java.io.IOException;
+
+public class XssStringJsonSerializer extends JsonSerializer<String> {
+
+    @Override
+    public Class<String> handledType() {
+        return String.class;
+    }
+
+    /**
+     * 假如有html代码是自己传来的,需要设定对应的name,不走StringEscapeUtils.escapeHtml4(value)过滤
+     */
+    @Override
+    public void serialize(String value, JsonGenerator jsonGenerator, SerializerProvider serializerProvider)
+            throws IOException {
+        if (value != null) {
+            String encodedValue = StringEscapeUtils.escapeHtml4(value);
+            jsonGenerator.writeString(encodedValue);
+        }
+    }
+}