From 11e1934d04ab4e3c560e2c1b116264a4b48fd4e4 Mon Sep 17 00:00:00 2001
From: thinkgem
Date: Thu, 27 May 2021 19:52:15 +0800
Subject: [PATCH] =?UTF-8?q?xssFilter=E5=92=8CsqlFilter=E5=A2=9E=E5=8A=A0?=
 =?UTF-8?q?=E9=99=84=E5=8A=A0=E5=8F=82=E6=95=B0=EF=BC=8C=E6=96=B9=E4=BE=BF?=
 =?UTF-8?q?=E8=BF=BD=E8=B8=AA=E8=B0=83=E7=94=A8=E6=9D=A5=E6=BA=90?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 .../com/jeesite/common/codec/EncodeUtils.java | 21 +++++++++++++++++--
 .../com/jeesite/common/network/IpUtils.java | 2 +-
 .../filter/FormAuthenticationFilter.java | 2 +-
 .../jeesite/modules/sys/utils/LogUtils.java | 2 +-
 4 files changed, 22 insertions(+), 5 deletions(-)

diff --git a/common/src/main/java/com/jeesite/common/codec/EncodeUtils.java b/common/src/main/java/com/jeesite/common/codec/EncodeUtils.java
index ae012cc0..90fcbacc 100644
--- a/common/src/main/java/com/jeesite/common/codec/EncodeUtils.java
+++ b/common/src/main/java/com/jeesite/common/codec/EncodeUtils.java
@@ -12,6 +12,8 @@ import java.util.List;
 import java.util.regex.Matcher;
 import java.util.regex.Pattern;
 
+import javax.servlet.http.HttpServletRequest;
+
 import org.apache.commons.codec.DecoderException;
 import org.apache.commons.codec.binary.Base64;
 import org.apache.commons.codec.binary.Hex;
@@ -201,12 +203,20 @@ public class EncodeUtils {
 Pattern.compile("(eval\\((.*?)\\)|xpression\\((.*?)\\))", Pattern.CASE_INSENSITIVE),
 Pattern.compile("^(javascript:|vbscript:)", Pattern.CASE_INSENSITIVE)
 );
-
+
 /**
 * XSS 非法字符过滤,内容以开头的用以下规则(保留标签)
 * @author ThinkGem
 */
 public static String xssFilter(String text) {
+ return xssFilter(text, null);
+ }
+
+ /**
+ * XSS 非法字符过滤,内容以开头的用以下规则(保留标签)
+ * @author ThinkGem
+ */
+ public static String xssFilter(String text, HttpServletRequest request) {
 String oriValue = StringUtils.trim(text);
 if (text != null){
 String value = oriValue;
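Review bot: The new `xssFilter(String text, HttpServletRequest request)` overload declares `request` but, within the lines shown, never reads it, and its Javadoc is a verbatim copy of the one-argument version with no `@param` for the new argument; since the commit message says the parameter exists to trace the call site, that contract belongs in the doc, e.g. `@param request the originating request, used only to identify the caller when a filtered value is reported; may be null`. Importing `javax.servlet.http.HttpServletRequest` into `common.codec.EncodeUtils` also ties a general-purpose codec utility to the Servlet API, while the sibling `sqlFilter` overload in this same commit takes a plain `String source` — choosing one representation for both (a `String` caller tag would need no servlet dependency) would keep the two APIs symmetric. The body of the new overload continues past the end of the hunk, so the parameter may be used further down; if so the Javadoc should still say how.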
@@ -265,12 +275,19 @@ public class EncodeUtils {
 "(?:')|(?:--)|(/\\*(?:.|[\\n\\r])*?\\*/)|((extractvalue|updatexml)([\\s]*?)\\()|" +
 "(\\b(select|update|and|or|delete|insert|trancate|char|into|substr|ascii|declare|exec|count|master|into|drop|execute|case when|sleep|union|load_file)\\b)",
 Pattern.CASE_INSENSITIVE);
-
+
 /**
 * SQL过滤,防止注入,传入参数输入有select相关代码,替换空。
 * @author ThinkGem
 */
 public static String sqlFilter(String text){
+ return sqlFilter(text, null);
+ }
+ /**
+ * SQL过滤,防止注入,传入参数输入有select相关代码,替换空。
+ * @author ThinkGem
+ */
+ public static String sqlFilter(String text, String source){
 if (text != null){
 String value = text;
 Matcher matcher = sqlPattern.matcher(value);
diff --git a/common/src/main/java/com/jeesite/common/network/IpUtils.java b/common/src/main/java/com/jeesite/common/network/IpUtils.java
index 4c9cdb4f..b128b17d 100644
--- a/common/src/main/java/com/jeesite/common/network/IpUtils.java
+++ b/common/src/main/java/com/jeesite/common/network/IpUtils.java
@@ -27,7 +27,7 @@ public class IpUtils {
 ip = request.getRemoteAddr();
 }
 if (StringUtils.isNotBlank(ip)){
- ip = EncodeUtils.xssFilter(ip);
+ ip = EncodeUtils.xssFilter(ip, request);
 ip = StringUtils.split(ip, ",")[0];
 }
 if (StringUtils.isBlank(ip)){
diff --git a/modules/core/src/main/java/com/jeesite/common/shiro/filter/FormAuthenticationFilter.java b/modules/core/src/main/java/com/jeesite/common/shiro/filter/FormAuthenticationFilter.java
index 3c89fc47..3d926346 100644
--- a/modules/core/src/main/java/com/jeesite/common/shiro/filter/FormAuthenticationFilter.java
+++ b/modules/core/src/main/java/com/jeesite/common/shiro/filter/FormAuthenticationFilter.java
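Review bot: The added `sqlFilter(String text, String source)` overload takes a `source` argument that, as far as the hunk shows, is never read, and the copied Javadoc does not say what a caller should pass; document it (`@param source short tag naming the caller, for diagnostics only; may be null`) or hold the parameter back until the tracing it is meant to support is actually wired in. While here, the keyword list in the context lines spells `trancate`, so a `truncate` statement is never matched, and entries such as `and`, `or` and `char` are stripped from ordinary prose — both are reminders that this blacklist is a secondary measure and parameterized queries remain the real defense. The method body continues past the end of the hunk.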
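Review bot: The value passed to `xssFilter(ip, request)` is a header-derived address list, and after `StringUtils.split(ip, ",")[0]` the first element is accepted as-is, so anything that is not a syntactically valid IP literal (and, if this `split` does not trim, a leading space from the usual `", "` separator) still becomes the remote address used for logging and any downstream checks; a strict IPv4/IPv6 literal check on the chosen token, falling back to `request.getRemoteAddr()` when it fails, is a more appropriate guard here than an XSS regex. Whether the forwarded headers read above this hunk are only honoured behind a trusted proxy is not visible from here and is worth confirming. The enclosing method begins before the hunk.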
@@ -115,7 +115,7 @@ public class FormAuthenticationFilter extends org.apache.shiro.web.filter.authc.
 }
 // 登录时判断是否需要记住用户名
 if (WebUtils.isTrue(request, REMEMBER_USERCODE_PARAM)) {
- rememberUserCodeCookie.setValue(EncodeUtils.encodeUrl(EncodeUtils.xssFilter(username)));
+ rememberUserCodeCookie.setValue(EncodeUtils.encodeUrl(EncodeUtils.xssFilter(username, (HttpServletRequest)request)));
 rememberUserCodeCookie.saveTo((HttpServletRequest)request, (HttpServletResponse)response);
 } else {
 rememberUserCodeCookie.removeFrom((HttpServletRequest)request, (HttpServletResponse)response);
diff --git a/modules/core/src/main/java/com/jeesite/modules/sys/utils/LogUtils.java b/modules/core/src/main/java/com/jeesite/modules/sys/utils/LogUtils.java
index fa59ab63..51c4e726 100644
--- a/modules/core/src/main/java/com/jeesite/modules/sys/utils/LogUtils.java
+++ b/modules/core/src/main/java/com/jeesite/modules/sys/utils/LogUtils.java
@@ -94,7 +94,7 @@ public class LogUtils {
 }
 log.setServerAddr(request.getScheme() + "://" + request.getServerName() + ":" + request.getServerPort());
 log.setRemoteAddr(IpUtils.getRemoteAddr(request));
- log.setUserAgent(EncodeUtils.xssFilter(request.getHeader("User-Agent")));
+ log.setUserAgent(EncodeUtils.xssFilter(request.getHeader("User-Agent"), request));
 UserAgent userAgent = UserAgent.parseUserAgentString(log.getUserAgent());
 log.setDeviceName(userAgent.getOperatingSystem().getName());
 log.setBrowserName(userAgent.getBrowser().getName());
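Review bot: The changed line adds yet another `(HttpServletRequest)request` cast next to the ones already on the `saveTo` and `removeFrom` lines, so the same cast now appears three times in four lines; hoisting it once before the `if`, `HttpServletRequest httpRequest = (HttpServletRequest) request;`, keeps the `setValue` expression readable. Separately, the username stored in the remembered-user cookie is only blacklist-filtered and URL-encoded here, which does not make it safe to render; wherever this cookie is read back and displayed still needs proper output encoding. The enclosing method starts before the hunk.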
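Review bot: `request.getHeader("User-Agent")` is attacker-controlled and unbounded, and the changed line hands it straight to the XSS regex filter, then to `log.setUserAgent` and `UserAgent.parseUserAgentString`; capping its length before both steps — e.g. `String ua = StringUtils.abbreviate(request.getHeader("User-Agent"), 500);` if the project's `StringUtils` exposes commons-lang's `abbreviate`, with the limit matched to the log column — bounds regex work per request and avoids a persistence failure on an oversized value. The header may also be absent (`getHeader` returns null), and whether `xssFilter` and `parseUserAgentString` both tolerate null is not visible in this hunk, so that path deserves a quick check. The enclosing method starts before the hunk.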