From 5e8f3a9b6eaba8de6248fbfae82446947929187d Mon Sep 17 00:00:00 2001
From: RuoYi <yzz_ivy@163.com>
Date: Wed, 5 Feb 2020 18:05:08 +0800
Subject: [PATCH] README

---
 README.md                                                    | 2 +-
 .../main/java/com/ruoyi/common/utils/html/EscapeUtil.java    | 2 ++
 .../main/java/com/ruoyi/common/utils/html/HTMLFilter.java    | 5 +++--
 3 files changed, 6 insertions(+), 3 deletions(-)

diff --git a/README.md b/README.md
index 6943f639..23701820 100644
--- a/README.md
+++ b/README.md
@@ -80,7 +80,7 @@
     </tr>
 	<tr>
         <td><img src="https://oscimg.oschina.net/oscnet/bed2b98a44e7ae820c2885329e711965c28.jpg"/></td>
-        <td><img src="https://oscimg.oschina.net/oscnet/5f3d39a141f21f81b90536f391b8408f1fa.jpg"/></td>
+        <td><img src="https://oscimg.oschina.net/oscnet/up-6d73c2140ce694e3de4c05035fdc1868d4c.png"/></td>
     </tr>
 </table>
 
diff --git a/ruoyi-common/src/main/java/com/ruoyi/common/utils/html/EscapeUtil.java b/ruoyi-common/src/main/java/com/ruoyi/common/utils/html/EscapeUtil.java
index 62b4b18f..5a4cf0c8 100644
--- a/ruoyi-common/src/main/java/com/ruoyi/common/utils/html/EscapeUtil.java
+++ b/ruoyi-common/src/main/java/com/ruoyi/common/utils/html/EscapeUtil.java
@@ -145,6 +145,8 @@ public class EscapeUtil
     public static void main(String[] args)
     {
         String html = "<script>alert(1);</script>";
+        // String html = "<scr<script>ipt>alert(\"XSS\")</scr<script>ipt>";
+        // String html = "<123";
         System.out.println(EscapeUtil.clean(html));
         System.out.println(EscapeUtil.escape(html));
         System.out.println(EscapeUtil.unescape(html));
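Review bot: The two added lines are commented-out alternative inputs inside main(), i.e. dead code that nothing executes; they look like the manual cases used to adjust HTMLFilter in this same commit, so they belong in a unit test that asserts what clean() returns for each input rather than in a comment that will drift from the filter's behaviour. If they are meant to stay as examples, say so on the line, e.g. `// Manual sample inputs used when tuning HTMLFilter; not exercised by automated tests.`. main() begins on the hunk's first line and its body continues past the end of the hunk.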
diff --git a/ruoyi-common/src/main/java/com/ruoyi/common/utils/html/HTMLFilter.java b/ruoyi-common/src/main/java/com/ruoyi/common/utils/html/HTMLFilter.java
index 6244cd57..7c504585 100644
--- a/ruoyi-common/src/main/java/com/ruoyi/common/utils/html/HTMLFilter.java
+++ b/ruoyi-common/src/main/java/com/ruoyi/common/utils/html/HTMLFilter.java
@@ -35,7 +35,7 @@ public final class HTMLFilter
     private static final Pattern P_VALID_ENTITIES = Pattern.compile("&([^&;]*)(?=(;|&|$))");
     private static final Pattern P_VALID_QUOTES = Pattern.compile("(>|^)([^<]+?)(<|$)", Pattern.DOTALL);
     private static final Pattern P_END_ARROW = Pattern.compile("^>");
-    private static final Pattern P_BODY_TO_END = Pattern.compile("<([^>]*?)(?=<|$)");
+    // private static final Pattern P_BODY_TO_END = Pattern.compile("<([^>]*?)(?=<|$)");
     private static final Pattern P_XML_CONTENT = Pattern.compile("(^|>)([^<]*?)(?=>)");
     private static final Pattern P_STRAY_LEFT_ARROW = Pattern.compile("<([^>]*?)(?=<|$)");
     private static final Pattern P_STRAY_RIGHT_ARROW = Pattern.compile("(^|>)([^<]*?)(?=>)");
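Review bot: P_BODY_TO_END is left behind as commented-out code instead of being deleted, and its regex `<([^>]*?)(?=<|$)` is byte-identical to P_STRAY_LEFT_ARROW three lines below it, so the commented line preserves nothing that the file does not still contain. Delete the line outright; git history keeps the old definition. The same applies to the commented-out call `// s = regexReplace(P_BODY_TO_END, "<$1>", s);` in the second hunk of this file, which should also be removed rather than kept as a comment.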
@@ -245,7 +245,8 @@ public final class HTMLFilter
             // try and form html
             //
             s = regexReplace(P_END_ARROW, "", s);
-            s = regexReplace(P_BODY_TO_END, "<$1>", s);
+            // 不追加结束标签
+            // s = regexReplace(P_BODY_TO_END, "<$1>", s);
             s = regexReplace(P_XML_CONTENT, "$1<$2", s);
 
         }
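Review bot: The rationale for dropping the auto-close step is only recorded as a non-English comment next to a commented-out line, so a later maintainer cannot tell from the code why unterminated tags are no longer rewritten to closed ones; replace both added lines with an English why-comment, e.g. `// Do not auto-close unterminated tags: plain text such as "<123" must not be rewritten to "<123>".`. Skipping this replacement changes what the following P_XML_CONTENT pass and the later stray-arrow passes (outside this hunk) receive for an unterminated tag, and the hunk alone does not show whether those passes still neutralize such input, so a regression test pinning clean()'s output for an unterminated tag and for a plain "<123" would make the new behaviour explicit. The enclosing method starts and ends outside this hunk.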