Update WebXssRequestFilter.java

This commit is contained in:
shimingxy
2025-01-06 09:05:42 +08:00
parent 48bc66d735
commit e2527ab13a


@@ -20,7 +20,7 @@ package org.dromara.maxkey.web;
import java.io.IOException;
import java.util.Enumeration;
import java.util.concurrent.ConcurrentHashMap;
import java.util.regex.Pattern;
import org.apache.commons.text.StringEscapeUtils;
import org.slf4j.Logger;
@@ -40,6 +40,11 @@ public class WebXssRequestFilter extends GenericFilterBean {
static final ConcurrentHashMap <String,String> skipUrlMap = new ConcurrentHashMap <>();
static final ConcurrentHashMap <String,String> skipParameterName = new ConcurrentHashMap <>();
/**
* 特殊字符 ' -- #
*/
public final static Pattern specialCharacterRegex = Pattern.compile(".*((\\%27)|(')|(\\')|(--)|(\\-\\-)|(\\%23)|(#)).*", Pattern.CASE_INSENSITIVE);
static {
//add or update
skipUrlMap.put("/notices/add", "/notices/add");
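Review bot: The `specialCharacterRegex` pattern wraps its alternation in leading and trailing `.*` and is consumed with `matches()` in the next hunk, so a value that contains a line break is never flagged, because `.` does not cross newlines unless `Pattern.DOTALL` is set; dropping the `.*` wrappers and calling `find()` on the matcher states the "contains" intent directly and closes that gap. Several alternatives are duplicates — `(')` and `(\\')`, `(--)` and `(\\-\\-)` compile to the same thing — so the whole expression reduces to `Pattern.compile("%27|'|--|%23|#", Pattern.CASE_INSENSITIVE)`. The modifier order `public final static` should be `public static final`, matching the two `static final` maps just above it. The Javadoc is a bare character list in Chinese; an English sentence such as `/** Special characters rejected by the filter anywhere in a parameter value: %27, ', --, %23 and # (matched case-insensitively). */` would tell the next reader what the field is for.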
@@ -95,12 +100,15 @@ public class WebXssRequestFilter extends GenericFilterBean {
*
* 以下符号过滤
* '
* --
* #
*
* script
* eval
*
*/
if(!StringEscapeUtils.escapeHtml4(tempValue).equals(value)
||lowerCaseTempValue.indexOf("'")>-1
||specialCharacterRegex.matcher(value).matches()
||lowerCaseTempValue.indexOf("script")>-1
||lowerCaseTempValue.replace(" ", "").indexOf("eval(")>-1) {
isWebXss = true;
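Review bot: The new `specialCharacterRegex.matcher(value).matches()` branch inspects `value`, while every neighbouring branch of the same condition inspects `lowerCaseTempValue`; if `tempValue` is a normalized form of `value` (both are defined outside the hunk, so this is inferred) the new check should run on the same input so that all branches reject on the same string, e.g. `||specialCharacterRegex.matcher(lowerCaseTempValue).matches()`. The `'` alternative in the pattern also duplicates the existing `lowerCaseTempValue.indexOf("'")>-1` branch one line above, so one of the two can go. Because `--` and `#` now reject any parameter that merely contains them, legitimate values such as hex colours (`#fff`) or dash-separated ranges will be refused unless their parameter names are registered in `skipParameterName`; a comment naming that escape hatch next to the condition would help whoever hits the false positive. The enclosing method begins outside the hunk.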