2.1.1 跨站脚本：反射型XSS

license/src/main/java/iot/sixiang/license/controller/EncryptController.java

@@ -9,12 +9,8 @@ import iot.sixiang.license.model.vo.EncryptVo;
 import lombok.extern.slf4j.Slf4j;
 import org.springframework.beans.factory.annotation.Value;
 import org.springframework.util.StringUtils;
-import org.springframework.web.bind.annotation.PostMapping;
-import org.springframework.web.bind.annotation.RequestBody;
-import org.springframework.web.bind.annotation.RequestMapping;
-import org.springframework.web.bind.annotation.RestController;
-
-import java.lang.reflect.InvocationTargetException;
+import org.springframework.web.bind.WebDataBinder;
+import org.springframework.web.bind.annotation.*;
 
 /**
  * Title: EncryptController

license/src/main/java/iot/sixiang/license/controller/MaskingController.java

@@ -7,11 +7,10 @@ import iot.sixiang.license.model.ResResult;
 import iot.sixiang.license.model.vo.MaskingVo;
 import iot.sixiang.license.util.CommonUtil;
 import lombok.extern.slf4j.Slf4j;
+import org.owasp.esapi.ESAPI;
 import org.springframework.util.StringUtils;
-import org.springframework.web.bind.annotation.PostMapping;
-import org.springframework.web.bind.annotation.RequestBody;
-import org.springframework.web.bind.annotation.RequestMapping;
-import org.springframework.web.bind.annotation.RestController;
+import org.springframework.web.bind.WebDataBinder;
+import org.springframework.web.bind.annotation.*;
 
 /**
  * Title: MaskingController
@@ -44,8 +43,8 @@ public class MaskingController {
         }
 
         MaskingVo vo = new MaskingVo();
-        vo.setUserName(ESAPI.encoder().encodeForHTML(CommonUtil.nameDesensitization(maskingVo.getUserName())));
-        vo.setIdCard(CommonUtil.idCardEncrypt(maskingVo.getIdCard()));
+        vo.setUserName(ESAPI.encoder().encodeForDN(CommonUtil.nameDesensitization(maskingVo.getUserName())));
+        vo.setIdCard(ESAPI.encoder().encodeForDN(CommonUtil.idCardEncrypt(maskingVo.getIdCard())));
         return ResResult.success().goRecord(vo);
     }
 

license/src/main/java/iot/sixiang/license/controller/OperateController.java

@@ -104,6 +104,9 @@ public class OperateController {
         String user = UserUtils.getLoginUserId();
         int userI = Integer.valueOf(user);
         List<AlarmVo> alarmList = alarmService.getAlarmList(userI);
+        for (AlarmVo alarmVo : alarmList) {
+            alarmVo.setLevelDescribe(ESAPI.encoder().encodeForHTML(alarmVo.getLevelDescribe()));
+        }
         return ResResult.success().goRecord(alarmList);
     }
 

license/src/main/java/iot/sixiang/license/service/impl/AlarmServiceImpl.java

@@ -34,7 +34,7 @@ public class AlarmServiceImpl extends ServiceImpl<AlarmMapper, Alarm> implements
         alarmVos = alarmVos.stream().sorted(Comparator.comparing(AlarmVo::getCreateTime, Comparator.reverseOrder())).collect(Collectors.toList());
         if (alarmVos != null && !alarmVos.isEmpty()) {
             for (AlarmVo alarmVo : alarmVos) {
-                alarmVo.setContent(ESAPI.encoder().encodeForHTML(alarmVo.getContent()));
+                alarmVo.setContent(ESAPI.encoder().encodeForDN(alarmVo.getContent()));
             }
         }
         return alarmVos;