201206030/novel-plus
1
0
Fork 0
mirror of https://github.com/201206030/novel-plus.git synced 2025-04-27 01:30:51 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

小说发布防xss攻击

Browse Source
This commit is contained in:
xxy 2020-05-16 13:05:44 +08:00
parent 83dc04c50b
commit e273906441
6 changed files with 59 additions and 50 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

31
novel-front/src/main/java/com/java2nb/novel/core/wrapper/XssHttpServletRequestWrapper.java
View File

@ -1,37 +1,42 @@
package com.java2nb.novel.core.wrapper; package com.java2nb.novel.core.wrapper;
import org.apache.commons.lang3.StringUtils;
import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper; import javax.servlet.http.HttpServletRequestWrapper;
import java.util.Arrays;
import java.util.List;
/** /**
* XSS过滤处理 * XSS过滤处理
*
* @author Administrator * @author Administrator
*/ */
public class XssHttpServletRequestWrapper extends HttpServletRequestWrapper public class XssHttpServletRequestWrapper extends HttpServletRequestWrapper {
{
/**
* 假如有有html 代码是自己传来的 需要设定对应的name 不过滤
*/
private static final List<String> noFilterNames = Arrays.asList("content");
/** /**
* @param request * @param request
*/ */
public XssHttpServletRequestWrapper(HttpServletRequest request) public XssHttpServletRequestWrapper(HttpServletRequest request) {
{
super(request); super(request);
} }
@Override @Override
public String[] getParameterValues(String name) public String[] getParameterValues(String name) {
{
String[] values = super.getParameterValues(name); String[] values = super.getParameterValues(name);
if (values != null) if (!noFilterNames.contains(name) && values != null) {
{
int length = values.length; int length = values.length;
String[] escapseValues = new String[length]; String[] escapseValues = new String[length];
for (int i = 0; i < length; i++) for (int i = 0; i < length; i++) {
{ escapseValues[i] = values[i].replaceAll("<", "&lt;").replaceAll(">", "&gt;");
// 防xss攻击和过滤前后空格
escapseValues[i] = values[i].replaceAll("<","&lt;").replaceAll(">","&gt;");
} }
return escapseValues; return escapseValues;
} }
return super.getParameterValues(name); return values;
} }
} }

2
novel-front/src/main/resources/application.yml
View File

@ -23,7 +23,7 @@ xss:
# 排除链接多个用逗号分隔 # 排除链接多个用逗号分隔
excludes: /system/notice/* excludes: /system/notice/*
# 匹配链接 多个用逗号分隔 # 匹配链接 多个用逗号分隔
urlPatterns: /book/addBookComment,/user/addFeedBack urlPatterns: /book/addBookComment,/user/addFeedBack,/author/addBook,/author/addBookContent,/author/register.html

