Commit cb3a57f9 authored by zengtianlai3's avatar zengtianlai3

前端所有请求都被拦截修改

parent 79d0026d
...@@ -6,6 +6,7 @@ import iot.sixiang.license.handler.IotLicenseException; ...@@ -6,6 +6,7 @@ import iot.sixiang.license.handler.IotLicenseException;
import lombok.extern.slf4j.Slf4j; import lombok.extern.slf4j.Slf4j;
import org.apache.commons.fileupload.servlet.ServletFileUpload; import org.apache.commons.fileupload.servlet.ServletFileUpload;
import org.owasp.esapi.ESAPI; import org.owasp.esapi.ESAPI;
import org.springframework.util.StringUtils;
import org.springframework.web.multipart.commons.CommonsMultipartResolver; import org.springframework.web.multipart.commons.CommonsMultipartResolver;
import javax.servlet.ReadListener; import javax.servlet.ReadListener;
...@@ -183,7 +184,7 @@ public class XssHttpServletRequestWrapper extends HttpServletRequestWrapper { ...@@ -183,7 +184,7 @@ public class XssHttpServletRequestWrapper extends HttpServletRequestWrapper {
private String cleanXSS(String value) { private String cleanXSS(String value) {
if (value != null) { if (value != null && value.length() != 0) {
// 推荐使用ESAPI库来避免脚本攻击 // 推荐使用ESAPI库来避免脚本攻击
value = ESAPI.encoder().canonicalize(value); value = ESAPI.encoder().canonicalize(value);
// 避免空字符串 // 避免空字符串
...@@ -230,7 +231,6 @@ public class XssHttpServletRequestWrapper extends HttpServletRequestWrapper { ...@@ -230,7 +231,6 @@ public class XssHttpServletRequestWrapper extends HttpServletRequestWrapper {
// 避免 onXX= 表达式 // 避免 onXX= 表达式
scriptPattern = Pattern.compile("on.*(.*?)=", CASE_INSENSITIVE | MULTILINE | DOTALL); scriptPattern = Pattern.compile("on.*(.*?)=", CASE_INSENSITIVE | MULTILINE | DOTALL);
value = scriptPattern.matcher(value).replaceAll(""); value = scriptPattern.matcher(value).replaceAll("");
if (value.length() == 0) { if (value.length() == 0) {
throw new IotLicenseException(ResultCode.VALIDATE_FAILED.getCode(), "参数含有非法攻击字符,已禁止继续访问!!"); throw new IotLicenseException(ResultCode.VALIDATE_FAILED.getCode(), "参数含有非法攻击字符,已禁止继续访问!!");
} }
......
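Review bot: The new `value.length() != 0` guard on the `if (value != null && value.length() != 0)` line of `cleanXSS` only keeps empty parameters from reaching the final empty-result exception; it does nothing about non-empty values that the blacklist mutates and then passes on. The `on.*(.*?)=` pattern is compiled with DOTALL and a greedy `.*`, so any value containing the letters "on" somewhere before an "=" (`reason=x`, a JSON body with `"done":` followed later by an `=`, an opaque token) has everything from that "on" to the last "=" deleted and the mangled string is silently handed to the controller, while only a value reduced to nothing triggers the "参数含有非法攻击字符" rejection. If the intent is to reject attacks rather than rewrite input, compare before and after and throw on any difference, e.g. `String cleaned = scriptPattern.matcher(value).replaceAll("");` followed by `if (!cleaned.equals(value)) { throw new IotLicenseException(ResultCode.VALIDATE_FAILED.getCode(), "参数含有非法攻击字符,已禁止继续访问!!"); }`, and tighten the expression to an actual event-handler shape such as `"\\bon\\w+\\s*="`. An input blacklist like this is defence in depth at best; the reliable XSS control remains context-aware output encoding where the value is rendered. `cleanXSS` continues outside the hunks shown, so the remaining patterns between the canonicalize call and the `on.*` check are not visible here.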
...@@ -2,6 +2,7 @@ package iot.sixiang.license.xss; ...@@ -2,6 +2,7 @@ package iot.sixiang.license.xss;
import iot.sixiang.license.consts.ResultCode; import iot.sixiang.license.consts.ResultCode;
import iot.sixiang.license.handler.IotLicenseException; import iot.sixiang.license.handler.IotLicenseException;
import lombok.extern.slf4j.Slf4j;
import org.owasp.esapi.ESAPI; import org.owasp.esapi.ESAPI;
import java.util.regex.Pattern; import java.util.regex.Pattern;
...@@ -15,9 +16,10 @@ import static java.util.regex.Pattern.*; ...@@ -15,9 +16,10 @@ import static java.util.regex.Pattern.*;
* @author tianlai3 * @author tianlai3
* @date 2022-07-17 15:27:52 * @date 2022-07-17 15:27:52
*/ */
@Slf4j
public class XssUtil { public class XssUtil {
public static String checkXSS(String value) { public static String checkXSS(String value) {
if (value != null) { if (value != null && value.length() != 0) {
// 推荐使用ESAPI库来避免脚本攻击 // 推荐使用ESAPI库来避免脚本攻击
value = ESAPI.encoder().canonicalize(value); value = ESAPI.encoder().canonicalize(value);
// 避免空字符串 // 避免空字符串
...@@ -65,6 +67,7 @@ public class XssUtil { ...@@ -65,6 +67,7 @@ public class XssUtil {
scriptPattern = Pattern.compile("on.*(.*?)=", CASE_INSENSITIVE | MULTILINE | DOTALL); scriptPattern = Pattern.compile("on.*(.*?)=", CASE_INSENSITIVE | MULTILINE | DOTALL);
value = scriptPattern.matcher(value).replaceAll(""); value = scriptPattern.matcher(value).replaceAll("");
if (value.length() == 0) { if (value.length() == 0) {
throw new IotLicenseException(ResultCode.VALIDATE_FAILED.getCode(), "参数含有非法攻击字符,已禁止继续访问!!"); throw new IotLicenseException(ResultCode.VALIDATE_FAILED.getCode(), "参数含有非法攻击字符,已禁止继续访问!!");
} }
......
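Review bot: `XssUtil.checkXSS` is a line-for-line copy of `XssHttpServletRequestWrapper.cleanXSS` — the same `ESAPI.encoder().canonicalize(value)`, the same `on.*(.*?)=` pattern and the same empty-result exception — and this commit has to apply the identical guard change in both places, which is exactly how the two copies will drift apart. Have `cleanXSS` delegate, `return XssUtil.checkXSS(value);`, so the filter rules exist once. Independently, `scriptPattern = Pattern.compile("on.*(.*?)=", CASE_INSENSITIVE | MULTILINE | DOTALL);` recompiles the regex on every request; hoist each pattern to a `private static final Pattern` field. The added `@Slf4j` has no logging call anywhere in the visible hunks; if nothing else in the class logs, drop the annotation and its import rather than keep an unused logger. `checkXSS` continues past the hunk boundary, so this review covers only the lines shown.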