201206030/novel-plus
1
0
Fork 0
mirror of https://github.com/201206030/novel-plus.git synced 2025-04-27 01:30:51 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

小说发布防xss攻击

Browse Source
This commit is contained in:
xxy 2020-05-16 13:05:44 +08:00
parent 83dc04c50b
commit e273906441
6 changed files with 59 additions and 50 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

31
novel-front/src/main/java/com/java2nb/novel/core/wrapper/XssHttpServletRequestWrapper.java
View File

@ -1,37 +1,42 @@
package com.java2nb.novel.core.wrapper;
import org.apache.commons.lang3.StringUtils;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import java.util.Arrays;
import java.util.List;
/**
* XSS过滤处理
*
* @author Administrator
*/
public class XssHttpServletRequestWrapper extends HttpServletRequestWrapper
{
public class XssHttpServletRequestWrapper extends HttpServletRequestWrapper {
/**
* 假如有有html 代码是自己传来的 需要设定对应的name 不过滤
*/
private static final List<String> noFilterNames = Arrays.asList("content");
/**
* @param request
*/
public XssHttpServletRequestWrapper(HttpServletRequest request)
{
public XssHttpServletRequestWrapper(HttpServletRequest request) {
super(request);
}
@Override
public String[] getParameterValues(String name)
{
public String[] getParameterValues(String name) {
String[] values = super.getParameterValues(name);
if (values != null)
{
if (!noFilterNames.contains(name) && values != null) {
int length = values.length;
String[] escapseValues = new String[length];
for (int i = 0; i < length; i++)
{
// 防xss攻击和过滤前后空格
escapseValues[i] = values[i].replaceAll("<","&lt;").replaceAll(">","&gt;");
for (int i = 0; i < length; i++) {
escapseValues[i] = values[i].replaceAll("<", "&lt;").replaceAll(">", "&gt;");
}
return escapseValues;
}
return super.getParameterValues(name);
return values;
}
}

2
novel-front/src/main/resources/application.yml
View File

@ -23,7 +23,7 @@ xss:
# 排除链接多个用逗号分隔
excludes: /system/notice/*
# 匹配链接 多个用逗号分隔
urlPatterns: /book/addBookComment,/user/addFeedBack
urlPatterns: /book/addBookComment,/user/addFeedBack,/author/addBook,/author/addBookContent,/author/register.html

8
novel-front/src/main/resources/templates/book/book_content.html
View File

@ -2,7 +2,7 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:th="http://www.w3.org/1999/xhtml">
<head th:replace="common/header :: common_head(~{::title},~{::meta},~{::link})">
<title th:text="${book.bookName}+'_'+${bookIndex.indexName}+'_'+#{website.name}"></title>
<title th:utext="${book.bookName}+'_'+${bookIndex.indexName}+'_'+#{website.name}"></title>
<meta name="keywords" th:content="${book.bookName}+'官方首发,'+${book.bookName}+'小说,'+${book.bookName}+'最新章节,'+${book.bookName}+'txt下载,'+${book.bookName}+'无弹窗,'+${book.bookName}+'吧,'+${book.bookName}+'离线完本'" />
<meta name="description" th:content="${book.bookName}+','+${book.bookName}+'小说阅读,'+#{website.name}+'提供'+${book.bookName}+'首发最新章节及txt下载,'+${book.bookName}+'最新更新章节,精彩尽在'+#{website.name}+'。'" />
<link rel="stylesheet" href="/css/read.css" />
@ -74,7 +74,7 @@
<div class="readWrap">
<div class="bookNav">
<a href="/" >首页 </a>&gt; <a th:href="'/book/bookclass.html?c='+${book.catId}" th:text="${book.catName}">
</a>&gt; <a th:href="'/book/'+${book.id}+'.html'" th:text="${book.bookName}">
</a>&gt; <a th:href="'/book/'+${book.id}+'.html'" th:utext="${book.bookName}">
</a>
</div>
@ -82,11 +82,11 @@
<div class="textbox cf">
<div class="book_title">
<h1 th:text="${bookIndex.indexName}">
<h1 th:utext="${bookIndex.indexName}">
</h1>
<div class="textinfo">
类别<a th:href="'/book/bookclass.html?c='+${book.catId}" th:text="${book.catName}"></a>
作者<a th:href="'javascript:searchByK(\''+${book.authorName}+'\')'" th:text="${book.authorName}"></a><span th:text="'字数:'+${bookIndex.wordCount}"></span><span th:text="'更新时间:'+${#dates.format(bookIndex.updateTime, 'yy/MM/dd HH:mm:ss')}"></span>
作者<a th:href="'javascript:searchByK(\''+${book.authorName}+'\')'" th:utext="${book.authorName}"></a><span th:text="'字数:'+${bookIndex.wordCount}"></span><span th:text="'更新时间:'+${#dates.format(bookIndex.updateTime, 'yy/MM/dd HH:mm:ss')}"></span>
</div>
</div>
<div class="txtwrap" th:if="${needBuy}">