8
novel-front/src/main/resources/templates/book/book_content.html
View File

@ -2,7 +2,7 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:th="http://www.w3.org/1999/xhtml"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:th="http://www.w3.org/1999/xhtml">
<head th:replace="common/header :: common_head(~{::title},~{::meta},~{::link})"> <head th:replace="common/header :: common_head(~{::title},~{::meta},~{::link})">
<title th:text="${book.bookName}+'_'+${bookIndex.indexName}+'_'+#{website.name}"></title> <title th:utext="${book.bookName}+'_'+${bookIndex.indexName}+'_'+#{website.name}"></title>
<meta name="keywords" th:content="${book.bookName}+'官方首发,'+${book.bookName}+'小说,'+${book.bookName}+'最新章节,'+${book.bookName}+'txt下载,'+${book.bookName}+'无弹窗,'+${book.bookName}+'吧,'+${book.bookName}+'离线完本'" /> <meta name="keywords" th:content="${book.bookName}+'官方首发,'+${book.bookName}+'小说,'+${book.bookName}+'最新章节,'+${book.bookName}+'txt下载,'+${book.bookName}+'无弹窗,'+${book.bookName}+'吧,'+${book.bookName}+'离线完本'" />
<meta name="description" th:content="${book.bookName}+','+${book.bookName}+'小说阅读,'+#{website.name}+'提供'+${book.bookName}+'首发最新章节及txt下载,'+${book.bookName}+'最新更新章节,精彩尽在'+#{website.name}+'。'" /> <meta name="description" th:content="${book.bookName}+','+${book.bookName}+'小说阅读,'+#{website.name}+'提供'+${book.bookName}+'首发最新章节及txt下载,'+${book.bookName}+'最新更新章节,精彩尽在'+#{website.name}+'。'" />
<link rel="stylesheet" href="/css/read.css" /> <link rel="stylesheet" href="/css/read.css" />
@ -74,7 +74,7 @@
<div class="readWrap"> <div class="readWrap">
<div class="bookNav"> <div class="bookNav">
<a href="/" >首页 </a>&gt; <a th:href="'/book/bookclass.html?c='+${book.catId}" th:text="${book.catName}"> <a href="/" >首页 </a>&gt; <a th:href="'/book/bookclass.html?c='+${book.catId}" th:text="${book.catName}">
</a>&gt; <a th:href="'/book/'+${book.id}+'.html'" th:text="${book.bookName}"> </a>&gt; <a th:href="'/book/'+${book.id}+'.html'" th:utext="${book.bookName}">
</a> </a>
</div> </div>
@ -82,11 +82,11 @@
<div class="textbox cf"> <div class="textbox cf">
<div class="book_title"> <div class="book_title">
<h1 th:text="${bookIndex.indexName}"> <h1 th:utext="${bookIndex.indexName}">
</h1> </h1>
<div class="textinfo"> <div class="textinfo">
类别<a th:href="'/book/bookclass.html?c='+${book.catId}" th:text="${book.catName}"></a> 类别<a th:href="'/book/bookclass.html?c='+${book.catId}" th:text="${book.catName}"></a>
作者<a th:href="'javascript:searchByK(\''+${book.authorName}+'\')'" th:text="${book.authorName}"></a><span th:text="'字数:'+${bookIndex.wordCount}"></span><span th:text="'更新时间:'+${#dates.format(bookIndex.updateTime, 'yy/MM/dd HH:mm:ss')}"></span> 作者<a th:href="'javascript:searchByK(\''+${book.authorName}+'\')'" th:utext="${book.authorName}"></a><span th:text="'字数:'+${bookIndex.wordCount}"></span><span th:text="'更新时间:'+${#dates.format(bookIndex.updateTime, 'yy/MM/dd HH:mm:ss')}"></span>
</div> </div>
</div> </div>
<div class="txtwrap" th:if="${needBuy}"> <div class="txtwrap" th:if="${needBuy}">

