update 优化 xss包装器 Parameter 处理兼容某些容器不允许改参数的情况

2 months ago · 87feefe5f8
parent ab828a2579
commit 87feefe5f8
1 changed files with 24 additions and 15 deletions
--- a/ruoyi-common/ruoyi-common-web/src/main/java/org/dromara/common/web/filter/XssHttpServletRequestWrapper.java
+++ b/ruoyi-common/ruoyi-common-web/src/main/java/org/dromara/common/web/filter/XssHttpServletRequestWrapper.java
@ -1,6 +1,8 @@
 package org.dromara.common.web.filter;

 import cn.hutool.core.io.IoUtil;
+import cn.hutool.core.map.MapUtil;
+import cn.hutool.core.util.ArrayUtil;
 import cn.hutool.core.util.StrUtil;
 import cn.hutool.http.HtmlUtil;
 import jakarta.servlet.ReadListener;
@ -14,6 +16,7 @@ import org.springframework.http.MediaType;
 import java.io.ByteArrayInputStream;
 import java.io.IOException;
 import java.nio.charset.StandardCharsets;
+import java.util.HashMap;
 import java.util.Map;

 /**
@ -32,16 +35,22 @@ public class XssHttpServletRequestWrapper extends HttpServletRequestWrapper {
    @Override
    public String getParameter(String name) {
        String value = super.getParameter(name);
-        if (value != null) {
-            return HtmlUtil.cleanHtmlTag(value).trim();
+        if (value == null) {
+            return null;
        }
-        return value;
+        return HtmlUtil.cleanHtmlTag(value).trim();
    }

    @Override
    public Map<String, String[]> getParameterMap() {
        Map<String, String[]> valueMap = super.getParameterMap();
-        for (Map.Entry<String, String[]> entry : valueMap.entrySet()) {
+        if (MapUtil.isEmpty(valueMap)) {
+            return valueMap;
+        }
+        // 避免某些容器不允许改参数的情况 copy一份重新改
+        Map<String, String[]> map = new HashMap<>(valueMap.size());
+        map.putAll(valueMap);
+        for (Map.Entry<String, String[]> entry : map.entrySet()) {
            String[] values = entry.getValue();
            if (values != null) {
                int length = values.length;
@ -50,25 +59,25 @@ public class XssHttpServletRequestWrapper extends HttpServletRequestWrapper {
                    // 防xss攻击和过滤前后空格
                    escapseValues[i] = HtmlUtil.cleanHtmlTag(values[i]).trim();
                }
-                valueMap.put(entry.getKey(), escapseValues);
+                map.put(entry.getKey(), escapseValues);
            }
        }
-        return valueMap;
+        return map;
    }

    @Override
    public String[] getParameterValues(String name) {
        String[] values = super.getParameterValues(name);
-        if (values != null) {
-            int length = values.length;
-            String[] escapseValues = new String[length];
-            for (int i = 0; i < length; i++) {
-                // 防xss攻击和过滤前后空格
-                escapseValues[i] = HtmlUtil.cleanHtmlTag(values[i]).trim();
-            }
-            return escapseValues;
+        if (ArrayUtil.isEmpty(values)) {
+            return values;
+        }
+        int length = values.length;
+        String[] escapseValues = new String[length];
+        for (int i = 0; i < length; i++) {
+            // 防xss攻击和过滤前后空格
+            escapseValues[i] = HtmlUtil.cleanHtmlTag(values[i]).trim();
        }
-        return values;
+        return escapseValues;
    }

    @Override