10
novel-front/src/main/resources/templates/book/book_detail.html
View File

@ -2,7 +2,7 @@
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head th:replace="common/header :: common_head(~{::title},~{::meta},~{::link})">
<title th:text="${book.bookName}+'_'+${book.authorName}+'_'+${book.bookName}+'txt下载'+'_'+${book.bookName}+'无弹窗_'+#{website.name}"></title>
<title th:utext="${book.bookName}+'_'+${book.authorName}+'_'+${book.bookName}+'txt下载'+'_'+${book.bookName}+'无弹窗_'+#{website.name}"></title>
<meta name="keywords"
th:content="${book.bookName}+'官方首发,'+${book.bookName}+'小说,'+${book.bookName}+'最新章节'+${book.bookName}+'txt下载,'+${book.bookName}+'无弹窗,'+${book.bookName}+'吧,'+${book.bookName}+'离线完本'"/>
<meta name="description"
@ -31,8 +31,8 @@
th:attr="alt=${book.bookName}"/></a>
<div class="book_info">
<div class="tit">
<h1 th:text="${book.bookName}"></h1><!--<i class="vip_b">VIP</i>--><a class="author"
th:text="${book.authorName}+' 著'"></a>
<h1 th:utext="${book.bookName}"></h1><!--<i class="vip_b">VIP</i>--><a class="author"
th:utext="${book.authorName}+' 著'"></a>
</div>
<ul class="list">
<li><span class="item">类别:<em th:text="${book.catName}"></em></span>
@ -70,7 +70,7 @@
</div>
<ul class="list cf">
<li>
<span class="fl font16"> <a th:href="'/book/'+${book.id}+'/'+${book.lastIndexId}+'.html'" th:text="${book.lastIndexName}"><!--<i class="vip">VIP</i>--></a></span>
<span class="fl font16"> <a th:href="'/book/'+${book.id}+'/'+${book.lastIndexId}+'.html'" th:utext="${book.lastIndexName}"><!--<i class="vip">VIP</i>--></a></span>
<span class="black9 fr"
th:text="'更新时间:'+${#dates.format(book.lastIndexUpdateTime, 'yy/MM/dd HH:mm:ss')}"></span>
</li>
@ -143,7 +143,7 @@
<div class="msg">
<span class="icon_qyzz">签约作家</span>
<h4><a th:href="'javascript:searchByK(\''+${book.authorName}+'\')'"
th:text="${book.authorName}"></a></h4>
th:utext="${book.authorName}"></a></h4>
</div>
</div>
<div class="author_intro cf">

