blog-admin/src/main/java/com/zyd/blog/controller/RestLinkController.java

@@ -9,8 +9,10 @@ import com.zyd.blog.business.enums.TemplateKeyEnum;
 import com.zyd.blog.business.service.MailService;
 import com.zyd.blog.business.service.SysLinkService;
 import com.zyd.blog.business.vo.LinkConditionVO;
+import com.zyd.blog.framework.exception.ZhydLinkException;
 import com.zyd.blog.framework.object.PageResult;
 import com.zyd.blog.framework.object.ResponseVO;
+import com.zyd.blog.util.RegexUtils;
 import com.zyd.blog.util.ResultUtil;
 import org.apache.shiro.authz.annotation.Logical;
 import org.apache.shiro.authz.annotation.RequiresPermissions;
@@ -49,6 +51,9 @@ public class RestLinkController {
     @BussinessLog("添加友情链接")
     public ResponseVO add(Link link) {
         link.setSource(LinkSourceEnum.ADMIN);
+        if (!RegexUtils.isUrl(link.getUrl())) {
+            throw new ZhydLinkException("链接地址无效！");
+        }
         linkService.insert(link);
         mailService.send(link, TemplateKeyEnum.TM_LINKS);
         return ResultUtil.success("成功");
@@ -78,6 +83,9 @@ public class RestLinkController {
     @PostMapping("/edit")
     @BussinessLog("编辑友情链接")
     public ResponseVO edit(Link link) {
+        if (!RegexUtils.isUrl(link.getUrl())) {
+            throw new ZhydLinkException("链接地址无效！");
+        }
         try {
             linkService.updateSelective(link);
         } catch (Exception e) {

blog-admin/src/main/java/com/zyd/blog/core/shiro/ShiroServiceImpl.java

@@ -46,6 +46,7 @@ public class ShiroServiceImpl implements ShiroService {
     /**
      * 初始化权限
      */
+    @Override
     public Map<String, String> loadFilterChainDefinitions() {
         /*
             配置访问权限
@@ -84,6 +85,7 @@ public class ShiroServiceImpl implements ShiroService {
     /**
      * 重新加载权限
      */
+    @Override
     public void updatePermission() {
         ShiroFilterFactoryBean shirFilter = SpringContextHolder.getBean(ShiroFilterFactoryBean.class);
         synchronized (shirFilter) {
@@ -136,6 +138,7 @@ public class ShiroServiceImpl implements ShiroService {
      *
      * @param roleId
      */
+    @Override
     public void reloadAuthorizingByRoleId(Long roleId) {
         List<User> userList = userService.listByRoleId(roleId);
         if (CollectionUtils.isEmpty(userList)) {

blog-core/src/main/java/com/zyd/blog/business/service/impl/BizCommentServiceImpl.java

@@ -205,8 +205,15 @@ public class BizCommentServiceImpl implements BizCommentService {
         if (StringUtils.isEmpty(content) || "\n".equals(content)) {
             throw new ZhydCommentException("说点什么吧");
         }
+        String url = comment.getUrl();
+        String avatar = comment.getAvatar();
+        if ((!StringUtils.isEmpty(avatar) && !RegexUtils.isUrl(avatar)) || (!StringUtils.isEmpty(url) && !RegexUtils.isUrl(url))) {
+            throw new ZhydCommentException("链接地址不正确");
+        }
         // 过滤非法属性和无用的空标签
-        if (!XssKillerUtil.isValid(content) || !XssKillerUtil.isValid(comment.getAvatar())) {
+        if (!XssKillerUtil.isValid(content) || !XssKillerUtil.isValid(comment.getAvatar())
+                || !XssKillerUtil.isValid(comment.getUrl()) || !XssKillerUtil.isValid(comment.getNickname())
+                || !XssKillerUtil.isValid(comment.getQq()) || !XssKillerUtil.isValid(comment.getEmail())) {
             throw new ZhydCommentException("请不要使用特殊标签");
         }
         content = XssKillerUtil.clean(content.trim()).replaceAll("(<p><br></p>)|(<p></p>)", "");

blog-core/src/main/java/com/zyd/blog/business/service/impl/SysLinkServiceImpl.java

@@ -16,6 +16,7 @@ import com.zyd.blog.framework.exception.ZhydLinkException;
 import com.zyd.blog.persistence.beans.SysLink;
 import com.zyd.blog.persistence.mapper.SysLinkMapper;
 import com.zyd.blog.util.HtmlUtil;
+import com.zyd.blog.util.RegexUtils;
 import lombok.extern.slf4j.Slf4j;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.stereotype.Service;
@@ -136,6 +137,12 @@ public class SysLinkServiceImpl implements SysLinkService {
     @RedisCache(flush = true)
     public boolean autoLink(Link link) throws ZhydLinkException {
         String url = link.getUrl();
+        if(StringUtils.isEmpty(url)) {
+            throw new ZhydLinkException("链接地址为空！");
+        }
+        if(!RegexUtils.isUrl(url)) {
+            throw new ZhydLinkException("链接地址无效！");
+        }
         Link bo = getOneByUrl(url);
         if (bo != null) {
             throw new ZhydLinkException("本站已经添加过贵站的链接！");

blog-core/src/main/java/com/zyd/blog/util/HtmlUtil.java

@@ -51,6 +51,7 @@ public class HtmlUtil {
                 .replaceAll("'", "\'")
                 .replaceAll("&lt;", "<")
                 .replaceAll("&gt;", ">")
+                .replaceAll("javascript:", "")
                 .replaceAll("[ \\f\\t\\v]{2,}", "\t");
 
