From b0e6ab234e44cc91eae9f23b525b08815f15eeac Mon Sep 17 00:00:00 2001
From: thinkgem <thinkgem@163.com>
Date: Wed, 9 Jul 2025 13:03:10 +0800
Subject: [PATCH] =?UTF-8?q?=E5=AE=8C=E5=96=84xss=E6=AD=A3=E5=88=99?=
 =?UTF-8?q?=E8=A1=A8=E8=BE=BE=E5=BC=8F=EF=BC=8C=E5=A4=84=E7=90=86on?=
 =?UTF-8?q?=E5=89=8D=E9=9D=A2=E6=98=AF/=E7=9A=84=E9=97=AE=E9=A2=98?=
 =?UTF-8?q?=EF=BC=9B=E5=AE=8C=E5=96=84beetl=E7=9A=84xss=E6=A0=BC=E5=BC=8F?=
 =?UTF-8?q?=E5=8C=96=EF=BC=8C=E9=BB=98=E8=AE=A4=E4=BD=BF=E7=94=A8=E9=9D=9E?=
 =?UTF-8?q?html=E6=96=87=E6=9C=AC=E5=A4=84=E7=90=86?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 .../com/jeesite/common/codec/EncodeUtils.java |  2 +-
 .../jeesite/test/codec/EncodeUtilsTest.java   | 74 +++++++++++--------
 .../views/include/sysIndex/leftMenu.html      |  2 +-
 .../views/include/sysIndex/topMenuOffice.html |  2 +-
 .../views/include/sysIndex/topMenuUser.html   |  2 +-
 .../views/modules/sys/user/userInfo.html      |  2 +-
 6 files changed, 48 insertions(+), 36 deletions(-)

diff --git a/common/src/main/java/com/jeesite/common/codec/EncodeUtils.java b/common/src/main/java/com/jeesite/common/codec/EncodeUtils.java
index 1b08d643..4f3be36e 100644
--- a/common/src/main/java/com/jeesite/common/codec/EncodeUtils.java
+++ b/common/src/main/java/com/jeesite/common/codec/EncodeUtils.java
@@ -192,7 +192,7 @@ public class EncodeUtils {
 	private static final List<Pattern> xssPatterns = ListUtils.newArrayList(
 			Pattern.compile("(<\\s*(script|link|style|iframe)([\\s\\S]*?)(>|<\\/\\s*\\1\\s*>))|(</\\s*(script|link|style|iframe)\\s*>)", Pattern.CASE_INSENSITIVE),
 			Pattern.compile("\\s*(href|src)\\s*=\\s*(\"\\s*(javascript|vbscript):[^\"]+\"|'\\s*(javascript|vbscript):[^']+'|(javascript|vbscript):[^\\s]+)\\s*(?=>)", Pattern.CASE_INSENSITIVE),
-			Pattern.compile("\\s*on[a-z]+\\s*=\\s*(\"[^\"]+\"|'[^']+'|[^\\s]+)\\s*(?=>)", Pattern.CASE_INSENSITIVE),
+			Pattern.compile("\\s*/?\\s*on[a-zA-Z]+\\s*=\\s*(['\"]?)(.*?)\\1(?=\\s|>|/>)", Pattern.CASE_INSENSITIVE),
 			Pattern.compile("(eval\\((.*?)\\)|expression\\((.*?)\\))", Pattern.CASE_INSENSITIVE),
 			Pattern.compile("^(javascript:|vbscript:)", Pattern.CASE_INSENSITIVE)
 	);
diff --git a/common/src/test/java/com/jeesite/test/codec/EncodeUtilsTest.java b/common/src/test/java/com/jeesite/test/codec/EncodeUtilsTest.java
index de24d4f0..73039d3f 100644
--- a/common/src/test/java/com/jeesite/test/codec/EncodeUtilsTest.java
+++ b/common/src/test/java/com/jeesite/test/codec/EncodeUtilsTest.java
@@ -14,37 +14,49 @@ import com.jeesite.common.codec.EncodeUtils;
 public class EncodeUtilsTest {
 
 	public static void main(String[] args) {
-		EncodeUtils.xssFilter("1 你好 <script>alert(document.cookie)</script>我还在。");
-		EncodeUtils.xssFilter("2 你好 <strong>加粗文字</strong>我还在。");
-		EncodeUtils.xssFilter("<!--HTML-->3 你好 \"><strong>加粗文字</strong>我还在。");
-		EncodeUtils.xssFilter("<!--HTML-->4 你好 <iframe src=\"abcdef\"></iframe><strong>加粗文字</strong>我还在。");