10
novel-front/src/main/resources/templates/book/book_detail.html
View File

@ -2,7 +2,7 @@
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"> <html xmlns="http://www.w3.org/1999/xhtml">
<head th:replace="common/header :: common_head(~{::title},~{::meta},~{::link})"> <head th:replace="common/header :: common_head(~{::title},~{::meta},~{::link})">
<title th:text="${book.bookName}+'_'+${book.authorName}+'_'+${book.bookName}+'txt下载'+'_'+${book.bookName}+'无弹窗_'+#{website.name}"></title> <title th:utext="${book.bookName}+'_'+${book.authorName}+'_'+${book.bookName}+'txt下载'+'_'+${book.bookName}+'无弹窗_'+#{website.name}"></title>
<meta name="keywords" <meta name="keywords"
th:content="${book.bookName}+'官方首发,'+${book.bookName}+'小说,'+${book.bookName}+'最新章节'+${book.bookName}+'txt下载,'+${book.bookName}+'无弹窗,'+${book.bookName}+'吧,'+${book.bookName}+'离线完本'"/> th:content="${book.bookName}+'官方首发,'+${book.bookName}+'小说,'+${book.bookName}+'最新章节'+${book.bookName}+'txt下载,'+${book.bookName}+'无弹窗,'+${book.bookName}+'吧,'+${book.bookName}+'离线完本'"/>
<meta name="description" <meta name="description"
@ -31,8 +31,8 @@
th:attr="alt=${book.bookName}"/></a> th:attr="alt=${book.bookName}"/></a>
<div class="book_info"> <div class="book_info">
<div class="tit"> <div class="tit">
<h1 th:text="${book.bookName}"></h1><!--<i class="vip_b">VIP</i>--><a class="author" <h1 th:utext="${book.bookName}"></h1><!--<i class="vip_b">VIP</i>--><a class="author"
th:text="${book.authorName}+' 著'"></a> th:utext="${book.authorName}+' 著'"></a>
</div> </div>
<ul class="list"> <ul class="list">
<li><span class="item">类别:<em th:text="${book.catName}"></em></span> <li><span class="item">类别:<em th:text="${book.catName}"></em></span>
@ -70,7 +70,7 @@
</div> </div>
<ul class="list cf"> <ul class="list cf">
<li> <li>
<span class="fl font16"> <a th:href="'/book/'+${book.id}+'/'+${book.lastIndexId}+'.html'" th:text="${book.lastIndexName}"><!--<i class="vip">VIP</i>--></a></span> <span class="fl font16"> <a th:href="'/book/'+${book.id}+'/'+${book.lastIndexId}+'.html'" th:utext="${book.lastIndexName}"><!--<i class="vip">VIP</i>--></a></span>
<span class="black9 fr" <span class="black9 fr"
th:text="'更新时间:'+${#dates.format(book.lastIndexUpdateTime, 'yy/MM/dd HH:mm:ss')}"></span> th:text="'更新时间:'+${#dates.format(book.lastIndexUpdateTime, 'yy/MM/dd HH:mm:ss')}"></span>
</li> </li>
@ -143,7 +143,7 @@
<div class="msg"> <div class="msg">
<span class="icon_qyzz">签约作家</span> <span class="icon_qyzz">签约作家</span>
<h4><a th:href="'javascript:searchByK(\''+${book.authorName}+'\')'" <h4><a th:href="'javascript:searchByK(\''+${book.authorName}+'\')'"
th:text="${book.authorName}"></a></h4> th:utext="${book.authorName}"></a></h4>
</div> </div>
</div> </div>
<div class="author_intro cf"> <div class="author_intro cf">

8
novel-front/src/main/resources/templates/book/book_index.html
