🐛 修复登录入口的xss漏洞。

2018-05-31 13:43:03 +08:00 · 2018-05-31 13:43:03 +08:00 · d4ae4614b6
parent a1e7d80cc8
commit d4ae4614b6
1 changed files with 2 additions and 1 deletions
--- a/src/main/java/cc/ryanc/halo/web/controller/admin/AdminController.java
+++ b/src/main/java/cc/ryanc/halo/web/controller/admin/AdminController.java
@ -14,6 +14,7 @@ import cc.ryanc.halo.utils.HaloUtils;
 import cc.ryanc.halo.web.controller.core.BaseController;
 import cn.hutool.core.lang.Validator;
 import cn.hutool.crypto.SecureUtil;
+import cn.hutool.http.HtmlUtil;
 import lombok.extern.slf4j.Slf4j;
 import org.apache.commons.lang3.StringUtils;
 import org.springframework.beans.factory.annotation.Autowired;
@ -145,7 +146,7 @@ public class AdminController extends BaseController {
                userService.updateUserLoginEnable("false");
            }
            userService.updateUserLoginLast(new Date());
-            logsService.saveByLogs(new Logs(LogsRecord.LOGIN, LogsRecord.LOGIN_ERROR + "[" + loginName + "," + loginPwd + "]", HaloUtils.getIpAddr(request), new Date()));
+            logsService.saveByLogs(new Logs(LogsRecord.LOGIN, LogsRecord.LOGIN_ERROR + "[" + HtmlUtil.encode(loginName) + "," + HtmlUtil.encode(loginPwd) + "]", HaloUtils.getIpAddr(request), new Date()));
            log.error("登录失败！：{0}", e.getMessage());
        }
        return status;