一起来找bug茬-01

博客园 - BigOrang

在vim中搜索关键字 linux top快捷键 druid 获取数据库连接失败，一直wait.DruidDataSource.takeLast -Xmx3G -Xms2G 在已经指定了最小内存2G后，启动的时候，就会直接分配2G给jvm吗？还是动态从1m到2G逐步分配的 java8类加载器示例&类加载1.8和1.8+的区别 windows查看端口占用 vmware Docker 设置代理腾讯云域名托管到 cloudflare nginx 代理eureka后css/js/fonts无法访问 docker 基础镜像损坏 mysql SHOW PROFILE 将所有容器docker都重启，但是不重启mysql 正则 .*? 和 .* 的区别是什么 nginx打印所有配置内容 NoClassDefFoundError: org/slf4j/impl/StaticLoggerBinder kubesphere org.tmatesoft.svn.core.SVNException: svn: E160013: '/leifengyang/yygh-parent.git' path not found: 404 Not Found (https://gitee.com) 布隆过滤器原理及应用场景 linux中，使用alias，应该在/etc/bashrc 中写，还是~/.bashrc中写，哪个更好 java date 时间最大连续天数

一起来找bug茬-01

BigOrang · 2024-07-05 · via 博客园 - BigOrang


/**
 * @description 对HttpServletRequest 请求的数据进行转义，防止xss攻击
 * URL: home.html?mothod=space&pid=335511
 */
public class XssHttpServletRequestWrapper extends HttpServletRequestWrapper {

  private byte[] body;

  public XssHttpServletRequestWrapper(HttpServletRequest request) throws IOException {
    super(request);

    String method = request.getMethod();
    String pathInfo = request.getPathInfo();
    String contentType = request.getContentType();
    // 由于request并没有提供现成的获取json字符串的方法，所以我们需要将body中的流转为字符串
    BufferedReader reader = request.getReader();
    StringBuilder stringBuilder = new StringBuilder();
    String line = null;
    while ((line = reader.readLine()) != null) {
      stringBuilder.append(line);
    }
    String json = stringBuilder.toString();
    if ((HttpMethod.POST.equalsIgnoreCase(method) ||
      HttpMethod.PUT.equalsIgnoreCase(method)) && StrUtil.isNotEmpty(contentType) && contentType.contains(
      MediaType.APPLICATION_JSON_VALUE)) {
      json = HtmlUtil.cleanHtmlTag(json);
      json = json.replaceAll("iframe.*iframe","").replaceAll("javascript.*\\)","").replaceAll("alert","");
      body = json.getBytes();
    }
  }

  /**
   * 重写getParameter方法，用HtmlUtil转义后再返回
   */
  @Override
  public String getParameter(String name) {
    String value= super.getParameter(name);
    if(!StrUtil.hasEmpty(value)){
//      value= HtmlUtil.filter(value);
      value = value.replaceAll("<iframe.*iframe>","").replaceAll("iframe.*iframe","").replaceAll("javascript.*\\)","").replaceAll("alert","");
    }
    return value;
  }


  public static void main(String[] args) {
    String address = "<p>fegreef&lt;iframe+src=javascript:&amp;#37;&amp;#53;&amp8#67;&amp;#117;&amp;#48;&amp;#48;&amp8#54;&amp;#49;&amp;#37;&amp;#53;&amp;#67;&amp;#117;&amp;#48;&amp;#48;&amp;#54;&amp;#67;&amp;#378&amp;#53;&amp;#67;&amp;#117;&amp;#48;&amp;#48;&amp;#54;&amp;#53;&amp;#37;&amp;#53;&amp;#67;&amp;#11F;&amp8#48;&amp;#48;&amp;#55;&amp;#50;&amp;#37;&amp;#53;&amp;#67;&amp;#117;&amp;#48;&amp;#48;&amp;#55;&amp;#52;(88888)&gt;&1t;/iframe&gt;e</p>alert909090></p>";

    String b = "<iframe src=//a.com></iframe>";

    System.out.println(b.replaceAll("iframe.*iframe","").replaceAll("javascript.*\\)","").replaceAll("alert.*",""));

  }

  /**
   * 重写getParameterValues方法，
   * 遍历每一个值，用HtmlUtil转义后再返回
   */
  @Override
  public String[] getParameterValues(String name) {
    String[] values= super.getParameterValues(name);
    if(values!=null){
      for (int i=0;i<values.length;i++){
        String value=values[i];
        if(!StrUtil.hasEmpty(value)){
//          value= HtmlUtil.filter(value);
          value = value.replaceAll("<iframe.*iframe>","").replaceAll("iframe.*iframe","").replaceAll("javascript.*\\)","").replaceAll("alert","");
        }
        values[i]=value;
      }
    }
    return values;
  }

  /**
   * 重写getParameterMap方法，
   * 拿到所有的k-v键值对，用LinkedHashMap接收，
   * key不变，value用HtmlUtil转义后再返回
   */
  @Override
  public Map<String, String[]> getParameterMap() {
    Map<String, String[]> parameters = super.getParameterMap();
    LinkedHashMap<String, String[]> map=new LinkedHashMap();
    if(parameters!=null){
      for (String key:parameters.keySet()){
        String[] values=parameters.get(key);
        for (int i = 0; i < values.length; i++) {
          String value = values[i];
          if (!StrUtil.hasEmpty(value)) {
//            value = HtmlUtil.filter(value);
            value = value.replaceAll("<iframe.*iframe>","").replaceAll("iframe.*iframe","").replaceAll("javascript.*\\)","").replaceAll("alert","");
          }
          values[i] = value;
        }
        map.put(key,values);
      }
    }
    return map;
  }

  /**
   * 重写getHeader方法，用HtmlUtil转义后再返回
   */
  @Override
  public String getHeader(String name) {
    String value= super.getHeader(name);
    if (!StrUtil.hasEmpty(value)) {
      value = HtmlUtil.filter(value);
    }
    return value;
  }

  @Override
  public ServletInputStream getInputStream(){
    if (body != null && body.length > 0) {
      final ByteArrayInputStream byteArrayInputStream = new ByteArrayInputStream(body);
      //匿名内部类，只需要重写read方法，把转义后的值，创建成ServletInputStream对象
      return new ServletInputStream() {
        @Override
        public boolean isFinished() {
          return byteArrayInputStream.available() == 0;
        }

        @Override
        public boolean isReady() {
          return true;
        }

        @Override
        public void setReadListener(ReadListener readListener) {

        }

        @Override
        public int read() throws IOException {
          return byteArrayInputStream.read();
        }
      };
    } else {
        try {
            return super.getInputStream();
        } catch (IOException e) {
            throw new RuntimeException(e);
        }
    }
  }
    @Override
    public BufferedReader getReader(){
        return new BufferedReader(new InputStreamReader(this.getInputStream()));
    }
}

此内容由惯性聚合(RSS阅读器)自动聚合整理，仅供阅读参考。原文来自 — 版权归原作者所有。

推荐订阅源

博客园 - BigOrang