From e635ca86c5fcce53cc58bd141c9e4822db29e542 Mon Sep 17 00:00:00 2001
From: ale
Date: Fri, 15 Jan 2021 21:32:41 +0100
Subject: [PATCH] escaping of dangerous characters

---
 server/pom.xml | 5 +++++
 .../main/java/cn/keking/web/controller/FileController.java | 4 ++++
 2 files changed, 9 insertions(+)

diff --git a/server/pom.xml b/server/pom.xml
index d9862b49..e35e959a 100644
--- a/server/pom.xml
+++ b/server/pom.xml
@@ -62,6 +62,11 @@ commons-lang3 3.7 + + org.apache.commons + commons-text + 1.9 + org.redisson
diff --git a/server/src/main/java/cn/keking/web/controller/FileController.java b/server/src/main/java/cn/keking/web/controller/FileController.java
index 165df5f5..33f06f8c 100644
--- a/server/src/main/java/cn/keking/web/controller/FileController.java
+++ b/server/src/main/java/cn/keking/web/controller/FileController.java
@@ -16,6 +16,7 @@ import org.springframework.web.multipart.MultipartFile;
 import java.io.*;
 import java.util.*;
+import org.apache.commons.text.StringEscapeUtils;
 
 /**
  *
@@ -36,6 +37,9 @@ public class FileController {
 // 获取文件名
 String fileName = file.getOriginalFilename();
 //判断是否为IE浏览器的文件名,IE浏览器下文件名会带有盘符信息
+
+ // escaping dangerous characters to prevent XSS
+ fileName = StringEscapeUtils.escapeHtml4(fileName);
 // Check for Unix-style path
 int unixSep = fileName.lastIndexOf('/');
 // Check for Windows-style path
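Review bot: The new `import org.apache.commons.text.StringEscapeUtils;` is placed after the `java.*` imports, while the other third-party imports in this file (for example `org.springframework.web.multipart.MultipartFile`, visible in the hunk header) sit above them. Keeping the `org.*` group together avoids a stray import that the next formatter pass will move anyway.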
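Review bot: `fileName = StringEscapeUtils.escapeHtml4(fileName);` applies HTML output encoding to the filename while it is still data, so every later use of `fileName` in this method (which continues outside the hunk) operates on the entity-encoded form — a name containing `&`, `<`, `>` or `"` is stored or looked up as `&amp;`, `&lt;` and so on, and a view that escapes again will double-encode it. The XSS fix belongs at the HTML sink where the name is rendered, with the controller keeping the original string; if the intent is to keep a display-safe copy here, make that explicit, e.g. `String displayName = StringEscapeUtils.escapeHtml4(fileName);`, and leave `fileName` itself for the path checks. Note also that `escapeHtml4(null)` returns `null` and `MultipartFile.getOriginalFilename()` may be null, so the following `fileName.lastIndexOf('/')` can still throw — pre-existing, but this is the natural place for a guard that rejects a missing filename. Finally, the insertion lands between the comment `//判断是否为IE浏览器的文件名...` and the separator checks it describes, so the new lines should go above that comment rather than below it.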