From e2527ab13a0ece0bb29d9a4c195d0759ed9185f5 Mon Sep 17 00:00:00 2001
From: shimingxy
Date: Mon, 6 Jan 2025 09:05:42 +0800
Subject: [PATCH] Update WebXssRequestFilter.java

---
 .../org/dromara/maxkey/web/WebXssRequestFilter.java | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/maxkey-starter/maxkey-starter-web/src/main/java/org/dromara/maxkey/web/WebXssRequestFilter.java b/maxkey-starter/maxkey-starter-web/src/main/java/org/dromara/maxkey/web/WebXssRequestFilter.java
index 54b701c0b..08fd0c6ca 100644
--- a/maxkey-starter/maxkey-starter-web/src/main/java/org/dromara/maxkey/web/WebXssRequestFilter.java
+++ b/maxkey-starter/maxkey-starter-web/src/main/java/org/dromara/maxkey/web/WebXssRequestFilter.java
@@ -20,7 +20,7 @@ package org.dromara.maxkey.web;
 import java.io.IOException;
 import java.util.Enumeration;
 import java.util.concurrent.ConcurrentHashMap;
-
+import java.util.regex.Pattern;
 import org.apache.commons.text.StringEscapeUtils;
 import org.slf4j.Logger;
@@ -40,6 +40,11 @@ public class WebXssRequestFilter extends GenericFilterBean {
 static final ConcurrentHashMap skipUrlMap = new ConcurrentHashMap <>();
 static final ConcurrentHashMap skipParameterName = new ConcurrentHashMap <>();
+ /**
+ * 特殊字符 ' -- #
+ */
+ public final static Pattern specialCharacterRegex = Pattern.compile(".*((\\%27)|(')|(\\')|(--)|(\\-\\-)|(\\%23)|(#)).*", Pattern.CASE_INSENSITIVE);
+
 static {
 //add or update
 skipUrlMap.put("/notices/add", "/notices/add");
@@ -95,12 +100,15 @@ public class WebXssRequestFilter extends GenericFilterBean {
 *
 * 以下符号过滤
 * '
+ * --
+ * #
+ *
 * script
 * eval
 *
 */
 if(!StringEscapeUtils.escapeHtml4(tempValue).equals(value)
- ||lowerCaseTempValue.indexOf("'")>-1
+ ||specialCharacterRegex.matcher(value).matches()
 ||lowerCaseTempValue.indexOf("script")>-1
 ||lowerCaseTempValue.replace(" ", "").indexOf("eval(")>-1) {
 isWebXss = true;
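Review bot: The new `specialCharacterRegex` in the second hunk contains duplicate alternatives once Java string escaping is stripped — `(')` and `(\\')` compile to the same atom, as do `(--)` and `(\\-\\-)` — and the surrounding `.*` only exist to make `matches()` act as a substring search, which `find()` already does. A pattern such as `Pattern.compile("%27|'|--|%23|#", Pattern.CASE_INSENSITIVE)` states the intent directly; if the caller keeps `matches()` the leading/trailing `.*` would have to stay. Style: Java constants are conventionally declared `static final` (not `final static`) in `UPPER_SNAKE_CASE`, the field need not be `public` unless another class reads it, and the Javadoc should be in English, e.g. `/** Characters rejected in request parameter values: ' (or %27), -- and # (or %23). */`. The `%27`/`%23` forms only match a value that reaches the filter still URL-encoded, which presumably means double-encoded input — worth confirming that is the intended case.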
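Review bot: `specialCharacterRegex.matcher(value).matches()` in the third hunk requires the entire value to match, and because the pattern is compiled without `Pattern.DOTALL` its `.*` does not cross line terminators, so a value spanning several lines is never flagged even though the removed `indexOf("'")` check would have caught it; use `||specialCharacterRegex.matcher(value).find()` (or add `Pattern.DOTALL` to the pattern in the second hunk). The new condition also inspects `value` while the neighbouring checks inspect `lowerCaseTempValue`; `CASE_INSENSITIVE` makes the case difference moot, but if `tempValue` is a normalised form of `value` (not visible in the hunk) the regex sees different input than the other checks — presumably intentional, worth a one-line comment. Rejecting `--` and `#` in every non-skipped parameter will also reject ordinary content such as hex colours or markdown headings, so parameters expected to carry those should be registered in `skipParameterName`. The enclosing method starts and ends outside the hunk.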