xss

e0ff0092 · xiandafu · 7fecf4df · e0ff0092 · e0ff0092
Commit e0ff0092 authored Feb 25, 2018 by xiandafu
--- a/admin-core/src/main/java/com/ibeetl/admin/core/conf/BeetlConf.java
+++ b/admin-core/src/main/java/com/ibeetl/admin/core/conf/BeetlConf.java
@@ -31,6 +31,7 @@ import com.ibeetl.admin.core.util.beetl.OrgFunction;
 import com.ibeetl.admin.core.util.beetl.RoleFunction;
 import com.ibeetl.admin.core.util.beetl.SearchCondtionFunction;
 import com.ibeetl.admin.core.util.beetl.SysFunctionTreeFunction;
+import com.ibeetl.admin.core.util.beetl.XXSDefenderFormat;
 import com.ibeetl.admin.core.web.query.QueryParser;
 import com.ibeetl.starter.BeetlTemplateCustomize;
 import com.ibeetl.starter.ObjectMapperJsonUtil;
@@ -103,6 +104,7 @@ public class BeetlConf {
                groupTemplate.registerFunction("core.dictLevel", dictUpQueryFunction);
                groupTemplate.registerFunction("core.dictListByValue", dictQueryByValueFunction);
                groupTemplate.registerFunction("core.roles", roleFunction);
+                groupTemplate.registerFormat("xss", new XXSDefenderFormat());

                // 模板页面判断是否有按钮权限,比如canAccess
                groupTemplate.registerFunction("canAccess", new Function() {

--- a/admin-core/src/main/java/com/ibeetl/admin/core/util/beetl/XXSDefenderFormat.java
+++ b/admin-core/src/main/java/com/ibeetl/admin/core/util/beetl/XXSDefenderFormat.java
+package com.ibeetl.admin.core.util.beetl;
+
+import org.apache.commons.lang3.StringEscapeUtils;
+import org.apache.commons.lang3.StringUtils;
+import org.beetl.core.Format;
+
+public class XXSDefenderFormat implements Format {
+
+    @Override
+    public Object format(Object data, String pattern) {
+        if(data==null){
+            return data;
+        }
+        
+        if(data instanceof String){
+            String js = (String)data;
+            String str = StringEscapeUtils.escapeHtml4(js);
+            if(StringUtils.isNotEmpty(pattern)){
+                int len = Integer.parseInt(pattern);
+                if(str.length()>len){
+                    str = str.substring(0, len); 
+                }
+                
+            }
+            return str;
+        }else{
+            return data;
+        }
+        
+    }
+    
+    public static void main(String[] args){
+        String js =  "中文<script>hi</script><h5></h5>";
+        System.out.println(js);
+        js = StringEscapeUtils.escapeHtml4(js);
+        System.out.println(js);
+    }
+
+}