|
|
|
@ -5,6 +5,9 @@ import com.huoran.iasf.common.exception.BusinessException; |
|
|
|
import com.huoran.iasf.common.exception.code.BaseResponseCode; |
|
|
|
import com.huoran.iasf.common.exception.code.BaseResponseCode; |
|
|
|
import lombok.extern.slf4j.Slf4j; |
|
|
|
import lombok.extern.slf4j.Slf4j; |
|
|
|
import org.apache.commons.lang3.StringUtils; |
|
|
|
import org.apache.commons.lang3.StringUtils; |
|
|
|
|
|
|
|
import org.jsoup.Jsoup; |
|
|
|
|
|
|
|
import org.jsoup.nodes.Document; |
|
|
|
|
|
|
|
import org.jsoup.safety.Safelist; |
|
|
|
|
|
|
|
|
|
|
|
import javax.servlet.ReadListener; |
|
|
|
import javax.servlet.ReadListener; |
|
|
|
import javax.servlet.ServletInputStream; |
|
|
|
import javax.servlet.ServletInputStream; |
|
|
|
@ -175,12 +178,35 @@ public class XssHttpServletRequestWrapper extends HttpServletRequestWrapper { |
|
|
|
}; |
|
|
|
}; |
|
|
|
} |
|
|
|
} |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
public String cleanXSS(String src) { |
|
|
|
|
|
|
|
if (StringUtils.isBlank(src)) { |
|
|
|
|
|
|
|
return src; |
|
|
|
|
|
|
|
} |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
// 创建一个允许的HTML标签和属性的Safelist
|
|
|
|
|
|
|
|
Safelist safelist = Safelist.relaxed() // 允许大多数基本的HTML标签和属性
|
|
|
|
|
|
|
|
.addTags("img") // 添加额外的标签,如img(记得添加允许的属性,如src和alt)
|
|
|
|
|
|
|
|
.addAttributes("*", "class") // 允许所有标签使用"class"属性
|
|
|
|
|
|
|
|
.addAttributes("img", "src", "alt") // 允许img标签的src和alt属性
|
|
|
|
|
|
|
|
.addProtocols("img", "src", "http", "https") // 只允许http和https协议的src
|
|
|
|
|
|
|
|
; // 移除协议相对URL,避免安全问题
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
// 使用JSoup进行清理
|
|
|
|
|
|
|
|
Document document = Jsoup.parseBodyFragment(src, ""); // 解析HTML片段
|
|
|
|
|
|
|
|
document.outputSettings(new Document.OutputSettings().prettyPrint(false)); // 禁止美化输出,保持原始结构
|
|
|
|
|
|
|
|
String html = document.html(); |
|
|
|
|
|
|
|
String clean = Jsoup.clean(html, "", safelist);// 使用Safelist进行清理
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
return clean; // 返回清理后的HTML字符串
|
|
|
|
|
|
|
|
} |
|
|
|
|
|
|
|
|
|
|
|
/** |
|
|
|
/** |
|
|
|
* 清除xss |
|
|
|
* 清除xss |
|
|
|
* @param src 单个参数 |
|
|
|
* @param src 单个参数 |
|
|
|
* @return |
|
|
|
* @return |
|
|
|
*/ |
|
|
|
*/ |
|
|
|
public String cleanXSS(String src) { |
|
|
|
/*public String cleanXSS(String src) { |
|
|
|
if(StringUtils.isBlank(src)){ |
|
|
|
if(StringUtils.isBlank(src)){ |
|
|
|
return src; |
|
|
|
return src; |
|
|
|
} |
|
|
|
} |
|
|
|
@ -202,7 +228,7 @@ public class XssHttpServletRequestWrapper extends HttpServletRequestWrapper { |
|
|
|
} |
|
|
|
} |
|
|
|
|
|
|
|
|
|
|
|
return src; |
|
|
|
return src; |
|
|
|
} |
|
|
|
}*/ |
|
|
|
|
|
|
|
|
|
|
|
/** |
|
|
|
/** |
|
|
|
* 过滤sql注入 -- 需要增加通配,过滤大小写组合 |
|
|
|
* 过滤sql注入 -- 需要增加通配,过滤大小写组合 |
|
|
|
@ -213,12 +239,19 @@ public class XssHttpServletRequestWrapper extends HttpServletRequestWrapper { |
|
|
|
if(StringUtils.isBlank(src)){ |
|
|
|
if(StringUtils.isBlank(src)){ |
|
|
|
return src; |
|
|
|
return src; |
|
|
|
} |
|
|
|
} |
|
|
|
|
|
|
|
String cleanedText = Jsoup.clean(src, Safelist.basic()); |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
String SQL_KEYWORD_PATTERN = |
|
|
|
|
|
|
|
"(?i)(?:(?!<[^>]*?>))((select|update|insert|delete|drop|create|alter|exec|union|table|database)[^a-zA-Z0-9])"; |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
// 过滤SQL关键字
|
|
|
|
|
|
|
|
cleanedText = cleanedText.replaceAll(SQL_KEYWORD_PATTERN, ""); |
|
|
|
// 非法sql注入正则
|
|
|
|
// 非法sql注入正则
|
|
|
|
Pattern sqlPattern = Pattern.compile(badStrReg, Pattern.CASE_INSENSITIVE); |
|
|
|
// Pattern sqlPattern = Pattern.compile(badStrReg, Pattern.CASE_INSENSITIVE);
|
|
|
|
if (sqlPattern.matcher(src.toLowerCase()).find()) { |
|
|
|
// if (sqlPattern.matcher(src.toLowerCase()).find()) {
|
|
|
|
log.error("sql注入检查:输入信息存在SQL攻击!"); |
|
|
|
// log.error("sql注入检查:输入信息存在SQL攻击!");
|
|
|
|
throw new BusinessException(BaseResponseCode.SQL_FILTER); |
|
|
|
// throw new BusinessException(BaseResponseCode.SQL_FILTER);
|
|
|
|
} |
|
|
|
// }
|
|
|
|
return src; |
|
|
|
return cleanedText; |
|
|
|
} |
|
|
|
} |
|
|
|
} |
|
|
|
} |
