From 5f5afde69e0a32ec50d04e24a4385331df4fcabf Mon Sep 17 00:00:00 2001
From: shimingxy
Date: Tue, 31 Dec 2024 09:11:08 +0800
Subject: [PATCH] =?UTF-8?q?Xss=20=E5=AE=89=E5=85=A8=E9=98=B2=E6=8A=A4?= =?UTF-8?q?=E4=BC=98=E5=8C=96?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 .../maxkey/web/WebXssRequestFilter.java | 21 ++++++++++++++++---
 1 file changed, 18 insertions(+), 3 deletions(-)
diff --git a/maxkey-starter/maxkey-starter-web/src/main/java/org/dromara/maxkey/web/WebXssRequestFilter.java b/maxkey-starter/maxkey-starter-web/src/main/java/org/dromara/maxkey/web/WebXssRequestFilter.java
index d0c3f23a..54b701c0 100644
--- a/maxkey-starter/maxkey-starter-web/src/main/java/org/dromara/maxkey/web/WebXssRequestFilter.java
+++ b/maxkey-starter/maxkey-starter-web/src/main/java/org/dromara/maxkey/web/WebXssRequestFilter.java
@@ -85,11 +85,26 @@ public class WebXssRequestFilter extends GenericFilterBean {
 String value = request.getParameter(key);
 _logger.trace("parameter name {} , value {}" , key, value);
 String tempValue = value;
+ String lowerCaseTempValue = tempValue.toLowerCase();
+ /**
+ * StringEscapeUtils.escapeHtml4
+ * " 转义为 "
+ * & 转义为 &
+ * < 转义为 <
+ * > 转义为 >
+ *
+ * 以下符号过滤
+ * '
+ * script
+ * eval
+ *
+ */
 if(!StringEscapeUtils.escapeHtml4(tempValue).equals(value)
- ||tempValue.toLowerCase().indexOf("script")>-1
- ||tempValue.toLowerCase().replace(" ", "").indexOf("eval(")>-1) {
+ ||lowerCaseTempValue.indexOf("'")>-1
+ ||lowerCaseTempValue.indexOf("script")>-1
+ ||lowerCaseTempValue.replace(" ", "").indexOf("eval(")>-1) {
 isWebXss = true;
- _logger.error("parameter name {} , value {}, contains dangerous content ! ",key,value);
+ _logger.error("dangerous ! parameter {} , value {}",key,value);
 break;
 }
 }
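Review bot: The new `tempValue.toLowerCase()` line uses the JVM default locale, so the `script` and `eval(` substring checks that follow give different results depending on the host's locale (Turkish-family locales lower-case `I` differently), and the deterministic form is `String lowerCaseTempValue = tempValue.toLowerCase(Locale.ROOT);`. The rewritten `_logger.error` call still writes the rejected value verbatim, and since this loop appears to visit every request parameter that value may be a credential or carry newlines that forge log lines, so logging only the parameter name (or a control-character-stripped value) is safer. The added `'`/`script`/`eval(` rules are a substring denylist that also rejects legitimate input such as `O'Brien` or any parameter whose value contains `description`, so the filter is best documented in the comment as defence-in-depth, with output encoding remaining the primary XSS control. The Javadoc-style `/** ... */` block inside the method body should be a plain `/* ... */` comment, since Javadoc is only processed on declarations. The enclosing loop and method begin before this hunk.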