渗透测试漏洞修复

2025-11-26 15:57:21 +08:00 · 2025-11-26 15:57:21 +08:00 · ff19105298
parent 388012656c
commit ff19105298
2 changed files with 15 additions and 2 deletions
--- a/gateway/src/main/java/com/bonus/gateway/filter/XssFilter.java
+++ b/gateway/src/main/java/com/bonus/gateway/filter/XssFilter.java
@ -82,13 +82,17 @@ public class XssFilter implements GlobalFilter, Ordered
                    DataBufferUtils.release(join);
                    String bodyStr = new String(content, StandardCharsets.UTF_8);
                    try {
-                        bodyStr = java.net.URLDecoder.decode(bodyStr, StandardCharsets.UTF_8.name());
+                        if (bodyStr.contains("username") || bodyStr.contains("password")){
                        }else {
                            bodyStr = java.net.URLDecoder.decode(bodyStr, StandardCharsets.UTF_8.name());
                        }
                    } catch (UnsupportedEncodingException e) {
                        throw new RuntimeException(e);
                    }
                    // 防xss攻击过滤
                    bodyStr = EscapeUtil.clean(bodyStr);
-                    bodyStr = XssFilterUtil.filterSpecialChars(bodyStr);
+                   /* bodyStr = XssFilterUtil.filterSpecialChars(bodyStr);*/
                    // 转成字节
                    byte[] bytes = bodyStr.getBytes();
                    NettyDataBufferFactory nettyDataBufferFactory = new NettyDataBufferFactory(ByteBufAllocator.DEFAULT);
--- a/modules/bmw/src/main/resources/static/login.html
+++ b/modules/bmw/src/main/resources/static/login.html
@ -24,6 +24,7 @@
            <div class="title"></div>
            <div id="pwdDiv">
                <input id="password" name="password" type="password" placeholder="密码"/>
                <p style="font-size: 12px; color: red; margin: 0;">密码中必须包含【大小字母】、【数字】、【特殊字符】</p>
            </div>
        </div>
        <div class="common-box  codeDiv">
@ -111,6 +112,14 @@
            $("#info").html('手机号或者密码或者验证码不能为空');
            $(obj).attr("disabled", false);
        } else {
            //验证密码强度
            var res = checkPwd(password);
            if (!res) {
                var msg = "您的密码复杂度太低！密码中必须包含【大小字母】、【数字】、【特殊字符】";
                alert(msg);
                //密码强度符合规则
                location.href = ctxPath + '/login.html';
            }
            $.ajax({
                type: 'post',
                contentType: "application/json; charset=utf-8",