@@ -1,7 +1,6 @@
/** /**
* Copyright (c) 2005-2012 spring sid e.org.cn * Copyright (c) 2013-Now http://jee sit e.com All rights reserved.
* * No deletion without permission, or be held responsible to law.
* Licensed under the Apache License, Version 2.0 (the "License");
*/ */
package com.jeesite.common.codec ; package com.jeesite.common.codec ;
@@ -20,6 +19,7 @@ import jakarta.servlet.http.HttpServletRequest;
import java.io.UnsupportedEncodingException ; import java.io.UnsupportedEncodingException ;
import java.net.URLDecoder ; import java.net.URLDecoder ;
import java.net.URLEncoder ; import java.net.URLEncoder ;
import java.nio.charset.StandardCharsets ;
import java.util.List ; import java.util.List ;
import java.util.regex.Matcher ; import java.util.regex.Matcher ;
import java.util.regex.Pattern ; import java.util.regex.Pattern ;
@@ -73,11 +73,7 @@ public class EncodeUtils {
if ( StringUtils . isBlank ( input ) ) { if ( StringUtils . isBlank ( input ) ) {
return StringUtils . EMPTY ; return StringUtils . EMPTY ;
} }
try { return new String ( Base64 . encodeBase64 ( input . getBytes ( StandardCharsets . UTF_8 ) ) ) ;
return new String ( Base64 . encodeBase64 ( input . getBytes ( EncodeUtils . UTF_8 ) ) ) ;
} catch ( UnsupportedEncodingException e ) {
return " " ;
}
} }
// /** // /**
@@ -91,11 +87,7 @@ public class EncodeUtils {
* Base64解码. * Base64解码.
*/ */
public static byte [ ] decodeBase64 ( String input ) { public static byte [ ] decodeBase64 ( String input ) {
try { return Base64 . decodeBase64 ( input . getBytes ( StandardCharsets . UTF_8 ) ) ;
return Base64 . decodeBase64 ( input . getBytes ( EncodeUtils . UTF_8 ) ) ;
} catch ( UnsupportedEncodingException e ) {
throw ExceptionUtils . unchecked ( e ) ;
}
} }
/** /**
@@ -105,11 +97,7 @@ public class EncodeUtils {
if ( StringUtils . isBlank ( input ) ) { if ( StringUtils . isBlank ( input ) ) {
return StringUtils . EMPTY ; return StringUtils . EMPTY ;
} }
try { return new String ( Base64 . decodeBase64 ( input . getBytes ( StandardCharsets . UTF_8 ) ) , StandardCharsets . UTF_8 ) ;
return new String ( Base64 . decodeBase64 ( input . getBytes ( EncodeUtils . UTF_8 ) ) , EncodeUtils . UTF_8 ) ;
} catch ( UnsupportedEncodingException e ) {
return StringUtils . EMPTY ;
}
} }
/** /**
@@ -201,11 +189,11 @@ public class EncodeUtils {
} }
// 预编译XSS过滤正则表达式 // 预编译XSS过滤正则表达式
private static List < Pattern > xssPatterns = ListUtils . newArrayList ( private static final List < Pattern > xssPatterns = ListUtils . newArrayList (
Pattern . compile ( " (< \\ s*(script|link|style|iframe)([ \\ s \\ S]*?)(>|< \\ / \\ s* \\ 1 \\ s*>))|(</ \\ s*(script|link|style|iframe) \\ s*>) " , Pattern . CASE_INSENSITIVE ) , Pattern . compile ( " (< \\ s*(script|link|style|iframe)([ \\ s \\ S]*?)(>|< \\ / \\ s* \\ 1 \\ s*>))|(</ \\ s*(script|link|style|iframe) \\ s*>) " , Pattern . CASE_INSENSITIVE ) ,
Pattern . compile ( " \\ s*(href|src) \\ s*= \\ s*( \" \\ s*(javascript|vbscript):[^ \" ]+ \" |' \\ s*(javascript|vbscript):[^']+'|(javascript|vbscript):[^ \\ s]+) \\ s*(?=>) " , Pattern . CASE_INSENSITIVE ) , Pattern . compile ( " \\ s*(href|src) \\ s*= \\ s*( \" \\ s*(javascript|vbscript):[^ \" ]+ \" |' \\ s*(javascript|vbscript):[^']+'|(javascript|vbscript):[^ \\ s]+) \\ s*(?=>) " , Pattern . CASE_INSENSITIVE ) ,
Pattern . compile ( " \\ s*on[a-z]+ \\ s*= \\ s*( \" [^ \" ]+ \" |'[^']+'|[^ \\ s]+) \\ s*(?=>) " , Pattern . CASE_INSENSITIVE ) , Pattern . compile ( " \\ s*on[a-z]+ \\ s*= \\ s*( \" [^ \" ]+ \" |'[^']+'|[^ \\ s]+) \\ s*(?=>) " , Pattern . CASE_INSENSITIVE ) ,
