优化XSS处理

license/src/main/java/iot/sixiang/license/handler/GlobalExceptionHandler.java

@@ -17,7 +17,7 @@ public class GlobalExceptionHandler {
     @ExceptionHandler(Exception.class)
     @ResponseBody    //为了返回数据
     public BaseResult error(Exception e){
-        log.error("出现自定义异常,{}" + e.getMessage());
+        log.error("出现自定义异常", e);
         return BaseResult.serverException();
     }
 

license/src/main/java/iot/sixiang/license/xss/XssHttpServletRequestWrapper.java

 package iot.sixiang.license.xss;
 
+import com.alibaba.fastjson.JSONArray;
 import com.alibaba.fastjson.JSONObject;
 import iot.sixiang.license.consts.ResultCode;
 import iot.sixiang.license.handler.IotLicenseException;
 import lombok.extern.slf4j.Slf4j;
 import org.apache.commons.fileupload.servlet.ServletFileUpload;
 import org.owasp.esapi.ESAPI;
-import org.springframework.util.StringUtils;
 import org.springframework.web.multipart.commons.CommonsMultipartResolver;
 
 import javax.servlet.ReadListener;
@@ -15,6 +15,7 @@ import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletRequestWrapper;
 import java.io.*;
 import java.nio.charset.StandardCharsets;
+import java.util.List;
 import java.util.regex.Pattern;
 
 import static java.util.regex.Pattern.*;
@@ -41,6 +42,7 @@ public class XssHttpServletRequestWrapper extends HttpServletRequestWrapper {
     private static String badStrReg =
             "\\b(and|or)\\b.{1,6}?(=|>|<|\\bin\\b|\\blike\\b)|\\/\\*.+?\\*\\/|<\\s*script\\b|\\bEXEC\\b|UNION.+?SELECT|UPDATE.+?SET|INSERT\\s+INTO.+?VALUES|(SELECT|DELETE).+?FROM|(CREATE|ALTER|DROP|TRUNCATE)\\s+(TABLE|DATABASE)";
 
+
     public XssHttpServletRequestWrapper(HttpServletRequest servletRequest) throws IOException {
 
         super(servletRequest);
@@ -65,7 +67,8 @@ public class XssHttpServletRequestWrapper extends HttpServletRequestWrapper {
         } catch (IOException e) {
             throw e;
         }
-        return sb.toString();
+        String res = sb.toString();
+        return res;
     }
 
     /**
@@ -79,10 +82,14 @@ public class XssHttpServletRequestWrapper extends HttpServletRequestWrapper {
         // 非文件上传进行过滤
         if (!fileUpload) {
             // 获取body中的请求参数
-            JSONObject json = JSONObject.parseObject(new String(body, StandardCharsets.UTF_8));
-            // 校验并过滤xss攻击和sql注入
-            for (String k : json.keySet()) {
-                cleanSQLInject(cleanXSS(json.getString(k)));
+            String requestString = new String(body, StandardCharsets.UTF_8);
+            if(requestString.startsWith("[")) {
+                List<String> strings = JSONArray.parseArray(requestString, String.class);
+                for (String string : strings) {
+                    checkSqlAndXss(string);
+                }
+            } else {
+                checkSqlAndXss(new String(body, StandardCharsets.UTF_8));
             }
         }
         // 将请求体参数流转 -- 流读取一次就会消失,所以我们事先读取之后就存在byte数组里边方便流转
@@ -111,6 +118,14 @@ public class XssHttpServletRequestWrapper extends HttpServletRequestWrapper {
         };
     }
 
+    public void checkSqlAndXss(String str) {
+        JSONObject json = JSONObject.parseObject(str);
+        // 校验并过滤xss攻击和sql注入
+        for (String k : json.keySet()) {
+            cleanSQLInject(cleanXSS(json.getString(k)));
+        }
+    }
+
     /**
      * 过滤sql注入 -- 需要增加通配，过滤大小写组合
      *