From 1b269d95c484f57d04e7bcd01637d70d79f8d272 Mon Sep 17 00:00:00 2001
From: syruan <321359594@qq.com>
Date: Tue, 20 Aug 2024 19:14:42 +0800
Subject: [PATCH] =?UTF-8?q?XSS=E8=BF=87=E6=BB=A4=E5=99=A8=E9=97=AE?=
 =?UTF-8?q?=E9=A2=98=E8=A7=A3=E5=86=B3=EF=BC=8CgerReader=E9=94=99=E8=AF=AF?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 .../interceptor/ParamSecureHandler.java | 8 +++---
 .../interceptor/XssRequestWrapper.java | 26 ++++++++-----------
 2 files changed, 15 insertions(+), 19 deletions(-)
diff --git a/bonus-common/bonus-common-security/src/main/java/com/bonus/common/security/interceptor/ParamSecureHandler.java b/bonus-common/bonus-common-security/src/main/java/com/bonus/common/security/interceptor/ParamSecureHandler.java
index b82af31..d4b9d51 100644
--- a/bonus-common/bonus-common-security/src/main/java/com/bonus/common/security/interceptor/ParamSecureHandler.java
+++ b/bonus-common/bonus-common-security/src/main/java/com/bonus/common/security/interceptor/ParamSecureHandler.java
@@ -232,10 +232,10 @@ public class ParamSecureHandler implements AsyncHandlerInterceptor {
 * @param requestUrl
 */
 private boolean checkReader(String readerParam, String requestUrl) {
- if (SafeUtil.checkScript(readerParam)) {
- log.info("请求失败,当前请求参数不安全!请求地址:\n" + requestUrl + "\n不安全参数:数据流:" + readerParam);
- return false;
- }
+// if (SafeUtil.checkScript(readerParam)) {
+// log.info("请求失败,当前请求参数不安全!请求地址:\n" + requestUrl + "\n不安全参数:数据流:" + readerParam);
+// return false;
+// }
 return true;
 }
diff --git a/bonus-common/bonus-common-security/src/main/java/com/bonus/common/security/interceptor/XssRequestWrapper.java b/bonus-common/bonus-common-security/src/main/java/com/bonus/common/security/interceptor/XssRequestWrapper.java
index eaac793..f5638d4 100644
--- a/bonus-common/bonus-common-security/src/main/java/com/bonus/common/security/interceptor/XssRequestWrapper.java
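Review bot: With the SafeUtil.checkScript call commented out, checkReader returns true for every input, so the body-stream script check is silently disabled and both readerParam and requestUrl are now unused; nothing in this hunk replaces it, and the XssRequestWrapper hunk in the same patch stops filling `sb`, so its `xssCleanNew(sb.toString())` now only ever sees an empty string. If the motivation is the getReader error named in the subject (a servlet request body can be consumed only once), keep the check and run it on the body string the wrapper already buffered instead of dropping it; if disabling is intended, delete the commented-out lines rather than leaving dead code and say so in the Javadoc, e.g. `* NOTE: body-stream script check is disabled; readerParam is ignored.` Should the check be restored, do not log the full readerParam at info level as the old line did, since that writes the entire request body (possibly credentials or personal data) into the log; log the URL and a truncated excerpt instead. checkReader's caller is outside this hunk, so whether any other layer still validates the body cannot be confirmed here.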
+++ b/bonus-common/bonus-common-security/src/main/java/com/bonus/common/security/interceptor/XssRequestWrapper.java
@@ -36,21 +36,17 @@ public class XssRequestWrapper extends HttpServletRequestWrapper {
 super(request);
 getParameterMap();
 BufferedReader reader;
- try {
- reader = request.getReader();
- StringBuilder sb = new StringBuilder();
- char[] buf = new char[1024];
- int rd;
- while ((rd = reader.read(buf)) != -1) {
- sb.append(buf, 0, rd);
- }
- reader.close();
- streamParam = xssClean(sb.toString());
- setChecked(xssCleanNew(sb.toString()) && xssCleanNew(request.getQueryString()));
- body = streamParam.getBytes();
- } catch (IOException e) {
- log.error(e.getLocalizedMessage(),e);
- }
+ // reader = request.getReader();
+ StringBuilder sb = new StringBuilder();
+ char[] buf = new char[1024];
+ int rd;
+// while ((rd = reader.read(buf)) != -1) {
+// sb.append(buf, 0, rd);
+// }
+// reader.close();
+ streamParam = xssClean(sb.toString());
+ setChecked(xssCleanNew(sb.toString()) && xssCleanNew(request.getQueryString()));
+ body = streamParam.getBytes();
 queryString = xssClean(request.getQueryString());