
chore: xxs Optimization

master
wangxiang 2 years ago
parent
commit
a400e021df
No known key found for this signature in database
GPG Key ID: 1BA7946AB6B232E4
  1. 6
      kicc-common/kicc-common-core/src/main/java/com/cloud/kicc/common/core/util/HTMLFilterUtil.java
  2. 20
      kicc-common/kicc-common-security/src/main/java/com/cloud/kicc/common/security/xss/XssHttpServletRequestWrapper.java

6
kicc-common/kicc-common-core/src/main/java/com/cloud/kicc/common/core/util/HTMLFilterUtil.java

@ -408,7 +408,7 @@ public final class HTMLFilterUtil { @@ -408,7 +408,7 @@ public final class HTMLFilterUtil {
Matcher m = P_ENTITY.matcher(s);
while (m.find()) {
final String match = m.group(1);
final int decimal = Integer.decode(match).intValue();
final int decimal = Integer.decode(match);
m.appendReplacement(buf, Matcher.quoteReplacement(chr(decimal)));
}
m.appendTail(buf);
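Review bot: `Integer.decode(match)` on the new side still throws NumberFormatException when the entity body does not fit an int (a long digit run is enough), so one malformed entity in untrusted input aborts the whole filter instead of being neutralised; the same holds for `Integer.parseInt(match, 16)` in the hunks at 418 and 428. Catching it per match keeps the sanitizer total, e.g. `try { decimal = Integer.decode(match); } catch (NumberFormatException e) { m.appendReplacement(buf, ""); continue; }`, using whatever replacement the surrounding filter applies to rejected entities. Whether `decode` can also see a `0x`, `#` or sign prefix depends on `P_ENTITY`, which is defined outside the hunk; if the captured group is digits only, `Integer.parseInt(match)` is the narrower call. The enclosing method starts and ends outside the hunk.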
@ -418,7 +418,7 @@ public final class HTMLFilterUtil { @@ -418,7 +418,7 @@ public final class HTMLFilterUtil {
m = P_ENTITY_UNICODE.matcher(s);
while (m.find()) {
final String match = m.group(1);
final int decimal = Integer.valueOf(match, 16).intValue();
final int decimal = Integer.parseInt(match, 16);
m.appendReplacement(buf, Matcher.quoteReplacement(chr(decimal)));
}
m.appendTail(buf);
@ -428,7 +428,7 @@ public final class HTMLFilterUtil { @@ -428,7 +428,7 @@ public final class HTMLFilterUtil {
m = P_ENCODE.matcher(s);
while (m.find()) {
final String match = m.group(1);
final int decimal = Integer.valueOf(match, 16).intValue();
final int decimal = Integer.parseInt(match, 16);
m.appendReplacement(buf, Matcher.quoteReplacement(chr(decimal)));
}
m.appendTail(buf);

20
kicc-common/kicc-common-security/src/main/java/com/cloud/kicc/common/security/xss/XssHttpServletRequestWrapper.java

@ -17,6 +17,7 @@ import java.io.IOException; @@ -17,6 +17,7 @@ import java.io.IOException;
/**
*<p>
* 扩展 Security 默认 StrictHttpFirewallXSS脚本攻击过滤
* XSSsql过滤处理
*</p>
*
@ -26,10 +27,11 @@ import java.io.IOException; @@ -26,10 +27,11 @@ import java.io.IOException;
@Slf4j
public class XssHttpServletRequestWrapper extends HttpServletRequestWrapper {
private static String[] SQL_KEYWORDS = {"master", "truncate", "insert", "select"
private static final String[] SQL_KEYWORDS = {"master", "truncate", "insert", "select"
, "delete", "update", "declare", "alter", "drop", "sleep"};
// sql 替换字符
private static String REPLACE_STR = "";
private static final String REPLACE_STR = "";
/**
* @param request
@ -43,18 +45,22 @@ public class XssHttpServletRequestWrapper extends HttpServletRequestWrapper { @@ -43,18 +45,22 @@ public class XssHttpServletRequestWrapper extends HttpServletRequestWrapper {
String[] values = super.getParameterValues(name);
if (values != null) {
int length = values.length;
String[] escapseValues = new String[length];
String[] escapeValues = new String[length];
for (int i = 0; i < length; i++) {
// 防xss攻击和过滤前后空格
escapseValues[i] = HtmlUtil.filter(values[i]).trim();
// 防xss攻击和过滤html相关脚本
escapeValues[i] = HtmlUtil.filter(values[i]).trim();
// 防sql注入
escapseValues[i] = cleanSqlKeyWords(escapseValues[i]);
escapeValues[i] = cleanSqlKeyWords(escapeValues[i]);
}
return escapseValues;
return escapeValues;
}
return super.getParameterValues(name);
}
public static void main(String[] args) {
System.out.println(new HTMLFilterUtil().filter("<p>123</p>").trim());
}
private String cleanSqlKeyWords(String value) {
String paramValue = value;
for (String keyword : SQL_KEYWORDS) {
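Review bot: `cleanSqlKeyWords` (its body continues outside the hunk) presumably replaces each listed word with the empty `REPLACE_STR`, so it alters legitimate input such as a user named "Master" or a note containing "update", while a keyword deny-list is inherently incomplete and gives little protection anywhere a value is still concatenated into SQL; the rename to `escapeValues` leaves that design untouched. It should be treated as defence-in-depth only, with parameterised queries at the data layer as the actual control, and a Javadoc line on the method such as `/** Best-effort keyword scrubbing; not a substitute for PreparedStatement parameters. */` would make that explicit to callers. In `getParameterValues`, the fall-through `return super.getParameterValues(name);` re-queries the request after `values` was already found to be null; `return values;` is equivalent if the underlying request is stable and avoids the second call.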
