fix: XSS 替换

xiongxiaoyang 2022-05-19 10:15:18 +08:00
parent 3a0a8d6b52
commit 85f6ad957b
3 changed files with 10 additions and 6 deletions


@ -22,7 +22,7 @@ public interface AuthStrategy {
* 如果后面需要扩展到对每一个URI都进行权限控制那么此方法可以加一个参数来接收用户请求的URI
*
* @param token 登录 token
* @throws BusinessException 认证失败则抛出务异常
* @throws BusinessException 认证失败则抛出务异常
*/
void auth(String token) throws BusinessException;


@ -40,4 +40,5 @@ public class CorsConfig {
configurationSource.registerCorsConfiguration("/**",config);
return new CorsFilter(configurationSource);
}
}


@ -14,12 +14,15 @@ import java.util.Map;
*/
public class XssHttpServletRequestWrapper extends HttpServletRequestWrapper {
private final Map<String,String> replaceRule = new HashMap<>();
private static final Map<String,String> REPLACE_RULE = new HashMap<>();
static {
REPLACE_RULE.put("<", "&lt;");
REPLACE_RULE.put(">", "&gt;");
}
public XssHttpServletRequestWrapper(HttpServletRequest request) {
super(request);
replaceRule.put("<", "&lt;");
replaceRule.put(">", "&gt;");
}
@Override
@ -29,9 +32,9 @@ public class XssHttpServletRequestWrapper extends HttpServletRequestWrapper {
int length = values.length;
String[] escapeValues = new String[length];
for (int i = 0; i < length; i++) {
String raw = values[i];
escapeValues[i] = values[i];
int index = i;
replaceRule.forEach((k, v)-> escapeValues[index] = raw.replaceAll(k, v));
REPLACE_RULE.forEach((k, v)-> escapeValues[index] = escapeValues[index].replaceAll(k, v));
}
return escapeValues;
}
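Review bot: `REPLACE_RULE` escapes only `<` and `>`, so a parameter value later rendered inside a quoted HTML attribute still passes `"`, `'` and `&` through unchanged. Treat this wrapper as defence in depth, and apply context-aware output encoding where the value is rendered. The table is a mutable static `HashMap` with unspecified iteration order. That is harmless for these two rules, but adding `&` → `&amp;` would make order matter, since running it last double-escapes `&lt;`; a `LinkedHashMap` wrapped in `Collections.unmodifiableMap` avoids this. In the loop, `replaceAll` treats the key as a regex and the value as a replacement template, so the literal form `escapeValues[index] = escapeValues[index].replace(k, v);` states the intent and stays correct if a rule ever contains `$`, `\` or a regex metacharacter. The overridden method (presumably `getParameterValues`) starts outside the second hunk, so it cannot be confirmed here whether `getParameter`, `getParameterMap`, headers or request bodies get the same escaping.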