From 02fcbc870c82f3ba33daca7d75e1cd4c9f2f0af0 Mon Sep 17 00:00:00 2001
From: MaxKey
Date: Tue, 25 Jan 2022 14:35:06 +0800
Subject: [PATCH] Xss
---
 .../java/org/maxkey/web/WebXssRequestFilter.java | 14 ++++++++++++--
 .../main/java/org/maxkey/MaxKeyMgtMvcConfig.java | 1 +
 2 files changed, 13 insertions(+), 2 deletions(-)
diff --git a/maxkey-core/src/main/java/org/maxkey/web/WebXssRequestFilter.java b/maxkey-core/src/main/java/org/maxkey/web/WebXssRequestFilter.java
index 4ed9dbd09..f7beab022 100644
--- a/maxkey-core/src/main/java/org/maxkey/web/WebXssRequestFilter.java
+++ b/maxkey-core/src/main/java/org/maxkey/web/WebXssRequestFilter.java
@@ -37,6 +37,7 @@ public class WebXssRequestFilter extends GenericFilterBean {
 final static Logger _logger = LoggerFactory.getLogger(GenericFilterBean.class);
 final static ConcurrentHashMap skipUrlMap = new ConcurrentHashMap ();
+ final static ConcurrentHashMap skipParameterName = new ConcurrentHashMap ();
 static {
 //add or update
@@ -45,8 +46,6 @@ public class WebXssRequestFilter extends GenericFilterBean {
 skipUrlMap.put("/institutions/update","/institutions/update");
 skipUrlMap.put("/localization/update","/localization/update");
 skipUrlMap.put("/apps/updateExtendAttr","/apps/updateExtendAttr");
- skipUrlMap.put("/synchronizers/add","/synchronizers/add");
- skipUrlMap.put("/synchronizers/update","/synchronizers/update");
 //authz
 skipUrlMap.put("/authz/cas", "/authz/cas");
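Review bot: The new `skipParameterName` field is declared without any comment stating what membership means, and neither the field name nor the class tells a reader that a listed parameter's value will bypass the filter's sanitizing entirely (the check lives in the hunk at line 84). A one-line comment above the declaration would make that contract explicit, e.g. `// parameter names whose values are passed through unsanitized (password/secret fields); such values must be output-encoded wherever they are rendered`. The field also mirrors `skipUrlMap` in storing each name twice as key and value; a `Set<String>` from `ConcurrentHashMap.newKeySet()` would express intent more directly, though the map form is at least consistent with the existing style. The static initializer that populates it begins in this hunk and continues outside it.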
@@ -56,6 +55,15 @@ public class WebXssRequestFilter extends GenericFilterBean {
 //TENCENT_IOA
 skipUrlMap.put("/oauth2/authorize", "/oauth2/authorize");
+ skipParameterName.put("relatedPassword", "relatedPassword");
+ skipParameterName.put("oldPassword", "oldPassword");
+ skipParameterName.put("password", "password");
+ skipParameterName.put("confirmpassword", "confirmpassword");
+ skipParameterName.put("credentials", "credentials");
+ skipParameterName.put("clientSecret", "clientSecret");
+ skipParameterName.put("appSecret", "appSecret");
+ skipParameterName.put("sharedSecret", "sharedSecret");
+ skipParameterName.put("secret", "secret");
 }
 @Override
@@ -76,6 +84,8 @@ public class WebXssRequestFilter extends GenericFilterBean {
 Enumeration parameterNames = request.getParameterNames();
 while (parameterNames.hasMoreElements()) {
 String key = (String) parameterNames.nextElement();
+ if(skipParameterName.containsKey(key)) {continue;}
+
 String value = request.getParameter(key);
 _logger.trace("parameter name "+key +" , value " + value);
 String tempValue = value;
diff --git a/maxkey-webs/maxkey-web-mgt/src/main/java/org/maxkey/MaxKeyMgtMvcConfig.java b/maxkey-webs/maxkey-web-mgt/src/main/java/org/maxkey/MaxKeyMgtMvcConfig.java
index 93476dfd4..436de43a3 100644
--- a/maxkey-webs/maxkey-web-mgt/src/main/java/org/maxkey/MaxKeyMgtMvcConfig.java
+++ b/maxkey-webs/maxkey-web-mgt/src/main/java/org/maxkey/MaxKeyMgtMvcConfig.java
@@ -134,6 +134,7 @@ public class MaxKeyMgtMvcConfig implements WebMvcConfigurer {
 .addPathPatterns("/ldapcontext/**")
 .addPathPatterns("/emailsenders/**")
 .addPathPatterns("/smsprovider/**")
+ .addPathPatterns("/synchronizers/**")
 ;
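Review bot: The skip list added in the static initializer is matched by exact, case-sensitive name (the `containsKey` check in the hunk at line 84), yet `confirmpassword` is the only all-lowercase entry while every other entry is camelCase; a form posting `confirmPassword` or `newPassword` would still be sanitized while `password` is not, which reads as an inconsistency to confirm rather than a deliberate choice. Because the listed parameters now reach the application with their raw value, any of them that is persisted and later displayed (the `clientSecret`/`appSecret`/`sharedSecret` entries suggest per-application settings, though that is inferred) depends entirely on output encoding at render time. That assumption deserves a comment beside the list, e.g. `// secret/password parameters are passed through verbatim so their characters survive; never reflect them into HTML without encoding`. It would also help to state why the two `/synchronizers/*` URL exemptions removed above are no longer needed, presumably because their credential parameters are now covered by these names.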
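Review bot: The added `if(skipParameterName.containsKey(key)) {continue;}` sits before the `_logger.trace(...)` line that logs every parameter value, so skipped secrets are also kept out of the trace log; that ordering is load-bearing and should be stated, e.g. `// skip before the trace log so password/secret values are never written to the log`. The one-line form also departs from the brace style of the surrounding `while` block; `if (skipParameterName.containsKey(key)) {` / `continue;` / `}` on separate lines reads more conventionally. The enclosing filter method starts and ends outside the hunk.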