-		EncodeUtils.xssFilter("<!--HTML-->5 你好 <iframe src=\"abcdef\"/><strong>加粗文字</strong>我还在。");
-		EncodeUtils.xssFilter("<!--HTML-->6 你好 <iframe src=\"abcdef\"><strong>加粗文字</strong>我还在。");
-		EncodeUtils.xssFilter("<!--HTML-->7 你好 <script type=\"text/javascript\">alert(document.cookie)</script>我还在。");
-		EncodeUtils.xssFilter("<!--HTML-->8 你好 <script\n type=\"text/javascript\">\nalert(document.cookie)\n</script>我还在。");
-		EncodeUtils.xssFilter("<!--HTML-->9 你好 <script src='' onerror='alert(document.cookie)'></script>我还在。");
-		EncodeUtils.xssFilter("<!--HTML-->10 你好 <script type=text/javascript>alert()我还在。");
-		EncodeUtils.xssFilter("<!--HTML-->11 你好 <script>alert(document.cookie)</script>我还在。");
-		EncodeUtils.xssFilter("<!--HTML-->12 你好 <script>window.location='url'我还在。");
-		EncodeUtils.xssFilter("<!--HTML-->13 你好 </script></iframe>我还在。");
-		EncodeUtils.xssFilter("<!--HTML-->14 你好 eval(abc)我还在。");
-		EncodeUtils.xssFilter("<!--HTML-->15 你好 expression(abc)我还在。");
-		EncodeUtils.xssFilter("<!--HTML-->16 你好 <img src='abc.jpg' onerror='location='';alert(document.cookie);'></img>我还在。");
-		EncodeUtils.xssFilter("<!--HTML-->17 你好 <img src='abc.jpg' onerror='alert(document.cookie);'/>我还在。");
-		EncodeUtils.xssFilter("<!--HTML-->18 你好 <img src='abc.jpg' onerror='alert(document.cookie);'>我还在。");
-		EncodeUtils.xssFilter("<!--HTML-->19 你好 <a onload='alert(\"abc\")'>hello</a>我还在。");
-		EncodeUtils.xssFilter("<!--HTML-->20 你好 <a href=\"/abc\">hello</a>我还在。");
-		EncodeUtils.xssFilter("<!--HTML-->21 你好 <a href='/abc'>hello</a>我还在。");
-		EncodeUtils.xssFilter("<!--HTML-->22 你好 <a href='vbscript:alert(\"abc\");'>hello</a>我还在。");
-		EncodeUtils.xssFilter("<!--HTML-->23 你好 <a href='javascript:alert(\"abc\");'>hello</a>我还在。");
-		EncodeUtils.xssFilter("<!--HTML-->24 你好 ?abc=def&hello=123&world={\"a\":1}我还在。");
-		EncodeUtils.xssFilter("<!--HTML-->25 你好 ?abc=def&hello=123&world={'a':1}我还在。");
-		EncodeUtils.sqlFilter("1 你好 select * from xxx where abc=def and 1=1我还在。");
-		EncodeUtils.sqlFilter("2 你好 insert into xxx values(1,2,3,4,5)我还在。");
-		EncodeUtils.sqlFilter("3 你好 delete from xxx我还在。");
-		EncodeUtils.sqlFilter("4 a.audit_result asc,case when 1 like case when length(database())=6 then 1 else exp(111) end then 1 else 1/0 end", "orderBy");
-		EncodeUtils.sqlFilter("5 if(1=2,1,SLEEP(10)), if(mid(database(),{},1)=\\\"{}\\\",a.id,a.login_name)", "orderBy");
-		EncodeUtils.sqlFilter("6 a.audit_result asc, b.audit_result2 desc, b.AuditResult3 desc", "orderBy");
+		int i = 0;
+		xssFilter(i++, "你好 <script>alert(document.cookie)</script>我还在。");
+		xssFilter(i++, "你好 <strong>加粗文字</strong>我还在。");
+		xssFilter(i++, "<!--HTML-->你好 \"><strong>加粗文字</strong>我还在。");
+		xssFilter(i++, "<!--HTML-->你好 <iframe src=\"abcdef\"></iframe><strong>加粗文字</strong>我还在。");
+		xssFilter(i++, "<!--HTML-->你好 <iframe src=\"abcdef\"/><strong>加粗文字</strong>我还在。");