Pattern . compile ( " (eval \\ ((.*?) \\ )|xpression \\ ((.*?) \\ )) " , Pattern . CASE_INSENSITIVE ) , Pattern . compile ( " (eval \\ ((.*?) \\ )|e xpression \\ ((.*?) \\ )) " , Pattern . CASE_INSENSITIVE ) ,
Pattern . compile ( " ^(javascript:|vbscript:) " , Pattern . CASE_INSENSITIVE ) Pattern . compile ( " ^(javascript:|vbscript:) " , Pattern . CASE_INSENSITIVE )
) ; ) ;
@@ -236,9 +224,9 @@ public class EncodeUtils {
} }
} }
// 如果开始不是HTML, , , // 如果开始不是HTML, , ,
if ( ! StringUtils . startsWithIgnoreCase ( value , " <!--HTML--> " ) // HTML if ( ! StringUtils . startsWithIgnoreCase ( value , " <!--HTML--> " ) // HTML
& & ! StringUtils . startsWithIgnoreCase ( value , " <?xml " ) // XML & & ! StringUtils . startsWithIgnoreCase ( value , " <?xml " ) // XML
& & ! StringUtils . contains ( value , " id= \" FormHtml \" " ) // JFlow & & ! StringUtils . contains ( value , " id= \" FormHtml \" " ) // JFlow
& & ! ( StringUtils . startsWith ( value , " { " ) & & StringUtils . endsWith ( value , " } " ) ) // JSON Object & & ! ( StringUtils . startsWith ( value , " { " ) & & StringUtils . endsWith ( value , " } " ) ) // JSON Object
& & ! ( StringUtils . startsWith ( value , " [ " ) & & StringUtils . endsWith ( value , " ] " ) ) // JSON Array & & ! ( StringUtils . startsWith ( value , " [ " ) & & StringUtils . endsWith ( value , " ] " ) ) // JSON Array
) { ) {
@@ -275,11 +263,11 @@ public class EncodeUtils {
} }
// 预编译SQL过滤正则表达式 // 预编译SQL过滤正则表达式
private static Pattern sqlPattern = Pattern . compile ( private static final Pattern sqlPattern = Pattern . compile (
" (?:')|(?:--)|(/ \\ *(?:.|[ \\ n \\ r])*? \\ */)|((extractvalue|updatexml|if|mid|database|rand|user)([ \\ s]*?) \\ () " " (?:')|(?:--)|(/ \\ *(?:.|[ \\ n \\ r])*? \\ */)|((extractvalue|updatexml|if|mid|database|rand|user)([ \\ s]*?) \\ () "
+ " |( \\ b(select|update|and|or|delete|insert|trancate|substr|ascii|declare|exec|count|master|into " + " |( \\ b(select|update|and|or|delete|insert|trancate|substr|ascii|declare|exec|count|master|into "
+ " |drop|execute|case when|sleep|union|load_file) \\ b) " , Pattern . CASE_INSENSITIVE ) ; + " |drop|execute|case when|sleep|union|load_file) \\ b) " , Pattern . CASE_INSENSITIVE ) ;
private static Pattern orderByPattern = Pattern . compile ( " [a-z0-9_ \\ . \\ , ]* " , Pattern . CASE_INSENSITIVE ) ; private static final Pattern orderByPattern = Pattern . compile ( " [a-z0-9_ \\ . \\ , ]* " , Pattern . CASE_INSENSITIVE ) ;
/** /**
* SQL过滤, , , * SQL过滤, , ,
@@ -331,7 +319,7 @@ public class EncodeUtils {
// xssFilter("<!--HTML-->12 你好 <script>window.location='url'我还在。"); // xssFilter("<!--HTML-->12 你好 <script>window.location='url'我还在。");
// xssFilter("<!--HTML-->13 你好 </script></iframe>我还在。"); // xssFilter("<!--HTML-->13 你好 </script></iframe>我还在。");
// xssFilter("<!--HTML-->14 你好 eval(abc)我还在。"); // xssFilter("<!--HTML-->14 你好 eval(abc)我还在。");
// xssFilter("<!--HTML-->15 你好 xpression(abc)我还在。"); // xssFilter("<!--HTML-->15 你好 e xpression(abc)我还在。");
// xssFilter("<!--HTML-->16 你好 <img src='abc.jpg' onerror='location='';alert(document.cookie);'></img>我还在。"); // xssFilter("<!--HTML-->16 你好 <img src='abc.jpg' onerror='location='';alert(document.cookie);'></img>我还在。");
// xssFilter("<!--HTML-->17 你好 <img src='abc.jpg' onerror='alert(document.cookie);'/>我还在。"); // xssFilter("<!--HTML-->17 你好 <img src='abc.jpg' onerror='alert(document.cookie);'/>我还在。");
// xssFilter("<!--HTML-->18 你好 <img src='abc.jpg' onerror='alert(document.cookie);'>我还在。"); // xssFilter("<!--HTML-->18 你好 <img src='abc.jpg' onerror='alert(document.cookie);'>我还在。");
thinkgem