8
novel-front/src/main/resources/templates/book/book_index.html
View File

@ -2,7 +2,7 @@
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head th:replace="common/header :: common_head(~{::title},~{::meta},~{::link})">
<title th:text="${book.bookName}+'目录,'+${book.bookName}+'最新章节列表_'+#{website.name}"></title>
<title th:utext="${book.bookName}+'目录,'+${book.bookName}+'最新章节列表_'+#{website.name}"></title>
<meta name="keywords" th:content="${book.bookName}+','+${book.bookName}+'目录,'+${book.bookName}+'最新章节列表'"/>
<meta name="description"
th:content="#{website.name}+'小说为您提供'+${book.bookName}+'目录,'+${book.bookName}+'最新章节列表,'+${book.bookName}+'全文阅读,'+${book.bookName}+'免费阅读,'+${book.bookName}+'下载'"/>
@ -26,11 +26,11 @@
<div class="bookCover cf">
<div class="book_info1">
<div class="tit">
<h1 th:text="${book.bookName}"></h1><!--<i class="vip_b">VIP</i>-->
<h1 th:utext="${book.bookName}"></h1><!--<i class="vip_b">VIP</i>-->
</div>
<ul class="list">
<li>
<span>作者<a href="javascript:void(0)" th:text="${book.authorName}"></a></span>
<span>作者<a href="javascript:void(0)" th:utext="${book.authorName}"></a></span>
<span>类别<a th:href="'/book/bookclass.html?c='+${book.catId}" th:text="${book.catName}"></a></span>
<span th:switch="${book.bookStatus}">状态<em class="black3" th:case="'0'">连载中</em><em class="black3"
th:case="*">已完结</em></span>
@ -45,7 +45,7 @@
<div class="dirList">
<ul th:each="bookIndex : ${bookIndexList}">
<li><a th:if="${bookIndex.isVip} != '1'" th:href="'/book/'+${book.id}+'/'+${bookIndex.id}+'.html'" >
<span th:text="${bookIndex.indexName}"></span><i class="red" > [免费]</i>
<span th:utext="${bookIndex.indexName}"></span><i class="red" > [免费]</i>
</a>
<a th:if="${bookIndex.isVip} == '1'" th:href="'/book/'+${book.id}+'/'+${bookIndex.id}+'.html'" th:text="${bookIndex.indexName}">
</a></li>

