From def6247e9f4c59956b7bc59665408b6b1bfb7e5a Mon Sep 17 00:00:00 2001
From: paulGao
Date: Mon, 17 Jan 2022 17:42:42 +0800
Subject: [PATCH] =?UTF-8?q?=E4=BC=98=E5=8C=96=E7=AE=A1=E7=90=86=E7=AB=AF?=
 =?UTF-8?q?=E7=99=BB=E5=BD=95=E5=92=8Cxss?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 .../filter/XssHttpServletRequestWrapper.java | 52 +++---------------
 .../passport/AdminUserManagerController.java | 2 +-
 2 files changed, 7 insertions(+), 47 deletions(-)
diff --git a/framework/src/main/java/cn/lili/common/security/filter/XssHttpServletRequestWrapper.java b/framework/src/main/java/cn/lili/common/security/filter/XssHttpServletRequestWrapper.java
index ad694aea..74dff93a 100644
--- a/framework/src/main/java/cn/lili/common/security/filter/XssHttpServletRequestWrapper.java
+++ b/framework/src/main/java/cn/lili/common/security/filter/XssHttpServletRequestWrapper.java
@@ -7,7 +7,6 @@ import cn.hutool.json.JSONUtil;
 import lombok.extern.slf4j.Slf4j;
 import org.owasp.html.HtmlPolicyBuilder;
 import org.owasp.html.PolicyFactory;
-import org.owasp.html.Sanitizers;
 import javax.servlet.ReadListener;
 import javax.servlet.ServletInputStream;
@@ -32,33 +31,6 @@ import java.util.Map;
 @Slf4j
 public class XssHttpServletRequestWrapper extends HttpServletRequestWrapper {
-
- /**
- * xss过滤参数
- *
- * @todo 这里的参数应该更智能些,例如iv,前端的参数包含这两个字母就会放过,这是有问题的
- */
- private static final String[] IGNORE_FIELD = {
- "logo",
- "url",
- "photo",
- "intro",
- "content",
- "name",
- "image",
- "encrypted",
- "iv",
- "mail",
- "sell",
- "id",
- "price",
- "prop",
- "reply",
- "profile",
- "privateKey",
- "wechatpay",
- };
-
 //允许的标签
 private static final String[] allowedTags = {"h1", "h2", "h3", "h4", "h5", "h6", "span", "strong", 
@@ -74,8 +46,10 @@ public class XssHttpServletRequestWrapper extends HttpServletRequestWrapper {
 "footer", "header", "hgroup", "section", "summary"};
 //带有超链接的标签
- private static final String[] linkTags = {"img", "video", "source", "a", "iframe"};
+ private static final String[] linkTags = {"img", "video", "source", "a", "iframe", "p"};
+ //带有超链接的标签
+ private static final String[] allowAttributes = {"style", "src", "href", "target", "width", "height"};
 public XssHttpServletRequestWrapper(HttpServletRequest request) {
 super(request);
@@ -284,19 +258,11 @@ public class XssHttpServletRequestWrapper extends HttpServletRequestWrapper {
 .allowElements(allowedTags)
 //内容标签转化为div
 .allowElements((elementName, attributes) -> "div", needTransformTags)
- .allowAttributes("src", "href", "target", "width", "height").onElements(linkTags)
- //校验链接中的是否为http
-// .allowUrlProtocols("https")
+ .allowAttributes(allowAttributes).onElements(linkTags)
+ .allowStyling()
 .toFactory();
 // basic prepackaged policies for links, tables, integers, images, styles, blocks
- value = Sanitizers.FORMATTING
- .and(Sanitizers.STYLES)
- .and(Sanitizers.IMAGES)
- .and(Sanitizers.LINKS)
- .and(Sanitizers.BLOCKS)
- .and(Sanitizers.TABLES)
- .and(policy)
- .sanitize(value);
+ value = policy.sanitize(value);
 }
 return HtmlUtil.unescape(value);
 }
@@ -309,12 +275,6 @@ public class XssHttpServletRequestWrapper extends HttpServletRequestWrapper {
 * @return 参数值
 */
 private String filterXss(String name, String value) {
-// if (CharSequenceUtil.containsAny(name.toLowerCase(Locale.ROOT), IGNORE_FIELD)) {
-// // 忽略的处理,(过滤敏感字符)
-// return value;
-// } else {
-// return cleanXSS(value);
-// }
 return cleanXSS(value);
 }
diff --git a/manager-api/src/main/java/cn/lili/controller/passport/AdminUserManagerController.java b/manager-api/src/main/java/cn/lili/controller/passport/AdminUserManagerController.java
index ce61b470..80adbfff 100644
--- a/manager-api/src/main/java/cn/lili/controller/passport/AdminUserManagerController.java
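Review bot: The comment placed above the new `allowAttributes` array is a copy of the one above `linkTags` (`//带有超链接的标签`, "tags carrying links"), but this array holds attribute names, not tag names, so the comment misdescribes the field; `//允许出现在 linkTags 上的属性` (attributes permitted on linkTags) would match it, and naming the field `allowedAttributes` would follow the existing `allowedTags` convention. Adding `"p"` to `linkTags` likewise makes that name inaccurate, since a paragraph carries no link and the only effect is that the whole attribute set, including `src`, `href` and `target`, becomes permitted on `<p>`; a separate array for elements that only need `style`/`width`/`height` would keep the whitelist minimal. Both arrays are consumed by the policy builder in the later hunk of this file.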
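Review bot: Dropping the prepackaged `Sanitizers.LINKS` and `Sanitizers.IMAGES` policies removes the only URL handling visible in this file (their http/https/mailto protocol restriction and the `rel="nofollow"` LINKS adds), and the builder chain above `.toFactory()` contains no `allowUrlProtocols(...)` or `allowStandardUrlProtocols()` call, so absolute `href`/`src` values on `a`, `img` and `iframe` are now left to the library's behaviour for an empty protocol set; the start of the builder is outside the hunk, so confirm whether such a call exists there and otherwise add `.allowStandardUrlProtocols()` next to `.allowStyling()`. `style` is now permitted twice, as a plain attribute on `linkTags` through `allowAttributes(allowAttributes)` and via `allowStyling()`; the sanitizer is expected to join both policies so the CSS whitelist still applies, but that interaction deserves a unit test asserting that a `style` value containing `url(` or `expression(` on `<p>` or `<img>` comes out filtered. The unchanged `return HtmlUtil.unescape(value);` re-decodes the entities the sanitizer produced (e.g. `&lt;` back to `<`), so text the policy neutralised is stored in raw form again and every later renderer must re-escape it; a comment stating that assumption would help the next reader.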
+++ b/manager-api/src/main/java/cn/lili/controller/passport/AdminUserManagerController.java
@@ -62,7 +62,7 @@ public class AdminUserManagerController {
 @Autowired
 private VerificationService verificationService;
- @GetMapping(value = "/login")
+ @PostMapping(value = "/login")
 @ApiOperation(value = "登录管理员")
 public ResultMessage login(@NotNull(message = "用户名不能为空") @RequestParam String username,
 @NotNull(message = "密码不能为空") @RequestParam String password,
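Review bot: Moving `/login` to `@PostMapping` keeps the credentials out of GET URLs, but `@RequestParam` still resolves from the query string as well as the form body, so a client that puts `username`/`password` in the URL of the POST is still accepted and the password still reaches access logs and proxies; binding the credentials from the request body instead (a small login DTO annotated `@RequestBody`) closes that gap and would also let the `@NotNull` validation live on the DTO. The `@ApiOperation` value could mention that the method changed, since any client still issuing GET presumably now receives a 405 rather than a validation error. The `login` signature continues past the hunk, so its remaining parameters are not visible here.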