+		xssFilter(i++, "<!--HTML-->你好 <iframe src=\"abcdef\"><strong>加粗文字</strong>我还在。");
+		xssFilter(i++, "<!--HTML-->你好 <script type=\"text/javascript\">alert(document.cookie)</script>我还在。");
+		xssFilter(i++, "<!--HTML-->你好 <script\n type=\"text/javascript\">\nalert(document.cookie)\n</script>我还在。");
+		xssFilter(i++, "<!--HTML-->你好 <script src='' onerror='alert(document.cookie)'></script>我还在。");
+		xssFilter(i++, "<!--HTML-->你好 <script type=text/javascript>alert()我还在。");
+		xssFilter(i++, "<!--HTML-->你好 <script>alert(document.cookie)</script>我还在。");
+		xssFilter(i++, "<!--HTML-->你好 <script>window.location='url'我还在。");
+		xssFilter(i++, "<!--HTML-->你好 </script></iframe>我还在。");
+		xssFilter(i++, "<!--HTML-->你好 eval(abc)我还在。");
+		xssFilter(i++, "<!--HTML-->你好 expression(abc)我还在。");
+		xssFilter(i++, "<!--HTML-->你好 <img src='abc.jpg' onerror='location='';alert(document.cookie);'></img>我还在。");
+		xssFilter(i++, "<!--HTML-->你好 <img src='abc.jpg' onerror='alert(document.cookie);'/>我还在。");
+		xssFilter(i++, "<!--HTML-->你好 <img src='abc.jpg' onerror='alert(document.cookie);'>我还在。");
+		xssFilter(i++, "<!--HTML-->你好 <a onload='alert(\"abc\")'>hello</a>我还在。");
+		xssFilter(i++, "<!--HTML-->你好 <a href=\"/abc\">hello</a>我还在。");
+		xssFilter(i++, "<!--HTML-->你好 <a href='/abc'>hello</a>我还在。");
+		xssFilter(i++, "<!--HTML-->你好 <a href='vbscript:alert(\"abc\");'>hello</a>我还在。");
+		xssFilter(i++, "<!--HTML-->你好 <a href='javascript:alert(\"abc\");'>hello</a>我还在。");
+		xssFilter(i++, "<!--HTML-->你好 ?abc=def&hello=123&world={\"a\":1}我还在。");
+		xssFilter(i++, "<!--HTML-->你好 ?abc=def&hello=123&world={'a':1}我还在。");
+		xssFilter(i++, "<!--HTML-->\"><svg/ONLOAD=confirm(3) />");
+		sqlFilter(i++, "你好 select * from xxx where abc=def and 1=1我还在。", "common");
+		sqlFilter(i++, "你好 insert into xxx values(1,2,3,4,5)我还在。", "common");
+		sqlFilter(i++, "你好 delete from xxx我还在。", "common");
+		sqlFilter(i++, "a.audit_result asc,case when 1 like case when length(database())=6 then 1 else exp(111) end then 1 else 1/0 end", "orderBy");
+		sqlFilter(i++, "if(1=2,1,SLEEP(10)), if(mid(database(),{},1)=\\\"{}\\\",a.id,a.login_name)", "orderBy");
+		sqlFilter(i++, "a.audit_result asc, b.audit_result2 desc, b.AuditResult3 desc", "orderBy");
+	}
+
+	private static void xssFilter(int num, String text) {
+		String text2 = EncodeUtils.xssFilter(text);
+		System.out.println(num + ". " + text + "\t ==> \t" + text2 + "\t ==> \t" + text.equals(text2));
+	}
+
+	private static void sqlFilter(int num, String text, String source) {
+		String text2 = EncodeUtils.sqlFilter(text, source);
+		System.out.println(num + ". " + text + "\t ==> \t" + text2 + "\t ==> \t" + text.equals(text2));
 	}
 
 }
diff --git a/modules/core/src/main/resources/views/include/sysIndex/leftMenu.html b/modules/core/src/main/resources/views/include/sysIndex/leftMenu.html
index 2935e61a..a56291f2 100644
--- a/modules/core/src/main/resources/views/include/sysIndex/leftMenu.html
