HTML过滤器改为将html转义

pull/193/head
RuoYi 2020-07-28 17:21:24 +08:00
parent 3025017d0f
commit 31c3d4021e
4 changed files with 8 additions and 8 deletions


@ -62,7 +62,10 @@
}, },
{ {
field: 'sessionId', field: 'sessionId',
title: '会话编号' title: '会话编号',
formatter: function(value, row, index) {
return $.table.tooltip(value);
}
}, },
{ {
field: 'loginName', field: 'loginName',
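Review bot: The new `formatter` hands `value` straight to `$.table.tooltip`, and whether that helper HTML-escapes its argument is not visible in this hunk; if it builds the `title` attribute by string concatenation, a session identifier containing `"` or `<` would reach the DOM unescaped. Session IDs are presumably server-generated, so the practical exposure is low, but the same pattern is used for free-text columns elsewhere in this commit (table name / comment), so it is worth confirming once that the helper escapes or escaping `value` before passing it. A one-line comment would make the assumption explicit: `// value is a server-issued session id; tooltip helper must still escape it`. The enclosing column definition array begins and ends outside this hunk.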


@ -147,6 +147,7 @@ public class EscapeUtil
String html = "<script>alert(1);</script>"; String html = "<script>alert(1);</script>";
// String html = "<scr<script>ipt>alert(\"XSS\")</scr<script>ipt>"; // String html = "<scr<script>ipt>alert(\"XSS\")</scr<script>ipt>";
// String html = "<123"; // String html = "<123";
// String html = "123>";
System.out.println(EscapeUtil.clean(html)); System.out.println(EscapeUtil.clean(html));
System.out.println(EscapeUtil.escape(html)); System.out.println(EscapeUtil.escape(html));
System.out.println(EscapeUtil.unescape(html)); System.out.println(EscapeUtil.unescape(html));
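Review bot: The added line is another commented-out fixture in `main` alongside `<123` and the nested `<scr<script>ipt>` bypass, so none of these cases are ever exercised at the same time and the expected output of `clean` for a stray `>` is not pinned anywhere. Since the commit changes exactly that behaviour (escaping instead of tag completion), these strings belong in a test that asserts the escaped result rather than printing it, e.g. `assert EscapeUtil.clean("123>").indexOf('>') < 0;` with the expected entity form filled in once confirmed. The `main` method starts outside this hunk.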


@ -35,7 +35,7 @@ public final class HTMLFilter
private static final Pattern P_VALID_ENTITIES = Pattern.compile("&([^&;]*)(?=(;|&|$))"); private static final Pattern P_VALID_ENTITIES = Pattern.compile("&([^&;]*)(?=(;|&|$))");
private static final Pattern P_VALID_QUOTES = Pattern.compile("(>|^)([^<]+?)(<|$)", Pattern.DOTALL); private static final Pattern P_VALID_QUOTES = Pattern.compile("(>|^)([^<]+?)(<|$)", Pattern.DOTALL);
private static final Pattern P_END_ARROW = Pattern.compile("^>"); private static final Pattern P_END_ARROW = Pattern.compile("^>");
// private static final Pattern P_BODY_TO_END = Pattern.compile("<([^>]*?)(?=<|$)"); private static final Pattern P_BODY_TO_END = Pattern.compile("<([^>]*?)(?=<|$)");
private static final Pattern P_XML_CONTENT = Pattern.compile("(^|>)([^<]*?)(?=>)"); private static final Pattern P_XML_CONTENT = Pattern.compile("(^|>)([^<]*?)(?=>)");
private static final Pattern P_STRAY_LEFT_ARROW = Pattern.compile("<([^>]*?)(?=<|$)"); private static final Pattern P_STRAY_LEFT_ARROW = Pattern.compile("<([^>]*?)(?=<|$)");
private static final Pattern P_STRAY_RIGHT_ARROW = Pattern.compile("(^|>)([^<]*?)(?=>)"); private static final Pattern P_STRAY_RIGHT_ARROW = Pattern.compile("(^|>)([^<]*?)(?=>)");
@ -131,7 +131,7 @@ public final class HTMLFilter
vAllowedEntities = new String[] { "amp", "gt", "lt", "quot" }; vAllowedEntities = new String[] { "amp", "gt", "lt", "quot" };
stripComment = true; stripComment = true;
encodeQuotes = true; encodeQuotes = true;
alwaysMakeTags = true; alwaysMakeTags = false;
} }
/** /**
@ -246,7 +246,7 @@ public final class HTMLFilter
// //
s = regexReplace(P_END_ARROW, "", s); s = regexReplace(P_END_ARROW, "", s);
// 不追加结束标签 // 不追加结束标签
// s = regexReplace(P_BODY_TO_END, "<$1>", s); s = regexReplace(P_BODY_TO_END, "<$1>", s);
s = regexReplace(P_XML_CONTENT, "$1<$2", s); s = regexReplace(P_XML_CONTENT, "$1<$2", s);
} }
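Review bot: The `alwaysMakeTags` branch in the third hunk is left half-disabled: `P_BODY_TO_END` is commented out but the following `s = regexReplace(P_XML_CONTENT, "$1<$2", s);` still runs, so if the flag can still be set to true through another path (a configuration-driven constructor, not visible here) the filter would insert `<` before text runs without completing any tag, yielding unbalanced markup rather than either safe outcome. With the default now `false`, either delete the branch together with the commented-out `P_BODY_TO_END` declaration in the first hunk (whose regex duplicates `P_STRAY_LEFT_ARROW` anyway), or keep both replacements so the flag stays coherent. The Chinese comment `// 不追加结束标签` should also state the security reason in English, e.g. `// Tag completion is off by default: stray '<' / '>' are entity-escaped instead, so fragments such as <scr<script>ipt> cannot be reassembled into a tag after one strip pass`. The enclosing method starts outside this hunk.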


@ -59,7 +59,6 @@
{ {
field: 'tableName', field: 'tableName',
title: '表名称', title: '表名称',
width: '20%',
sortable: true, sortable: true,
formatter: function(value, row, index) { formatter: function(value, row, index) {
return $.table.tooltip(value); return $.table.tooltip(value);
@ -68,7 +67,6 @@
{ {
field: 'tableComment', field: 'tableComment',
title: '表描述', title: '表描述',
width: '20%',
sortable: true, sortable: true,
formatter: function(value, row, index) { formatter: function(value, row, index) {
return $.table.tooltip(value); return $.table.tooltip(value);
@ -77,13 +75,11 @@
{ {
field: 'createTime', field: 'createTime',
title: '创建时间', title: '创建时间',
width: '20%',
sortable: true sortable: true
}, },
{ {
field: 'updateTime', field: 'updateTime',
title: '更新时间', title: '更新时间',
width: '20%',
sortable: true sortable: true
}] }]
}; };