tokens= request.getQueryParams();
+ token = request.getHeaders().getFirst(TokenConstants.TOKEN_HEAD);
+ if(tokens.get(hed)!=null && !tokens.get(hed).isEmpty()){
+ token =tokens.get("token").get(0);
+ if(nl.equals(token)){
+ token=null;
+ }
+ }
+ }
return token;
}
diff --git a/gateway/src/main/java/com/bonus/gateway/xss/CacheBodyGlobalFilter.java b/gateway/src/main/java/com/bonus/gateway/xss/CacheBodyGlobalFilter.java
new file mode 100644
index 0000000..89c48ea
--- /dev/null
+++ b/gateway/src/main/java/com/bonus/gateway/xss/CacheBodyGlobalFilter.java
@@ -0,0 +1,61 @@
+package com.bonus.gateway.xss;
+
+
+import org.springframework.cloud.gateway.filter.GatewayFilterChain;
+import org.springframework.cloud.gateway.filter.GlobalFilter;
+import org.springframework.core.Ordered;
+import org.springframework.core.io.buffer.DataBuffer;
+import org.springframework.core.io.buffer.DataBufferUtils;
+import org.springframework.http.HttpHeaders;
+import org.springframework.http.HttpMethod;
+import org.springframework.http.MediaType;
+import org.springframework.http.server.reactive.ServerHttpRequest;
+import org.springframework.http.server.reactive.ServerHttpRequestDecorator;
+import org.springframework.stereotype.Component;
+import org.springframework.web.server.ServerWebExchange;
+import reactor.core.publisher.Flux;
+import reactor.core.publisher.Mono;
+
+/**
+ * @Author:
+ * @Description: 这个过滤器解决body不能重复读的问题,为后续的XssRequestGlobalFilter重写post|put请求的body做准备
+ * @Date:
+ *
+ * 没把body的内容放到attribute中去,因为从attribute取出body内容还是需要强转成 Flux,然后转换成String,和直接读取body没有什么区别
+ */
+@Component
+public class CacheBodyGlobalFilter implements Ordered, GlobalFilter {
+ @Override
+ public Mono filter(ServerWebExchange exchange, GatewayFilterChain chain) {
+ HttpMethod method = exchange.getRequest().getMethod();
+ String contentType = exchange.getRequest().getHeaders().getFirst(HttpHeaders.CONTENT_TYPE);
+ if (method == HttpMethod.POST || method == HttpMethod.PUT) {
+ if (MediaType.APPLICATION_FORM_URLENCODED_VALUE.equalsIgnoreCase(contentType)
+ || MediaType.APPLICATION_JSON_VALUE.equalsIgnoreCase(contentType)
+ || MediaType.APPLICATION_JSON_UTF8_VALUE.equals(contentType)) {
+ return DataBufferUtils.join(exchange.getRequest().getBody())
+ .flatMap(dataBuffer -> {
+ DataBufferUtils.retain(dataBuffer);
+ Flux cachedFlux = Flux
+ .defer(() -> Flux.just(dataBuffer.slice(0, dataBuffer.readableByteCount())));
+ ServerHttpRequest mutatedRequest = new ServerHttpRequestDecorator(
+ exchange.getRequest()) {
+ @Override
+ public Flux getBody() {
+ return cachedFlux;
+ }
+ };
+ return chain.filter(exchange.mutate().request(mutatedRequest).build());
+ });
+ }
+
+ }
+ return chain.filter(exchange);
+ }
+
+ @Override
+ public int getOrder() {
+ return Ordered.HIGHEST_PRECEDENCE;
+ }
+}
+
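Review bot: The content-type guard at the `if (MediaType.APPLICATION_FORM_URLENCODED_VALUE.equalsIgnoreCase(contentType)` lines compares the raw header string, so a body sent as `application/json;charset=UTF-8` (the form many HTTP clients emit) is never cached, and the XssRequestGlobalFilter that the class comment says relies on this cache then runs against an uncached body; parse the header with `MediaType.parseMediaType(contentType)` and test `isCompatibleWith(MediaType.APPLICATION_JSON)` / `MediaType.APPLICATION_FORM_URLENCODED` instead. Two further gaps in the same method: `DataBufferUtils.retain(dataBuffer)` has no matching `DataBufferUtils.release`, so each cached body keeps a pooled buffer for the rest of the process, and `DataBufferUtils.join` on an empty body completes empty, in which case the `flatMap` never runs and `chain.filter` is never invoked for that request. The rewrite below releases the buffer once the downstream chain finishes and falls back to the plain chain on an empty body; `InvalidMediaTypeException` lives in `org.springframework.http` and needs an import. `Mono` and `Flux` are also used raw here; `Mono<Void>` and `Flux<DataBuffer>` match the `GlobalFilter` and `ServerHttpRequest` signatures.
```java
public Mono<Void> filter(ServerWebExchange exchange, GatewayFilterChain chain) {
    HttpMethod method = exchange.getRequest().getMethod();
    String contentType = exchange.getRequest().getHeaders().getFirst(HttpHeaders.CONTENT_TYPE);
    if ((method == HttpMethod.POST || method == HttpMethod.PUT) && contentType != null) {
        MediaType mediaType;
        try {
            mediaType = MediaType.parseMediaType(contentType);
        } catch (InvalidMediaTypeException e) {
            // unparseable Content-Type: nothing to cache, let the chain decide
            return chain.filter(exchange);
        }
        if (mediaType.isCompatibleWith(MediaType.APPLICATION_FORM_URLENCODED)
                || mediaType.isCompatibleWith(MediaType.APPLICATION_JSON)) {
            return DataBufferUtils.join(exchange.getRequest().getBody())
                    .flatMap(dataBuffer -> {
                        // … unchanged: retain, cachedFlux, ServerHttpRequestDecorator …
                        return chain.filter(exchange.mutate().request(mutatedRequest).build())
                                .doFinally(signal -> DataBufferUtils.release(dataBuffer));
                    })
                    // empty body: join() completes empty, so the chain must still run
                    .switchIfEmpty(Mono.defer(() -> chain.filter(exchange)));
        }
    }
    return chain.filter(exchange);
}
```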
diff --git a/gateway/src/main/java/com/bonus/gateway/xss/XssCleanRuleUtils.java b/gateway/src/main/java/com/bonus/gateway/xss/XssCleanRuleUtils.java
new file mode 100644
index 0000000..f785769
--- /dev/null
+++ b/gateway/src/main/java/com/bonus/gateway/xss/XssCleanRuleUtils.java
@@ -0,0 +1,124 @@
+package com.bonus.gateway.xss;
+
+
+
+import com.alibaba.fastjson.JSON;
+import com.alibaba.fastjson.JSONArray;
+import com.alibaba.fastjson.JSONObject;
+import org.jsoup.Jsoup;
+import org.jsoup.nodes.Document;
+import org.jsoup.safety.Whitelist;
+import org.springframework.core.io.ClassPathResource;
+
+import java.io.IOException;
+import java.io.InputStream;
+import java.util.Iterator;
+import java.util.regex.Pattern;
+
+/**
+ * @Author:
+ * @Description: xss过滤工具
+ * @Date:
+ */
+public class XssCleanRuleUtils {
+
+ //xss过滤规则(对于script、src及加载事件和弹窗事件的代码块)
+ private final static Pattern[] scriptPatterns = {
+ Pattern.compile("", Pattern.CASE_INSENSITIVE),
+ Pattern.compile("src[\r\n]*=[\r\n]*\\\'(.*?)\\\'", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL),
+ Pattern.compile("", Pattern.CASE_INSENSITIVE),
+ Pattern.compile("