增加参数 web.xssFilterExcludeUri
@@ -222,6 +222,10 @@ public class EncodeUtils {
|
|||||||
* @author ThinkGem
|
* @author ThinkGem
|
||||||
*/
|
*/
|
||||||
public static String xssFilter(String text, HttpServletRequest request) {
|
public static String xssFilter(String text, HttpServletRequest request) {
|
||||||
|
request = (request != null ? request : ServletUtils.getRequest());
|
||||||
|
if (request != null && StringUtils.containsAny(request.getRequestURI(), ServletUtils.XSS_FILE_EXCLUDE_URI)) {
|
||||||
|
return text;
|
||||||
|
}
|
||||||
String oriValue = StringUtils.trim(text);
|
String oriValue = StringUtils.trim(text);
|
||||||
if (text != null){
|
if (text != null){
|
||||||
String value = oriValue;
|
String value = oriValue;
|
||||||
@@ -237,8 +241,6 @@ public class EncodeUtils {
|
|||||||
&& !StringUtils.contains(value, "id=\"FormHtml\"") // JFlow
|
&& !StringUtils.contains(value, "id=\"FormHtml\"") // JFlow
|
||||||
&& !(StringUtils.startsWith(value, "{") && StringUtils.endsWith(value, "}")) // JSON Object
|
&& !(StringUtils.startsWith(value, "{") && StringUtils.endsWith(value, "}")) // JSON Object
|
||||||
&& !(StringUtils.startsWith(value, "[") && StringUtils.endsWith(value, "]")) // JSON Array
|
&& !(StringUtils.startsWith(value, "[") && StringUtils.endsWith(value, "]")) // JSON Array
|
||||||
&& !(StringUtils.containsAny((request != null ? request : ServletUtils.getRequest())
|
|
||||||
.getRequestURI(), "/ureport/", "/visual/")) // UReport、Visual
|
|
||||||
){
|
){
|
||||||
StringBuilder sb = new StringBuilder();
|
StringBuilder sb = new StringBuilder();
|
||||||
for (int i = 0; i < value.length(); i++) {
|
for (int i = 0; i < value.length(); i++) {
|
||||||
@@ -293,6 +295,7 @@ public class EncodeUtils {
|
|||||||
public static String sqlFilter(String text){
|
public static String sqlFilter(String text){
|
||||||
return sqlFilter(text, "common");
|
return sqlFilter(text, "common");
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* SQL过滤,防止注入,传入参数输入有select相关代码,替换空。
|
* SQL过滤,防止注入,传入参数输入有select相关代码,替换空。
|
||||||
* @author ThinkGem
|
* @author ThinkGem
|
||||||
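Review bot: The new exclusion in xssFilter, `if (request != null && StringUtils.containsAny(request.getRequestURI(), ServletUtils.XSS_FILE_EXCLUDE_URI))`, matches the configured strings anywhere in the raw request URI, so any request whose URI merely contains `/ureport/` or `/visual/` — including, on servlet containers that keep path parameters in getRequestURI(), a crafted `/sys/user/save;/ureport/` that is routed to a different controller — returns the input unfiltered, and because this is now the first statement of the method, whatever else xssFilter does below the hunk is skipped too. Match the exclusions as path prefixes of a normalised path instead, e.g. `String path = StringUtils.substringBefore(StringUtils.removeStart(request.getRequestURI(), request.getContextPath()), ";");` followed by `if (StringUtils.startsWithAny(path, ServletUtils.XSS_FILE_EXCLUDE_URI)) return text;` (assuming the project StringUtils extends commons-lang3, as the calls on these lines suggest), and state in the Javadoc above that an excluded URI receives no escaping at all. Note also that the early return hands back `text` untrimmed, whereas the removed in-condition exclusion fell through with `oriValue = StringUtils.trim(text)`; whether callers previously received the trimmed value cannot be seen from here, since the remainder of xssFilter lies outside the hunk.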
|
|||||||
@@ -38,6 +38,9 @@ public class ServletUtils {
|
|||||||
private static final String[] STATIC_FILE = StringUtils.splitComma(PROPS.getProperty("web.staticFile"));
|
private static final String[] STATIC_FILE = StringUtils.splitComma(PROPS.getProperty("web.staticFile"));
|
||||||
private static final String[] STATIC_FILE_EXCLUDE_URI = StringUtils.splitComma(PROPS.getProperty("web.staticFileExcludeUri"));
|
private static final String[] STATIC_FILE_EXCLUDE_URI = StringUtils.splitComma(PROPS.getProperty("web.staticFileExcludeUri"));
|
||||||
|
|
||||||
|
// XSS 过滤器要排除的URI地址
|
||||||
|
public static final String[] XSS_FILE_EXCLUDE_URI = StringUtils.splitComma(PROPS.getProperty("web.xssFilterExcludeUri"));
|
||||||
|
|
||||||
// AJAX 请求参数和请求头名
|
// AJAX 请求参数和请求头名
|
||||||
public static final String AJAX_PARAM_NAME = PROPS.getProperty("web.ajaxParamName", "__ajax");
|
public static final String AJAX_PARAM_NAME = PROPS.getProperty("web.ajaxParamName", "__ajax");
|
||||||
public static final String AJAX_HEADER_NAME = PROPS.getProperty("web.ajaxHeaderName", "x-ajax");
|
public static final String AJAX_HEADER_NAME = PROPS.getProperty("web.ajaxHeaderName", "x-ajax");
|
||||||
@@ -125,13 +128,9 @@ public class ServletUtils {
|
|||||||
e.printStackTrace();
|
e.printStackTrace();
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
if (STATIC_FILE_EXCLUDE_URI != null){
|
if (StringUtils.containsAny(uri, STATIC_FILE_EXCLUDE_URI)) {
|
||||||
for (String s : STATIC_FILE_EXCLUDE_URI){
|
|
||||||
if (StringUtils.contains(uri, s)){
|
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
}
|
|
||||||
}
|
|
||||||
if (StringUtils.endsWithAny(uri, STATIC_FILE)){
|
if (StringUtils.endsWithAny(uri, STATIC_FILE)){
|
||||||
return true;
|
return true;
|
||||||
}
|
}
|
||||||
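Review bot: The new constant `public static final String[] XSS_FILE_EXCLUDE_URI = StringUtils.splitComma(PROPS.getProperty("web.xssFilterExcludeUri"));` is fed straight into a substring match in EncodeUtils.xssFilter, so any blank element in the split result — an empty `web.xssFilterExcludeUri`, a trailing comma — would, if `containsAny` behaves as in commons-lang3 where `contains(cs, "")` is true, match every request URI and silently turn the XSS filter off site-wide; I cannot see whether splitComma drops blanks or returns null for a missing property, so it should be made explicit, e.g. `... = Arrays.stream(StringUtils.splitComma(PROPS.getProperty("web.xssFilterExcludeUri"))).filter(StringUtils::isNotBlank).toArray(String[]::new);` (with `java.util.Arrays` imported and a null guard if splitComma can return null), plus a comment that entries are matched as substrings of the request URI. The array is also a public mutable field, so any code with access to the class can overwrite an element at runtime and widen the exemption; exposing it as an unmodifiable List or keeping it private behind an accessor would close that. Finally, the name reads as a copy of `STATIC_FILE_EXCLUDE_URI`; `XSS_FILTER_EXCLUDE_URI` would match the property it reads.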
|
|||||||
@@ -646,6 +646,9 @@ web:
|
|||||||
# 严格模式(更严格的数据安全验证)
|
# 严格模式(更严格的数据安全验证)
|
||||||
strictMode: false
|
strictMode: false
|
||||||
|
|
||||||
|
# 所有请求信息将进行xss过滤,这里列出不被xss过滤的地址
|
||||||
|
xssFilterExcludeUri: /ureport/,/visual/
|
||||||
|
|
||||||
# 自定义正则表达式验证(主键、登录名)
|
# 自定义正则表达式验证(主键、登录名)
|
||||||
validator:
|
validator:
|
||||||
id: '[a-zA-Z0-9_\-/#\u4e00-\u9fa5]{0,64}'
|
id: '[a-zA-Z0-9_\-/#\u4e00-\u9fa5]{0,64}'
|
||||||
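Review bot: The comment on the new key, `# 所有请求信息将进行xss过滤,这里列出不被xss过滤的地址`, does not say how entries are matched; in this commit EncodeUtils.xssFilter applies them with `StringUtils.containsAny` against the raw request URI, so an entry matches wherever it appears in the path, and a short entry such as `/api` would also exempt `/a/sys/api_key/save`. Suggest extending the comment to `# URIs excluded from XSS filtering; matched as substrings of the request URI, so list full path segments with leading and trailing slashes (e.g. /ureport/). Excluded requests receive no escaping at all.` so operators keep the entries specific and the list short.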
|
|||||||
@@ -787,6 +787,9 @@ web:
|
|||||||
# # 严格模式(更严格的数据安全验证)
|
# # 严格模式(更严格的数据安全验证)
|
||||||
# strictMode: false
|
# strictMode: false
|
||||||
#
|
#
|
||||||
|
# # 所有请求信息将进行xss过滤,这里列出不被xss过滤的地址
|
||||||
|
# xssFilterExcludeUri: /ureport/,/visual/
|
||||||
|
#
|
||||||
# # 自定义正则表达式验证(主键、登录名)
|
# # 自定义正则表达式验证(主键、登录名)
|
||||||
# validator:
|
# validator:
|
||||||
# id: '[a-zA-Z0-9_\-/#\u4e00-\u9fa5]{0,64}'
|
# id: '[a-zA-Z0-9_\-/#\u4e00-\u9fa5]{0,64}'
|
||||||
|
|||||||
@@ -787,6 +787,9 @@ web:
|
|||||||
# # 严格模式(更严格的数据安全验证)
|
# # 严格模式(更严格的数据安全验证)
|
||||||
# strictMode: false
|
# strictMode: false
|
||||||
#
|
#
|
||||||
|
# # 所有请求信息将进行xss过滤,这里列出不被xss过滤的地址
|
||||||
|
# xssFilterExcludeUri: /ureport/,/visual/
|
||||||
|
#
|
||||||
# # 自定义正则表达式验证(主键、登录名)
|
# # 自定义正则表达式验证(主键、登录名)
|
||||||
# validator:
|
# validator:
|
||||||
# id: '[a-zA-Z0-9_\-/#\u4e00-\u9fa5]{0,64}'
|
# id: '[a-zA-Z0-9_\-/#\u4e00-\u9fa5]{0,64}'
|
||||||
|
|||||||