非法值校验

2025-09-30 09:32:26 +08:00 · 2025-09-30 09:32:26 +08:00 · 9629141734
parent 677d735889
commit 9629141734
3 changed files with 3 additions and 1 deletions
--- a/bonus-common/src/main/java/com/bonus/common/utils/SafeUtil.java
+++ b/bonus-common/src/main/java/com/bonus/common/utils/SafeUtil.java
@ -22,7 +22,7 @@ public class SafeUtil {

    // 危险字符和编码
    public final static String DANGEROUS_CHARS =
-            "(<.*>|\\[.*\\]|\\(.*\\)|\".*\"|'.*'|@|!|\\$|;|\\||/)" +
+            "(<.*>|\\[.*\\]|\\(.*\\)|\".*\"|'.*'|@|%|!|\\$|;|\\||/)" +
                    "|(%3[cdef]|%2[bf2789]|%5[bd]|%3b|%28|%29)" +
                    "|(\\\\x3[cdef]|\\\\x2[bf27])" +
                    "|(data:text/html|base64|document\\.|window\\.|location\\.|cookie)";
--- a/bonus-framework/src/main/java/com/bonus/framework/interceptor/XssCheck.java
+++ b/bonus-framework/src/main/java/com/bonus/framework/interceptor/XssCheck.java
@ -72,6 +72,7 @@ public class XssCheck {
        // 其他特殊字符
        XSS_PATTERNS.add(Pattern.compile("@.*", Pattern.CASE_INSENSITIVE)); // @符号
        XSS_PATTERNS.add(Pattern.compile("!.*", Pattern.CASE_INSENSITIVE)); // 感叹号
+        XSS_PATTERNS.add(Pattern.compile("%", Pattern.CASE_INSENSITIVE)); // %

        // 十六进制编码
        XSS_PATTERNS.add(Pattern.compile("\\\\x3c", Pattern.CASE_INSENSITIVE)); // < 的十六进制
--- a/bonus-framework/src/main/java/com/bonus/framework/interceptor/XssRequestWrapper.java
+++ b/bonus-framework/src/main/java/com/bonus/framework/interceptor/XssRequestWrapper.java
@ -76,6 +76,7 @@ public class XssRequestWrapper extends HttpServletRequestWrapper {
        // 其他特殊字符
        XSS_PATTERNS.add(Pattern.compile("@.*", Pattern.CASE_INSENSITIVE)); // @符号
        XSS_PATTERNS.add(Pattern.compile("!.*", Pattern.CASE_INSENSITIVE)); // 感叹号
+        XSS_PATTERNS.add(Pattern.compile("%", Pattern.CASE_INSENSITIVE)); // %

        // 十六进制编码
        XSS_PATTERNS.add(Pattern.compile("\\\\x3c", Pattern.CASE_INSENSITIVE)); // < 的十六进制