From 11dc060eadf0fcc632ee13335d11c5da0b4e55e8 Mon Sep 17 00:00:00 2001 From: cheney <1251790704@qq.com> Date: Tue, 4 Jun 2024 16:24:08 +0800 Subject: [PATCH] =?UTF-8?q?=E4=B8=AD=E6=96=87=E8=A7=A3=E7=A0=81=E9=97=AE?= =?UTF-8?q?=E9=A2=98=E5=A4=84=E7=90=86?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../iasf/common/config/WebMvcConfigurer.java | 2 +- .../filter/XssHttpServletRequestWrapper.java | 49 ++++++++++++++++--- 2 files changed, 42 insertions(+), 9 deletions(-) diff --git a/src/main/java/com/huoran/iasf/common/config/WebMvcConfigurer.java b/src/main/java/com/huoran/iasf/common/config/WebMvcConfigurer.java index dc42596..4c5a9e0 100644 --- a/src/main/java/com/huoran/iasf/common/config/WebMvcConfigurer.java +++ b/src/main/java/com/huoran/iasf/common/config/WebMvcConfigurer.java @@ -50,7 +50,7 @@ public class WebMvcConfigurer extends WebMvcConfigurationSupport { // corsConfiguration.addAllowedOrigin("*"); // 允许任何头 corsConfiguration.addAllowedOrigin("https://new.iasf.ac.cn"); //允许信任域名 corsConfiguration.addAllowedOrigin("https://www.iasf.ac.cn"); //允许信任域名 -// corsConfiguration.addAllowedOrigin("http://192.168.31.125:8095"); //允许信任域名 + corsConfiguration.addAllowedOrigin("http://192.168.31.125:8095"); //允许信任域名 corsConfiguration.addAllowedOrigin("http://192.168.31.125:8088"); //允许信任域名 corsConfiguration.addAllowedOrigin("http://10.10.11.7"); //允许信任域名 corsConfiguration.addAllowedMethod("*"); // 允许任何方法(post、get等) diff --git a/src/main/java/com/huoran/iasf/common/filter/XssHttpServletRequestWrapper.java b/src/main/java/com/huoran/iasf/common/filter/XssHttpServletRequestWrapper.java index f40a4bb..3cfbd7d 100644 --- a/src/main/java/com/huoran/iasf/common/filter/XssHttpServletRequestWrapper.java +++ b/src/main/java/com/huoran/iasf/common/filter/XssHttpServletRequestWrapper.java 
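Review bot: The commit re-enables the previously disabled LAN origin `http://192.168.31.125:8095` in the hard-coded allowed-origin list, which has nothing to do with the subject of the commit (Chinese decoding handling) and so looks like a local debugging change that rode along. Every origin in this list is trusted in whatever environment the build is deployed to; the list already mixes public https sites with plain-http private addresses, and keeping per-developer addresses out of source (for example by loading the origins from environment-specific configuration) avoids toggling comments in a shared file. Whether credentials are allowed on this CORS configuration is not visible in the hunk; if they are, each additional origin, especially an unencrypted one, widens what a page on that origin can do with a user's session. The enclosing method continues outside the hunk.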
@@ -5,6 +5,9 @@ import com.huoran.iasf.common.exception.BusinessException; import com.huoran.iasf.common.exception.code.BaseResponseCode; import lombok.extern.slf4j.Slf4j; import org.apache.commons.lang3.StringUtils; +import org.jsoup.Jsoup; +import org.jsoup.nodes.Document; +import org.jsoup.safety.Safelist; import javax.servlet.ReadListener; import javax.servlet.ServletInputStream; @@ -175,12 +178,35 @@ public class XssHttpServletRequestWrapper extends HttpServletRequestWrapper { }; } + + public String cleanXSS(String src) { + if (StringUtils.isBlank(src)) { + return src; + } + + // 创建一个允许的HTML标签和属性的Safelist + Safelist safelist = Safelist.relaxed() // 允许大多数基本的HTML标签和属性 + .addTags("img") // 添加额外的标签,如img(记得添加允许的属性,如src和alt) + .addAttributes("*", "class") // 允许所有标签使用"class"属性 + .addAttributes("img", "src", "alt") // 允许img标签的src和alt属性 + .addProtocols("img", "src", "http", "https") // 只允许http和https协议的src + ; // 移除协议相对URL,避免安全问题 + + // 使用JSoup进行清理 + Document document = Jsoup.parseBodyFragment(src, ""); // 解析HTML片段 + document.outputSettings(new Document.OutputSettings().prettyPrint(false)); // 禁止美化输出,保持原始结构 + String html = document.html(); + String clean = Jsoup.clean(html, "", safelist);// 使用Safelist进行清理 + + return clean; // 返回清理后的HTML字符串 + } + /** * 清除xss * @param src 单个参数 * @return */ - public String cleanXSS(String src) { + /*public String cleanXSS(String src) { if(StringUtils.isBlank(src)){ return src; } @@ -202,7 +228,7 @@ public class XssHttpServletRequestWrapper extends HttpServletRequestWrapper { } return src; - } + }*/ /** * 过滤sql注入 -- 需要增加通配,过滤大小写组合 
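Review bot: The three new `org.jsoup` imports introduce a third-party dependency, but the diffstat lists only the two Java files, so no build descriptor is part of this patch; either jsoup is already declared in the build or this commit does not compile on a clean checkout, which is worth confirming before merge. If it is being added now, pin its version in the same commit so the sanitizer behaviour is reproducible across builds.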
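Review bot: In the new `cleanXSS`, the `prettyPrint(false)` output setting is applied to the intermediate `document`, but `Jsoup.clean(html, "", safelist)` re-parses that string and serialises its own clean document with default settings, so the setting does not reach the returned value (beyond whitespace in the intermediate string) and the `parseBodyFragment`/`document.html()` round trip is dead work; pass the settings to the cleaner and drop the intermediate document: `return Jsoup.clean(src, "", safelist, new Document.OutputSettings().prettyPrint(false));`. Note also that this changes the wrapper's contract compared with the implementation it replaces: the result is HTML that jsoup has normalised and entity-encoded, so plain parameter values containing `<`, `>` or `&` come back altered even when they were never meant to be rendered as HTML, and if the wrapper applies this to every request parameter (the rest of the class is outside the hunk) values that are stored raw or compared verbatim are affected. Finally, the old implementation is commented out rather than deleted (`/*public String cleanXSS ...` here through `}*/` in the next hunk); version control keeps the history, so remove the dead block.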
@@ -213,12 +239,19 @@ public class XssHttpServletRequestWrapper extends HttpServletRequestWrapper { if(StringUtils.isBlank(src)){ return src; } + String cleanedText = Jsoup.clean(src, Safelist.basic()); + + String SQL_KEYWORD_PATTERN = + "(?i)(?:(?!<[^>]*?>))((select|update|insert|delete|drop|create|alter|exec|union|table|database)[^a-zA-Z0-9])"; + + // 过滤SQL关键字 + cleanedText = cleanedText.replaceAll(SQL_KEYWORD_PATTERN, ""); // 非法sql注入正则 - Pattern sqlPattern = Pattern.compile(badStrReg, Pattern.CASE_INSENSITIVE); - if (sqlPattern.matcher(src.toLowerCase()).find()) { - log.error("sql注入检查:输入信息存在SQL攻击!"); - throw new BusinessException(BaseResponseCode.SQL_FILTER); - } - return src; +// Pattern sqlPattern = Pattern.compile(badStrReg, Pattern.CASE_INSENSITIVE); +// if (sqlPattern.matcher(src.toLowerCase()).find()) { +// log.error("sql注入检查:输入信息存在SQL攻击!"); +// throw new BusinessException(BaseResponseCode.SQL_FILTER); +// } + return cleanedText; } } \ No newline at end of file
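Review bot: The rewritten SQL filter silently rewrites user input instead of rejecting it: `cleanedText.replaceAll(SQL_KEYWORD_PATTERN, "")` deletes any occurrence of ordinary words such as "update", "table", "create" or "select" followed by a non-alphanumeric character, so legitimate values ("please update the table") are corrupted before they reach the application, and with the `log.error`/`BusinessException` path commented out an injection attempt no longer produces a log entry or an error response. A keyword blacklist is not a defence against SQL injection — that belongs to parameterised queries at the data-access layer, which this patch does not show — so if a guard is to stay here it should remain fail-closed: keep the `Pattern.compile`/`find()` check with the log and throw rather than returning a modified string. Stylistically the regex should be a `private static final Pattern` rather than a `String` local named like a constant and recompiled by `replaceAll` on every call, and the `Jsoup.clean(src, Safelist.basic())` pre-pass duplicates `cleanXSS` while HTML-encoding the value this method returns. The method's signature is outside the hunk, and if nothing else in the file uses `Pattern` its import is now dead as well.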