From 7758fe59bf0144d1d2f8efcf2e117ccabf1b02bb Mon Sep 17 00:00:00 2001
From: thinkgem
Date: Fri, 11 May 2018 22:04:37 +0800
Subject: [PATCH] =?UTF-8?q?XSS=E9=9D=9E=E6=B3=95=E5=AD=97=E7=AC=A6?= =?UTF-8?q?=E8=BF=87=E6=BB=A4=E4=BC=98=E5=8C=96?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 .../src/main/java/com/jeesite/common/codec/EncodeUtils.java | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/common/src/main/java/com/jeesite/common/codec/EncodeUtils.java b/common/src/main/java/com/jeesite/common/codec/EncodeUtils.java
index af3d685f..d461b25a 100644
--- a/common/src/main/java/com/jeesite/common/codec/EncodeUtils.java
+++ b/common/src/main/java/com/jeesite/common/codec/EncodeUtils.java
@@ -183,7 +183,7 @@ public class EncodeUtils {
 }
 
 // 预编译XSS过滤正则表达式
- private static Pattern p1 = Pattern.compile("<\\s*(script|link|style|iframe)(.|\\n)*<\\s*\\/\\s*\\1\\s*>\\s*", Pattern.CASE_INSENSITIVE);
+ private static Pattern p1 = Pattern.compile("<\\s*(script|link|style|iframe)\\s([\\s\\S]+?)<\\/\\s*\\1\\s*>", Pattern.CASE_INSENSITIVE);
 private static Pattern p2 = Pattern.compile("\\s*on[a-z]+\\s*=\\s*(\"[^\"]+\"|'[^']+'|[^\\s]+)\\s*(?=>)", Pattern.CASE_INSENSITIVE);
 private static Pattern p3 = Pattern.compile("\\s*(href|src)\\s*=\\s*(\"\\s*(javascript|vbscript):[^\"]+\"|'\\s*(javascript|vbscript):[^']+'|(javascript|vbscript):[^\\s]+)\\s*(?=>)", Pattern.CASE_INSENSITIVE);
 private static Pattern p4 = Pattern.compile("epression\\((.|\\n)*\\);?", Pattern.CASE_INSENSITIVE);
@@ -191,7 +191,7 @@ public class EncodeUtils {
 /**
 * XSS 非法字符过滤
 * 内容以开头的用以下规则(保留标签,去掉js脚本):
- * 1、<(script|link|style|iframe)(.|\n)*<\/\1>\s*
+ * 1、<\s*(script|link|style|iframe)\s([\s\S]+?)<\/\s*\1\s*>
 * 2、\s*on[a-z]+\s*=\s*("[^"]+"|'[^']+'|[^\s]+)\s*(?=>)
 * 3、\s*(href|src)\s*=\s*("\s*(javascript|vbscript):[^"]+"|'\s*(javascript|vbscript):[^']+'|(javascript|vbscript):[^\s]+)\s*(?=>)
 * 4、epression\((.|\n)*\);?
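Review bot: The rewritten p1 pattern on the `+` line of the first hunk requires one literal whitespace character (`\s`) immediately after the tag name, so an attribute-less `<script>alert(1)</script>` no longer matches at all, whereas the removed pattern's `(.|\n)*` accepted the `>` directly; unless code outside this hunk strips such tags another way, the filter now lets exactly the most common form through. A word boundary keeps the non-greedy rewrite and still refuses to match `<scripts>`: `private static final Pattern p1 = Pattern.compile("<\\s*(script|link|style|iframe)\\b([\\s\\S]+?)<\\/\\s*\\1\\s*>", Pattern.CASE_INSENSITIVE);`. The rule-1 line of the Javadoc in the second hunk should then be updated to the same expression so the documented and compiled patterns stay identical. Declaring p1 (and the sibling p2–p4) `final` would also make explicit that these precompiled patterns are immutable shared state. The enclosing class EncodeUtils starts and ends outside both hunks.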