View File

@ -2,7 +2,7 @@
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"> <html xmlns="http://www.w3.org/1999/xhtml">
<head th:replace="common/header :: common_head(~{::title},~{::meta},~{::link})"> <head th:replace="common/header :: common_head(~{::title},~{::meta},~{::link})">
<title th:text="${book.bookName}+'目录,'+${book.bookName}+'最新章节列表_'+#{website.name}"></title> <title th:utext="${book.bookName}+'目录,'+${book.bookName}+'最新章节列表_'+#{website.name}"></title>
<meta name="keywords" th:content="${book.bookName}+','+${book.bookName}+'目录,'+${book.bookName}+'最新章节列表'"/> <meta name="keywords" th:content="${book.bookName}+','+${book.bookName}+'目录,'+${book.bookName}+'最新章节列表'"/>
<meta name="description" <meta name="description"
th:content="#{website.name}+'小说为您提供'+${book.bookName}+'目录,'+${book.bookName}+'最新章节列表,'+${book.bookName}+'全文阅读,'+${book.bookName}+'免费阅读,'+${book.bookName}+'下载'"/> th:content="#{website.name}+'小说为您提供'+${book.bookName}+'目录,'+${book.bookName}+'最新章节列表,'+${book.bookName}+'全文阅读,'+${book.bookName}+'免费阅读,'+${book.bookName}+'下载'"/>
@ -26,11 +26,11 @@
<div class="bookCover cf"> <div class="bookCover cf">
<div class="book_info1"> <div class="book_info1">
<div class="tit"> <div class="tit">
<h1 th:text="${book.bookName}"></h1><!--<i class="vip_b">VIP</i>--> <h1 th:utext="${book.bookName}"></h1><!--<i class="vip_b">VIP</i>-->
</div> </div>
<ul class="list"> <ul class="list">
<li> <li>
<span>作者<a href="javascript:void(0)" th:text="${book.authorName}"></a></span> <span>作者<a href="javascript:void(0)" th:utext="${book.authorName}"></a></span>
<span>类别<a th:href="'/book/bookclass.html?c='+${book.catId}" th:text="${book.catName}"></a></span> <span>类别<a th:href="'/book/bookclass.html?c='+${book.catId}" th:text="${book.catName}"></a></span>
<span th:switch="${book.bookStatus}">状态<em class="black3" th:case="'0'">连载中</em><em class="black3" <span th:switch="${book.bookStatus}">状态<em class="black3" th:case="'0'">连载中</em><em class="black3"
th:case="*">已完结</em></span> th:case="*">已完结</em></span>
@ -45,7 +45,7 @@
<div class="dirList"> <div class="dirList">
<ul th:each="bookIndex : ${bookIndexList}"> <ul th:each="bookIndex : ${bookIndexList}">
<li><a th:if="${bookIndex.isVip} != '1'" th:href="'/book/'+${book.id}+'/'+${bookIndex.id}+'.html'" > <li><a th:if="${bookIndex.isVip} != '1'" th:href="'/book/'+${book.id}+'/'+${bookIndex.id}+'.html'" >
<span th:text="${bookIndex.indexName}"></span><i class="red" > [免费]</i> <span th:utext="${bookIndex.indexName}"></span><i class="red" > [免费]</i>
</a> </a>
<a th:if="${bookIndex.isVip} == '1'" th:href="'/book/'+${book.id}+'/'+${bookIndex.id}+'.html'" th:text="${bookIndex.indexName}"> <a th:if="${bookIndex.isVip} == '1'" th:href="'/book/'+${book.id}+'/'+${bookIndex.id}+'.html'" th:text="${bookIndex.indexName}">
</a></li> </a></li>

