From 1a993a7899c2128e78975754502fba0993a8079e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E7=96=AF=E7=8B=82=E7=9A=84=E7=8B=AE=E5=AD=90Li?= <15040126243@163.com> Date: Tue, 12 Nov 2024 18:17:47 +0800 Subject: [PATCH] =?UTF-8?q?update=20=E4=BC=98=E5=8C=96=20xss=E5=8C=85?= =?UTF-8?q?=E8=A3=85=E5=99=A8=20Parameter=20=E5=A4=84=E7=90=86=20=E5=85=BC?= =?UTF-8?q?=E5=AE=B9=E6=9F=90=E4=BA=9B=E5=AE=B9=E5=99=A8=E4=B8=8D=E5=85=81?= =?UTF-8?q?=E8=AE=B8=E6=94=B9=E5=8F=82=E6=95=B0=E7=9A=84=E6=83=85=E5=86=B5?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../filter/XssHttpServletRequestWrapper.java | 47 +++++++++++-------- 1 file changed, 28 insertions(+), 19 deletions(-) diff --git a/ruoyi-common/ruoyi-common-web/src/main/java/org/dromara/common/web/filter/XssHttpServletRequestWrapper.java b/ruoyi-common/ruoyi-common-web/src/main/java/org/dromara/common/web/filter/XssHttpServletRequestWrapper.java index 190f94eab..914e54995 100644 --- a/ruoyi-common/ruoyi-common-web/src/main/java/org/dromara/common/web/filter/XssHttpServletRequestWrapper.java +++ b/ruoyi-common/ruoyi-common-web/src/main/java/org/dromara/common/web/filter/XssHttpServletRequestWrapper.java @@ -1,19 +1,22 @@ package org.dromara.common.web.filter; import cn.hutool.core.io.IoUtil; +import cn.hutool.core.map.MapUtil; +import cn.hutool.core.util.ArrayUtil; import cn.hutool.core.util.StrUtil; import cn.hutool.http.HtmlUtil; -import org.dromara.common.core.utils.StringUtils; -import org.springframework.http.HttpHeaders; -import org.springframework.http.MediaType; - import jakarta.servlet.ReadListener; import jakarta.servlet.ServletInputStream; import jakarta.servlet.http.HttpServletRequest; import jakarta.servlet.http.HttpServletRequestWrapper; +import org.dromara.common.core.utils.StringUtils; +import org.springframework.http.HttpHeaders; +import org.springframework.http.MediaType; + import java.io.ByteArrayInputStream; import java.io.IOException; import java.nio.charset.StandardCharsets; +import java.util.HashMap; import java.util.Map; /** @@ -32,16 +35,22 @@ public class XssHttpServletRequestWrapper extends HttpServletRequestWrapper { @Override public String getParameter(String name) { String value = super.getParameter(name); - if (value != null) { - return HtmlUtil.cleanHtmlTag(value).trim(); + if (value == null) { + return null; } - return value; + return HtmlUtil.cleanHtmlTag(value).trim(); } @Override public Map getParameterMap() { Map valueMap = super.getParameterMap(); - for (Map.Entry entry : valueMap.entrySet()) { + if (MapUtil.isEmpty(valueMap)) { + return valueMap; + } + // 避免某些容器不允许改参数的情况 copy一份重新改 + Map map = new HashMap<>(valueMap.size()); + map.putAll(valueMap); + for (Map.Entry entry : map.entrySet()) { String[] values = entry.getValue(); if (values != null) { int length = values.length; @@ -50,25 +59,25 @@ public class XssHttpServletRequestWrapper extends HttpServletRequestWrapper { // 防xss攻击和过滤前后空格 escapseValues[i] = HtmlUtil.cleanHtmlTag(values[i]).trim(); } - valueMap.put(entry.getKey(), escapseValues); + map.put(entry.getKey(), escapseValues); } } - return valueMap; + return map; } @Override public String[] getParameterValues(String name) { String[] values = super.getParameterValues(name); - if (values != null) { - int length = values.length; - String[] escapseValues = new String[length]; - for (int i = 0; i < length; i++) { - // 防xss攻击和过滤前后空格 - escapseValues[i] = HtmlUtil.cleanHtmlTag(values[i]).trim(); - } - return escapseValues; + if (ArrayUtil.isEmpty(values)) { + return values; } - return values; + int length = values.length; + String[] escapseValues = new String[length]; + for (int i = 0; i < length; i++) { + // 防xss攻击和过滤前后空格 + escapseValues[i] = HtmlUtil.cleanHtmlTag(values[i]).trim(); + } + return escapseValues; } @Override