@@ -1,6 +1,8 @@
|
|
|
package com.xjrsoft.common.xss;
|
|
|
|
|
|
import cn.hutool.core.collection.ListUtil;
|
|
|
+import cn.hutool.core.util.StrUtil;
|
|
|
+import org.apache.catalina.connector.RequestFacade;
|
|
|
import org.apache.commons.io.IOUtils;
|
|
|
import org.apache.commons.lang.StringUtils;
|
|
|
import org.springframework.http.HttpHeaders;
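Review bot: `org.apache.catalina.connector.RequestFacade` is not referenced by any new line in the hunks visible here, so the added import looks unused; if it really is unused it should be dropped, and if it is used somewhere outside these hunks it ties the wrapper to Tomcat's connector class rather than the servlet API, which is worth a comment explaining why. The other new import, `StrUtil`, is used in the constructor.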
|
|
|
@@ -29,19 +31,30 @@ public class XssHttpServletRequestWrapper extends HttpServletRequestWrapper {
|
|
|
*/
|
|
|
HttpServletRequest orgRequest;
|
|
|
|
|
|
- private final List<String> ignoreXssUrl = ListUtil.toList("/magic-api/**","/magic/web/**");
|
|
|
+ public static final String HTTP_METHOD_OVERRIDE = "x-http-method-override";
|
|
|
+
|
|
|
+ private String method;
|
|
|
+
|
|
|
+ private final List<String> ignoreXssUrl = ListUtil.toList("/magic-api/**", "/magic/web/**");
|
|
|
//html过滤
|
|
|
private final static HTMLFilter HTML_FILTER = new HTMLFilter();
|
|
|
|
|
|
public XssHttpServletRequestWrapper(HttpServletRequest request) {
|
|
|
super(request);
|
|
|
orgRequest = request;
|
|
|
+
|
|
|
+ // 判断请求方式是否需要转换
|
|
|
+ String methodOverride = this.getHeader(HTTP_METHOD_OVERRIDE);
|
|
|
+ this.method = request.getMethod();
|
|
|
+ if (StrUtil.isNotBlank(methodOverride) && (methodOverride.equals("PUT") || methodOverride.equals("DELETE"))) {
|
|
|
+ method = methodOverride;
|
|
|
+ }
|
|
|
}
|
|
|
|
|
|
@Override
|
|
|
public ServletInputStream getInputStream() throws IOException {
|
|
|
//非json类型,直接返回
|
|
|
- if(!MediaType.APPLICATION_JSON_VALUE.equalsIgnoreCase(super.getHeader(HttpHeaders.CONTENT_TYPE))){
|
|
|
+ if (!MediaType.APPLICATION_JSON_VALUE.equalsIgnoreCase(super.getHeader(HttpHeaders.CONTENT_TYPE))) {
|
|
|
return super.getInputStream();
|
|
|
}
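Review bot: The override taken from the `x-http-method-override` header in the constructor is honored regardless of the original request method, so a GET or OPTIONS request can present itself as PUT or DELETE to everything downstream that calls `getMethod()`; the usual contract (Spring's HiddenHttpMethodFilter, for example) is to honor an override only on POST. Tightening the guard to `if ("POST".equals(request.getMethod()) && StrUtil.isNotBlank(methodOverride) && ("PUT".equals(methodOverride) || "DELETE".equals(methodOverride))) {` keeps method-keyed authorization and CSRF checks in step with what actually arrived. The header is also read through `this.getHeader(...)` from inside the constructor, an overridable call during construction; `request.getHeader(HTTP_METHOD_OVERRIDE)` avoids that. The comparison is case-sensitive (`put` is ignored), which is fine but deserves a one-line comment so nobody "fixes" it to `equalsIgnoreCase` without thinking about it.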
|
|
|
|
|
|
@@ -52,7 +65,7 @@ public class XssHttpServletRequestWrapper extends HttpServletRequestWrapper {
|
|
|
}
|
|
|
AntPathMatcher matcher = new AntPathMatcher();
|
|
|
|
|
|
- if(ignoreXssUrl.stream().noneMatch(url -> matcher.matchStart(url,orgRequest.getRequestURI()))){
|
|
|
+ if (ignoreXssUrl.stream().noneMatch(url -> matcher.matchStart(url, orgRequest.getRequestURI()))) {
|
|
|
//xss过滤 orgRequest.getRequestURI()
|
|
|
json = xssEncode(json);
|
|
|
}
|
|
|
@@ -103,9 +116,9 @@ public class XssHttpServletRequestWrapper extends HttpServletRequestWrapper {
|
|
|
}
|
|
|
|
|
|
@Override
|
|
|
- public Map<String,String[]> getParameterMap() {
|
|
|
- Map<String,String[]> map = new LinkedHashMap<>();
|
|
|
- Map<String,String[]> parameters = super.getParameterMap();
|
|
|
+ public Map<String, String[]> getParameterMap() {
|
|
|
+ Map<String, String[]> map = new LinkedHashMap<>();
|
|
|
+ Map<String, String[]> parameters = super.getParameterMap();
|
|
|
for (String key : parameters.keySet()) {
|
|
|
String[] values = parameters.get(key);
|
|
|
for (int i = 0; i < values.length; i++) {
|
|
|
@@ -125,6 +138,11 @@ public class XssHttpServletRequestWrapper extends HttpServletRequestWrapper {
|
|
|
return value;
|
|
|
}
|
|
|
|
|
|
+ @Override
|
|
|
+ public String getMethod() {
|
|
|
+ return method;
|
|
|
+ }
|
|
|
+
|
|
|
private String xssEncode(String input) {
|
|
|
return HTML_FILTER.filter(input);
|
|
|
}
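Review bot: The new `getMethod()` override can return a value that differs from the wrapped request's method, and nothing on the method says so; a Javadoc such as `/** Returns the effective HTTP method: the wrapped request's method, or PUT/DELETE when the x-http-method-override header selected one in the constructor. */` tells readers whether to trust `orgRequest.getMethod()` or `getMethod()` in a given place. The selection itself happens in the constructor, outside this hunk.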