+++ b/modules/core/src/main/resources/views/include/sysIndex/leftMenu.html
@@ -6,7 +6,7 @@
 			<script src="${ctxStatic}/modules/sys/leftMenu.js"></script>
 		</div>
 		<div class="pull-left info">
-			<p>${user.userName}</p>
+			<p>${user.userName,xss}</p>
 			<a href="javascript:"><i class="fa fa-circle text-success"></i> ${text('在线')}</a>
 			<a href="${ctx}/logout"><i class="fa fa-sign-out text-danger"></i> ${text('注销')}</a>
 		</div>
diff --git a/modules/core/src/main/resources/views/include/sysIndex/topMenuOffice.html b/modules/core/src/main/resources/views/include/sysIndex/topMenuOffice.html
index fb218aca..62cc2db5 100644
--- a/modules/core/src/main/resources/views/include/sysIndex/topMenuOffice.html
+++ b/modules/core/src/main/resources/views/include/sysIndex/topMenuOffice.html
@@ -1,7 +1,7 @@
 <% if(toBoolean(switchOffice!)){ %>
 <li>
 	<a href="javascript:" id="switchOffice">
-		<i class="fa icon-grid" style="font-size:13px;"></i> ${officeName!}
+		<i class="fa icon-grid" style="font-size:13px;"></i> ${officeName!,xss}
 	</a>
 	<div class="hide"><#form:treeselect id="switchOfficeSelect" title="${text('部门切换')}" allowClear="true"
 		url="${ctx}/sys/empUser/officeListData?isShowCode=true" callbackFuncName="switchOfficeSelectCallback"
diff --git a/modules/core/src/main/resources/views/include/sysIndex/topMenuUser.html b/modules/core/src/main/resources/views/include/sysIndex/topMenuUser.html
index 6971c507..f55ecfd4 100644
--- a/modules/core/src/main/resources/views/include/sysIndex/topMenuUser.html
+++ b/modules/core/src/main/resources/views/include/sysIndex/topMenuUser.html
@@ -1,7 +1,7 @@
 <li class="dropdown user-menu mr5">
 	<a href="javascript:" class="dropdown-toggle" data-toggle="dropdown" data-hover="dropdown">
 		<img src="${@user.getAvatarUrl().replaceFirst('/ctxPath', ctxPath)}" class="user-image">
-		<span class="hidden-xs">${user.userName}</span>
+		<span class="hidden-xs">${user.userName,xss}</span>
 	</a>
 	<ul class="dropdown-menu">
 		<li class="mt5">
diff --git a/modules/core/src/main/resources/views/modules/sys/user/userInfo.html b/modules/core/src/main/resources/views/modules/sys/user/userInfo.html
index 28382e6c..2f1069ce 100644
--- a/modules/core/src/main/resources/views/modules/sys/user/userInfo.html
+++ b/modules/core/src/main/resources/views/modules/sys/user/userInfo.html
@@ -23,7 +23,7 @@
 							<div class="box-body box-profile">
 								<img id="avatarImg" class="profile-user-img img-responsive img-circle"
 									src="${@user.getAvatarUrl().replaceFirst('/ctxPath', ctxPath)}?__t=${date().time}">
-								<h3 class="profile-username text-center">${user.userName}</h3>
+								<h3 class="profile-username text-center">${user.userName,xss}</h3>
 								<p class="text-muted text-center">
 									<#form:radio path="sex" dictType="sys_user_sex" class="form-control required"/>
 								</p>