50
novel-front/src/main/resources/templates/user/set_name.html
View File

@ -1,4 +1,5 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"> <html xmlns="http://www.w3.org/1999/xhtml">
<head th:replace="common/header :: common_head(~{::title},~{},~{::link})"> <head th:replace="common/header :: common_head(~{::title},~{},~{::link})">
<title th:text="'修改昵称_'+#{website.name}"></title> <title th:text="'修改昵称_'+#{website.name}"></title>
@ -24,21 +25,26 @@
<div class="my_r"> <div class="my_r">
<div class="my_info cf"> <div class="my_info cf">
<div class="my_info_txt"> <div class="my_info_txt">
<div class="aspNetHidden"> <div class="aspNetHidden">
<input type="hidden" name="__VIEWSTATE" id="__VIEWSTATE" value="/wEPDwUKMTI5MzkzMzQyMw9kFgJmD2QWAmYPFgIeBFRleHQFqAE8YSBocmVmPSIvc2VhcmNoLmFzcHg/c2VhcmNoS2V5PeWWu+Wuiembr++8jOeLhOazve+8jOeBteW8gu+8jOWJjeS4luS7iueUn++8jOWGpeeOi+msvOWkqyIgdGFyZ2V0PSJfYmxhbmsiPuWWu+Wuiembr++8jOeLhOazve+8jOeBteW8gu+8jOWJjeS4luS7iueUn++8jOWGpeeOi+msvOWkqzwvYT5kZLj1Uo6akAHRsP9HH/tJWCPmjwlzm9tv02sZRfbbCnBA" /> <input type="hidden" name="__VIEWSTATE" id="__VIEWSTATE"
</div> value="/wEPDwUKMTI5MzkzMzQyMw9kFgJmD2QWAmYPFgIeBFRleHQFqAE8YSBocmVmPSIvc2VhcmNoLmFzcHg/c2VhcmNoS2V5PeWWu+Wuiembr++8jOeLhOazve+8jOeBteW8gu+8jOWJjeS4luS7iueUn++8jOWGpeeOi+msvOWkqyIgdGFyZ2V0PSJfYmxhbmsiPuWWu+Wuiembr++8jOeLhOazve+8jOeBteW8gu+8jOWJjeS4luS7iueUn++8jOWGpeeOi+msvOWkqzwvYT5kZLj1Uo6akAHRsP9HH/tJWCPmjwlzm9tv02sZRfbbCnBA"/>
</div>
<div class="aspNetHidden"> <div class="aspNetHidden">
<input type="hidden" name="__VIEWSTATEGENERATOR" id="__VIEWSTATEGENERATOR" value="6C876674" /> <input type="hidden" name="__VIEWSTATEGENERATOR" id="__VIEWSTATEGENERATOR" value="6C876674"/>
<input type="hidden" name="__EVENTVALIDATION" id="__EVENTVALIDATION" value="/wEdAAO8SPdUDpH0Q7nHjeqbvI7ld2C+OxfjpZOniBJbql7XdnRgTJ25FWigbeFr84Vgoxdi/cg2vS37N0KER6F1nyr1wKHztnXmDR5zls+9dCeAZg==" /> <input type="hidden" name="__EVENTVALIDATION" id="__EVENTVALIDATION"
</div> value="/wEdAAO8SPdUDpH0Q7nHjeqbvI7ld2C+OxfjpZOniBJbql7XdnRgTJ25FWigbeFr84Vgoxdi/cg2vS37N0KER6F1nyr1wKHztnXmDR5zls+9dCeAZg=="/>
<ul class="mytab_list"> </div>
<li><i class="tit">我的昵称</i><input name="txtNiceName" type="text" value="15171695474" maxlength="20" id="txtNiceName" class="s_input" placeholder="" /></li> <ul class="mytab_list">
<li><i class="tit">&nbsp;</i>用户名只能包括汉字、英文字母、数字和下划线</li> <li><i class="tit">我的昵称</i><input name="txtNiceName" type="text" value="15171695474"
<li><i class="tit">&nbsp;</i><input type="button" onclick="updateName()" name="btn" value="修改" id="btn" class="s_btn btn_red" /></li> maxlength="20" id="txtNiceName" class="s_input"
<li><i class="tit">&nbsp;</i><span id="LabErr"></span></li> placeholder=""/></li>
</ul> <li><i class="tit">&nbsp;</i>用户名只能包括汉字、英文字母、数字和下划线</li>
<li><i class="tit">&nbsp;</i><input type="button" onclick="updateName()" name="btn" value="修改"
id="btn" class="s_btn btn_red"/></li>
<li><i class="tit">&nbsp;</i><span id="LabErr"></span></li>
</ul>
</div> </div>
</div> </div>
</div> </div>
@ -57,14 +63,13 @@
dataType: "json", dataType: "json",
success: function (data) { success: function (data) {
if (data.code == 200) { if (data.code == 200) {
if(data.data.nickName){ if (data.data.nickName) {
$("#txtNiceName").val(data.data.nickName); $("#txtNiceName").val(data.data.nickName);
}else{ } else {
$("#txtNiceName").val(data.data.username); $("#txtNiceName").val(data.data.username);
} }
} else if (data.code == 1001) { } else if (data.code == 1001) {
//未登录 //未登录
location.href = '/user/login.html?originUrl=' + decodeURIComponent(location.href); location.href = '/user/login.html?originUrl=' + decodeURIComponent(location.href);
@ -78,27 +83,26 @@
layer.alert('网络异常'); layer.alert('网络异常');
} }
}) })
function updateName() { function updateName() {
var nickname = $("#txtNiceName").val(); var nickname = $("#txtNiceName").val();
if(nickname.isBlank()){ if (nickname.isBlank()) {
$("#LabErr").html("昵称不能为空!"); $("#LabErr").html("昵称不能为空!");
return; return;
} }
if(!nickname.isNickName()){ if (!nickname.isNickName()) {
$("#LabErr").html("昵称格式不正确!"); $("#LabErr").html("昵称格式不正确!");
return; return;
} }
$.ajax({ $.ajax({
type: "POST", type: "POST",
url: "/user/updateUserInfo", url: "/user/updateUserInfo",
data: {'nickName':nickname}, data: {'nickName': nickname},
dataType: "json", dataType: "json",
success: function (data) { success: function (data) {
if (data.code == 200) { if (data.code == 200) {
if(data.data.token){ $.cookie('Authorization', data.data.token, {path: '/'});
$.cookie('Authorization', data.data.token,{ path: '/' });
}
window.location.href = '/user/setup.html'; window.location.href = '/user/setup.html';
} else if (data.code == 1001) { } else if (data.code == 1001) {