caojiahao/dev_caojiahao
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

!28 fix xss filter parse array error

Browse Source 
Merge pull request !28 from OceansDeep/feature/pg
This commit is contained in:
OceansDeep 2021-09-14 10:27:42 +00:00 committed by Gitee
commit b0dc4db48a
1 changed files with 45 additions and 15 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

60
framework/src/main/java/cn/lili/common/security/filter/XssHttpServletRequestWrapper.java
View File

@ -1,6 +1,7 @@
package cn.lili.common.security.filter; package cn.lili.common.security.filter;
import cn.hutool.core.text.CharSequenceUtil;
import cn.hutool.http.HtmlUtil; import cn.hutool.http.HtmlUtil;
import cn.hutool.json.JSONUtil; import cn.hutool.json.JSONUtil;
@ -120,7 +121,7 @@ public class XssHttpServletRequestWrapper extends HttpServletRequestWrapper {
//获取输入流 //获取输入流
ServletInputStream in = super.getInputStream(); ServletInputStream in = super.getInputStream();
//用于存储输入流 //用于存储输入流
StringBuffer body = new StringBuffer(); StringBuilder body = new StringBuilder();
InputStreamReader reader = new InputStreamReader(in, StandardCharsets.UTF_8); InputStreamReader reader = new InputStreamReader(in, StandardCharsets.UTF_8);
BufferedReader bufferedReader = new BufferedReader(reader); BufferedReader bufferedReader = new BufferedReader(reader);
//按行读取输入流 //按行读取输入流
@ -136,24 +137,52 @@ public class XssHttpServletRequestWrapper extends HttpServletRequestWrapper {
reader.close(); reader.close();
in.close(); in.close();
//将body转换为map if (CharSequenceUtil.isNotEmpty(body) && Boolean.TRUE.equals(JSONUtil.isJsonObj(body.toString()))) {
Map<String, Object> map = JSONUtil.parseObj(body.toString()); //将body转换为map
//创建空的map用于存储结果 Map<String, Object> map = JSONUtil.parseObj(body.toString());
Map<String, Object> resultMap = new HashMap<>(map.size()); //创建空的map用于存储结果
//遍历数组 Map<String, Object> resultMap = new HashMap<>(map.size());
for (Map.Entry<String, Object> entry : map.entrySet()) { //遍历数组
//如果map.get(key)获取到的是字符串就需要进行转义如果不是直接存储resultMap for (Map.Entry<String, Object> entry : map.entrySet()) {
if (map.get(entry.getKey()) instanceof String) { //如果map.get(key)获取到的是字符串就需要进行转义如果不是直接存储resultMap
resultMap.put(entry.getKey(), cleanXSS(entry.getValue().toString())); if (map.get(entry.getKey()) instanceof String) {
} else { resultMap.put(entry.getKey(), cleanXSS(entry.getValue().toString()));
resultMap.put(entry.getKey(), entry.getValue()); } else {
resultMap.put(entry.getKey(), entry.getValue());
}
} }
//将resultMap转换为json字符串
String resultStr = JSONUtil.toJsonStr(resultMap);
//将json字符串转换为字节
final ByteArrayInputStream resultBIS = new ByteArrayInputStream(resultStr.getBytes());
//实现接口
return new ServletInputStream() {
@Override
public boolean isFinished() {
return false;
}
@Override
public boolean isReady() {
return false;
}
@Override
public void setReadListener(ReadListener readListener) {
}
@Override
public int read() {
return resultBIS.read();
}
};
} }
//将resultMap转换为json字符串
String resultStr = JSONUtil.toJsonStr(resultMap);
//将json字符串转换为字节 //将json字符串转换为字节
final ByteArrayInputStream bis = new ByteArrayInputStream(resultStr.getBytes()); final ByteArrayInputStream bis = new ByteArrayInputStream(body.toString().getBytes());
//实现接口 //实现接口
return new ServletInputStream() { return new ServletInputStream() {
@ -177,6 +206,7 @@ public class XssHttpServletRequestWrapper extends HttpServletRequestWrapper {
return bis.read(); return bis.read();
} }
}; };
} }
private String cleanXSS(String value) { private String cleanXSS(String value) {