50
novel-front/src/main/resources/templates/user/set_name.html
View File

@ -1,4 +1,5 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head th:replace="common/header :: common_head(~{::title},~{},~{::link})">
<title th:text="'修改昵称_'+#{website.name}"></title>
@ -24,21 +25,26 @@
<div class="my_r">
<div class="my_info cf">
<div class="my_info_txt">
<div class="aspNetHidden">
<input type="hidden" name="__VIEWSTATE" id="__VIEWSTATE" value="/wEPDwUKMTI5MzkzMzQyMw9kFgJmD2QWAmYPFgIeBFRleHQFqAE8YSBocmVmPSIvc2VhcmNoLmFzcHg/c2VhcmNoS2V5PeWWu+Wuiembr++8jOeLhOazve+8jOeBteW8gu+8jOWJjeS4luS7iueUn++8jOWGpeeOi+msvOWkqyIgdGFyZ2V0PSJfYmxhbmsiPuWWu+Wuiembr++8jOeLhOazve+8jOeBteW8gu+8jOWJjeS4luS7iueUn++8jOWGpeeOi+msvOWkqzwvYT5kZLj1Uo6akAHRsP9HH/tJWCPmjwlzm9tv02sZRfbbCnBA" />
</div>
<div class="aspNetHidden">
<input type="hidden" name="__VIEWSTATE" id="__VIEWSTATE"
value="/wEPDwUKMTI5MzkzMzQyMw9kFgJmD2QWAmYPFgIeBFRleHQFqAE8YSBocmVmPSIvc2VhcmNoLmFzcHg/c2VhcmNoS2V5PeWWu+Wuiembr++8jOeLhOazve+8jOeBteW8gu+8jOWJjeS4luS7iueUn++8jOWGpeeOi+msvOWkqyIgdGFyZ2V0PSJfYmxhbmsiPuWWu+Wuiembr++8jOeLhOazve+8jOeBteW8gu+8jOWJjeS4luS7iueUn++8jOWGpeeOi+msvOWkqzwvYT5kZLj1Uo6akAHRsP9HH/tJWCPmjwlzm9tv02sZRfbbCnBA"/>
</div>
<div class="aspNetHidden">
<div class="aspNetHidden">
<input type="hidden" name="__VIEWSTATEGENERATOR" id="__VIEWSTATEGENERATOR" value="6C876674" />
<input type="hidden" name="__EVENTVALIDATION" id="__EVENTVALIDATION" value="/wEdAAO8SPdUDpH0Q7nHjeqbvI7ld2C+OxfjpZOniBJbql7XdnRgTJ25FWigbeFr84Vgoxdi/cg2vS37N0KER6F1nyr1wKHztnXmDR5zls+9dCeAZg==" />
</div>
<ul class="mytab_list">
<li><i class="tit">我的昵称</i><input name="txtNiceName" type="text" value="15171695474" maxlength="20" id="txtNiceName" class="s_input" placeholder="" /></li>
<li><i class="tit">&nbsp;</i>用户名只能包括汉字、英文字母、数字和下划线</li>
<li><i class="tit">&nbsp;</i><input type="button" onclick="updateName()" name="btn" value="修改" id="btn" class="s_btn btn_red" /></li>
<li><i class="tit">&nbsp;</i><span id="LabErr"></span></li>
</ul>
<input type="hidden" name="__VIEWSTATEGENERATOR" id="__VIEWSTATEGENERATOR" value="6C876674"/>
<input type="hidden" name="__EVENTVALIDATION" id="__EVENTVALIDATION"
value="/wEdAAO8SPdUDpH0Q7nHjeqbvI7ld2C+OxfjpZOniBJbql7XdnRgTJ25FWigbeFr84Vgoxdi/cg2vS37N0KER6F1nyr1wKHztnXmDR5zls+9dCeAZg=="/>
</div>
<ul class="mytab_list">
<li><i class="tit">我的昵称</i><input name="txtNiceName" type="text" value="15171695474"
maxlength="20" id="txtNiceName" class="s_input"
placeholder=""/></li>
<li><i class="tit">&nbsp;</i>用户名只能包括汉字、英文字母、数字和下划线</li>
<li><i class="tit">&nbsp;</i><input type="button" onclick="updateName()" name="btn" value="修改"
id="btn" class="s_btn btn_red"/></li>
<li><i class="tit">&nbsp;</i><span id="LabErr"></span></li>
</ul>
</div>
</div>
</div>
@ -57,14 +63,13 @@
dataType: "json",
success: function (data) {
if (data.code == 200) {
if(data.data.nickName){
if (data.data.nickName) {
$("#txtNiceName").val(data.data.nickName);
}else{
} else {
$("#txtNiceName").val(data.data.username);
}
} else if (data.code == 1001) {
//未登录
location.href = '/user/login.html?originUrl=' + decodeURIComponent(location.href);
@ -78,27 +83,26 @@
layer.alert('网络异常');
}
})
function updateName() {
var nickname = $("#txtNiceName").val();
if(nickname.isBlank()){
if (nickname.isBlank()) {
$("#LabErr").html("昵称不能为空!");
return;
}
if(!nickname.isNickName()){
if (!nickname.isNickName()) {
$("#LabErr").html("昵称格式不正确!");
return;
}
$.ajax({
type: "POST",
url: "/user/updateUserInfo",
data: {'nickName':nickname},
data: {'nickName': nickname},
dataType: "json",
success: function (data) {
if (data.code == 200) {
if(data.data.token){
$.cookie('Authorization', data.data.token,{ path: '/' });
}
$.cookie('Authorization', data.data.token, {path: '/'});
window.location.href = '/user/setup.html';
} else if (data.code == 1001) {