2.1.1 跨站脚本：反射型XSS

0ec124a2 · zengtianlai3 · c9c45b60 · 0ec124a2 · 0ec124a2 · 0ec124a2
Commit 0ec124a2 authored Jul 16, 2022 by zengtianlai3
4 changed files
--- a/license/src/main/java/iot/sixiang/license/controller/EncryptController.java
+++ b/license/src/main/java/iot/sixiang/license/controller/EncryptController.java
@@ -9,12 +9,8 @@ import iot.sixiang.license.model.vo.EncryptVo;
 import lombok.extern.slf4j.Slf4j;
 import org.springframework.beans.factory.annotation.Value;
 import org.springframework.util.StringUtils;
-import org.springframework.web.bind.annotation.PostMapping;
+import org.springframework.web.bind.WebDataBinder;
-import org.springframework.web.bind.annotation.RequestBody;
+import org.springframework.web.bind.annotation.*;
-import org.springframework.web.bind.annotation.RequestMapping;
-import org.springframework.web.bind.annotation.RestController;
-import java.lang.reflect.InvocationTargetException;
 /**
 * Title: EncryptController

--- a/license/src/main/java/iot/sixiang/license/controller/MaskingController.java
+++ b/license/src/main/java/iot/sixiang/license/controller/MaskingController.java
@@ -7,11 +7,10 @@ import iot.sixiang.license.model.ResResult;
 import iot.sixiang.license.model.vo.MaskingVo;
 import iot.sixiang.license.util.CommonUtil;
 import lombok.extern.slf4j.Slf4j;
+import org.owasp.esapi.ESAPI;
 import org.springframework.util.StringUtils;
-import org.springframework.web.bind.annotation.PostMapping;
+import org.springframework.web.bind.WebDataBinder;
-import org.springframework.web.bind.annotation.RequestBody;
+import org.springframework.web.bind.annotation.*;
-import org.springframework.web.bind.annotation.RequestMapping;
-import org.springframework.web.bind.annotation.RestController;
 /**
 * Title: MaskingController
@@ -44,8 +43,8 @@ public class MaskingController {
        }
        MaskingVo vo = new MaskingVo();
-        vo.setUserName(ESAPI.encoder().encodeForHTML(CommonUtil.nameDesensitization(maskingVo.getUserName())));
+        vo.setUserName(ESAPI.encoder().encodeForDN(CommonUtil.nameDesensitization(maskingVo.getUserName())));
-        vo.setIdCard(CommonUtil.idCardEncrypt(maskingVo.getIdCard()));
+        vo.setIdCard(ESAPI.encoder().encodeForDN(CommonUtil.idCardEncrypt(maskingVo.getIdCard())));
        return ResResult.success().goRecord(vo);
    }

--- a/license/src/main/java/iot/sixiang/license/controller/OperateController.java
+++ b/license/src/main/java/iot/sixiang/license/controller/OperateController.java
@@ -104,6 +104,9 @@ public class OperateController {
        String user = UserUtils.getLoginUserId();
        int userI = Integer.valueOf(user);
        List<AlarmVo> alarmList = alarmService.getAlarmList(userI);
+        for (AlarmVo alarmVo : alarmList) {
+            alarmVo.setLevelDescribe(ESAPI.encoder().encodeForHTML(alarmVo.getLevelDescribe()));
+        }
        return ResResult.success().goRecord(alarmList);
    }

--- a/license/src/main/java/iot/sixiang/license/service/impl/AlarmServiceImpl.java
+++ b/license/src/main/java/iot/sixiang/license/service/impl/AlarmServiceImpl.java
@@ -34,7 +34,7 @@ public class AlarmServiceImpl extends ServiceImpl<AlarmMapper, Alarm> implements
        alarmVos = alarmVos.stream().sorted(Comparator.comparing(AlarmVo::getCreateTime, Comparator.reverseOrder())).collect(Collectors.toList());
        if (alarmVos != null && !alarmVos.isEmpty()) {
            for (AlarmVo alarmVo : alarmVos) {
-                alarmVo.setContent(ESAPI.encoder().encodeForHTML(alarmVo.getContent()));
+                alarmVo.setContent(ESAPI.encoder().encodeForDN(alarmVo.getContent()));
            }
        }
        return alarmVos;