Browse Source

escaping of dangerous characters

xss
ale 4 years ago committed by kl
parent
commit
e635ca86c5
  1. 5
      server/pom.xml
  2. 4
      server/src/main/java/cn/keking/web/controller/FileController.java

5
server/pom.xml

@ -62,6 +62,11 @@
<artifactId>commons-lang3</artifactId>
<version>3.7</version>
</dependency>
<dependency>
<groupId>org.apache.commons</groupId>
<artifactId>commons-text</artifactId>
<version>1.9</version>
</dependency>
<!-- REDISSON -->
<dependency>
<groupId>org.redisson</groupId>

4
server/src/main/java/cn/keking/web/controller/FileController.java

@ -16,6 +16,7 @@ import org.springframework.web.multipart.MultipartFile;
import java.io.*;
import java.util.*;
import org.apache.commons.text.StringEscapeUtils;
/**
*
@ -36,6 +37,9 @@ public class FileController {
// 获取文件名
String fileName = file.getOriginalFilename();
//判断是否为IE浏览器的文件名,IE浏览器下文件名会带有盘符信息
// escaping dangerous characters to prevent XSS
fileName = StringEscapeUtils.escapeHtml4(fileName);
// Check for Unix-style path
int unixSep = fileName.lastIndexOf('/');
// Check for Windows-style path

Loading…
Cancel
Save