Xss 安全防护优化

This commit is contained in:
shimingxy 2024-12-31 09:11:08 +08:00
parent 478b3c0003
commit 5f5afde69e


@ -85,11 +85,26 @@ public class WebXssRequestFilter extends GenericFilterBean {
String value = request.getParameter(key); String value = request.getParameter(key);
_logger.trace("parameter name {} , value {}" , key, value); _logger.trace("parameter name {} , value {}" , key, value);
String tempValue = value; String tempValue = value;
String lowerCaseTempValue = tempValue.toLowerCase();
/**
* StringEscapeUtils.escapeHtml4
* " 转义为 "
* & 转义为 &
* < 转义为 &lt;
* > 转义为 &gt;
*
* 以下符号过滤
* '
* script
* eval
*
*/
if(!StringEscapeUtils.escapeHtml4(tempValue).equals(value) if(!StringEscapeUtils.escapeHtml4(tempValue).equals(value)
||tempValue.toLowerCase().indexOf("script")>-1 ||lowerCaseTempValue.indexOf("'")>-1
||tempValue.toLowerCase().replace(" ", "").indexOf("eval(")>-1) { ||lowerCaseTempValue.indexOf("script")>-1
||lowerCaseTempValue.replace(" ", "").indexOf("eval(")>-1) {
isWebXss = true; isWebXss = true;
_logger.error("parameter name {} , value {}, contains dangerous content ! ",key,value); _logger.error("dangerous ! parameter {} , value {}",key,value);
break; break;
} }
} }
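Review bot: The fold at `String lowerCaseTempValue = tempValue.toLowerCase();` uses the JVM default locale, so the `"script"` and `"eval("` matches below it depend on the server's locale (in locales with special casing, an upper-case `I` does not fold to `i`); `String lowerCaseTempValue = tempValue.toLowerCase(Locale.ROOT);` makes the check deterministic, with `java.util.Locale` imported outside this hunk. The new `lowerCaseTempValue.indexOf("'")>-1` condition rejects every parameter containing an apostrophe, including ordinary values such as personal names, which is a behaviour change the comment block above should state explicitly rather than only listing `'`. These substring checks are a denylist heuristic, so the comment should also say that output encoding at render time remains the primary XSS control. The error log writes the raw rejected value; since it is untrusted input, consider escaping or truncating it before logging. The enclosing loop and method start before this hunk.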