xssFilter和sqlFilter增加附加参数，方便追踪调用来源

2021-05-27 19:52:15 +08:00
parent ff04855966
commit 11e1934d04
4 changed files with 22 additions and 5 deletions
--- a/common/src/main/java/com/jeesite/common/codec/EncodeUtils.java
+++ b/common/src/main/java/com/jeesite/common/codec/EncodeUtils.java
@@ -12,6 +12,8 @@ import java.util.List;
 import java.util.regex.Matcher;
 import java.util.regex.Pattern;
 import javax.servlet.http.HttpServletRequest;
 import org.apache.commons.codec.DecoderException;
 import org.apache.commons.codec.binary.Base64;
 import org.apache.commons.codec.binary.Hex;
@@ -201,12 +203,20 @@ public class EncodeUtils {
 			Pattern.compile("(eval\\((.*?)\\)|xpression\\((.*?)\\))", Pattern.CASE_INSENSITIVE),
 			Pattern.compile("^(javascript:|vbscript:)", Pattern.CASE_INSENSITIVE)
 		);
-	
+
 	/**
 	 * XSS 非法字符过滤，内容以<!--HTML-->开头的用以下规则（保留标签）
 	 * @author ThinkGem
 	 */
 	public static String xssFilter(String text) {
 		return xssFilter(text, null);
 	}
 	/**
 	 * XSS 非法字符过滤，内容以<!--HTML-->开头的用以下规则（保留标签）
 	 * @author ThinkGem
 	 */
 	public static String xssFilter(String text, HttpServletRequest request) {
 		String oriValue = StringUtils.trim(text);
 		if (text != null){
 			String value = oriValue;
@@ -265,12 +275,19 @@ public class EncodeUtils {
 			"(?:')|(?:--)|(/\\*(?:.|[\\n\\r])*?\\*/)|((extractvalue|updatexml)([\\s]*?)\\()|"
 			+ "(\\b(select|update|and|or|delete|insert|trancate|char|into|substr|ascii|declare|exec|count|master|into|drop|execute|case when|sleep|union|load_file)\\b)",
 			Pattern.CASE_INSENSITIVE);
-	
+
 	/**
 	 * SQL过滤，防止注入，传入参数输入有select相关代码，替换空。
 	 * @author ThinkGem
 	 */
 	public static String sqlFilter(String text){
 		return sqlFilter(text, null);
 	}
 	/**
 	 * SQL过滤，防止注入，传入参数输入有select相关代码，替换空。
 	 * @author ThinkGem
 	 */
 	public static String sqlFilter(String text, String source){
 		if (text != null){
 			String value = text;
 			Matcher matcher = sqlPattern.matcher(value);
--- a/common/src/main/java/com/jeesite/common/network/IpUtils.java
+++ b/common/src/main/java/com/jeesite/common/network/IpUtils.java
@@ -27,7 +27,7 @@ public class IpUtils {
 			ip = request.getRemoteAddr();
 		}
 		if (StringUtils.isNotBlank(ip)){
-			ip = EncodeUtils.xssFilter(ip);
+			ip = EncodeUtils.xssFilter(ip, request);
 			ip = StringUtils.split(ip, ",")[0];
 		}
 		if (StringUtils.isBlank(ip)){
--- a/modules/core/src/main/java/com/jeesite/common/shiro/filter/FormAuthenticationFilter.java
+++ b/modules/core/src/main/java/com/jeesite/common/shiro/filter/FormAuthenticationFilter.java
@@ -115,7 +115,7 @@ public class FormAuthenticationFilter extends org.apache.shiro.web.filter.authc.
 		}
 		// 登录时判断是否需要记住用户名
 		if (WebUtils.isTrue(request, REMEMBER_USERCODE_PARAM)) {
-			rememberUserCodeCookie.setValue(EncodeUtils.encodeUrl(EncodeUtils.xssFilter(username)));
+			rememberUserCodeCookie.setValue(EncodeUtils.encodeUrl(EncodeUtils.xssFilter(username, (HttpServletRequest)request)));
 			rememberUserCodeCookie.saveTo((HttpServletRequest)request, (HttpServletResponse)response);
 		} else {
 			rememberUserCodeCookie.removeFrom((HttpServletRequest)request, (HttpServletResponse)response);
--- a/modules/core/src/main/java/com/jeesite/modules/sys/utils/LogUtils.java
+++ b/modules/core/src/main/java/com/jeesite/modules/sys/utils/LogUtils.java
@@ -94,7 +94,7 @@ public class LogUtils {
 		}
 		log.setServerAddr(request.getScheme() + "://" + request.getServerName() + ":" + request.getServerPort());
 		log.setRemoteAddr(IpUtils.getRemoteAddr(request));
-		log.setUserAgent(EncodeUtils.xssFilter(request.getHeader("User-Agent")));
+		log.setUserAgent(EncodeUtils.xssFilter(request.getHeader("User-Agent"), request));
 		UserAgent userAgent = UserAgent.parseUserAgentString(log.getUserAgent());
 		log.setDeviceName(userAgent.getOperatingSystem().getName());
 		log.setBrowserName(userAgent.getBrowser().getName());