         String regEx = "<.+?>";

blog-core/src/main/java/com/zyd/blog/util/IpUtil.java

@@ -36,6 +36,7 @@ public class IpUtil {
      * @return
      */
     private static boolean checkIp(String ip) {
-        return !StringUtils.isEmpty(ip) && !"unknown".equalsIgnoreCase(ip);
+        return !StringUtils.isEmpty(ip) && !"unknown".equalsIgnoreCase(ip) && RegexUtils.isIp(ip);
     }
+
 }

blog-core/src/main/java/com/zyd/blog/util/RegexUtils.java

 package com.zyd.blog.util;
 
+import org.springframework.util.StringUtils;
+
 import java.util.LinkedList;
 import java.util.List;
 import java.util.regex.Matcher;
@@ -17,10 +19,8 @@ import java.util.regex.Pattern;
 public class RegexUtils {
 
     /**
-     * @param regex
-     *         正则表达式字符串
-     * @param str
-     *         要匹配的字符串
+     * @param regex 正则表达式字符串
+     * @param str   要匹配的字符串
      * @return 如果str 符合 regex的正则表达式格式,返回true, 否则返回 false;
      */
     public static List<String> match(String str, String regex) {
@@ -44,5 +44,25 @@ public class RegexUtils {
         Matcher matcher = pattern.matcher(str);
         return matcher.find();
     }
+
+    public static boolean isUrl(String url) {
+        if (StringUtils.isEmpty(url)) {
+            return false;
+        }
+        String regex = "^((ht|f)tps?):\\/\\/([\\w\\-]+(\\.[\\w\\-]+)*\\/)*[\\w\\-]+(\\.[\\w\\-]+)*\\/?(\\?([\\w\\-\\.,@?^=%&:\\/~\\+#]*)+)?";
+
+        if (!StringUtils.isEmpty(url) && !url.toLowerCase().startsWith("http://") && !url.toLowerCase().startsWith("https://")) {
+            return false;
+        }
+        return RegexUtils.checkByRegex(url, regex);
+    }
+
+    public static boolean isIp(String ip) {
+        if (StringUtils.isEmpty(ip)) {
+            return false;
+        }
+        String regex = "^\\s*(((([0-9A-Fa-f]{1,4}:){7}(([0-9A-Fa-f]{1,4})|:))|(([0-9A-Fa-f]{1,4}:){6}(:|((25[0-5]|2[0-4]\\d|[01]?\\d{1,2})(\\.(25[0-5]|2[0-4]\\d|[01]?\\d{1,2})){3})|(:[0-9A-Fa-f]{1,4})))|(([0-9A-Fa-f]{1,4}:){5}((:((25[0-5]|2[0-4]\\d|[01]?\\d{1,2})(\\.(25[0-5]|2[0-4]\\d|[01]?\\d{1,2})){3})?)|((:[0-9A-Fa-f]{1,4}){1,2})))|(([0-9A-Fa-f]{1,4}:){4}(:[0-9A-Fa-f]{1,4}){0,1}((:((25[0-5]|2[0-4]\\d|[01]?\\d{1,2})(\\.(25[0-5]|2[0-4]\\d|[01]?\\d{1,2})){3})?)|((:[0-9A-Fa-f]{1,4}){1,2})))|(([0-9A-Fa-f]{1,4}:){3}(:[0-9A-Fa-f]{1,4}){0,2}((:((25[0-5]|2[0-4]\\d|[01]?\\d{1,2})(\\.(25[0-5]|2[0-4]\\d|[01]?\\d{1,2})){3})?)|((:[0-9A-Fa-f]{1,4}){1,2})))|(([0-9A-Fa-f]{1,4}:){2}(:[0-9A-Fa-f]{1,4}){0,3}((:((25[0-5]|2[0-4]\\d|[01]?\\d{1,2})(\\.(25[0-5]|2[0-4]\\d|[01]?\\d{1,2})){3})?)|((:[0-9A-Fa-f]{1,4}){1,2})))|(([0-9A-Fa-f]{1,4}:)(:[0-9A-Fa-f]{1,4}){0,4}((:((25[0-5]|2[0-4]\\d|[01]?\\d{1,2})(\\.(25[0-5]|2[0-4]\\d|[01]?\\d{1,2})){3})?)|((:[0-9A-Fa-f]{1,4}){1,2})))|(:(:[0-9A-Fa-f]{1,4}){0,5}((:((25[0-5]|2[0-4]\\d|[01]?\\d{1,2})(\\.(25[0-5]|2[0-4]\\d|[01]?\\d{1,2})){3})?)|((:[0-9A-Fa-f]{1,4}){1,2})))|(((25[0-5]|2[0-4]\\d|[01]?\\d{1,2})(\\.(25[0-5]|2[0-4]\\d|[01]?\\d{1,2})){3})))\\;?\\s*)*$";
+        return RegexUtils.checkByRegex(ip, regex);
+    }
 }