比较版本
1b2bd1a271656e59d370289d6597baf2c8919087...0b3614e1622c955436d98dbb54b1890e7b4b4972
源分支
0b3614e1622c955436d98dbb54b1890e7b4b4972
目标分支
1b2bd1a271656e59d370289d6597baf2c8919087
Commits (3)
https://gitcode.net/u011197448/oneblog/-/commit/94806f5fe9078a9c41f2a7c5bf318ebcf290d65d
解决 github issue [#19]
2021-08-07T10:30:42+08:00
yadong.zhang
yadong.zhang0415@gmail.com
https://gitcode.net/u011197448/oneblog/-/commit/6caba5babb4c1763d78502c062a4860b7414f36b
修复部分 XSS
2021-08-07T10:44:58+08:00
yadong.zhang
yadong.zhang0415@gmail.com
https://gitcode.net/u011197448/oneblog/-/commit/0b3614e1622c955436d98dbb54b1890e7b4b4972
@override
2021-08-07T11:01:41+08:00
yadong.zhang
yadong.zhang0415@gmail.com
Showing
7 changed file
with
53 addition
and
6 deletion
+53
-6
blog-admin/src/main/java/com/zyd/blog/controller/RestLinkController.java
...main/java/com/zyd/blog/controller/RestLinkController.java
+8
-0
blog-admin/src/main/java/com/zyd/blog/core/shiro/ShiroServiceImpl.java
...c/main/java/com/zyd/blog/core/shiro/ShiroServiceImpl.java
+3
-0
blog-core/src/main/java/com/zyd/blog/business/service/impl/BizCommentServiceImpl.java
...zyd/blog/business/service/impl/BizCommentServiceImpl.java
+8
-1
blog-core/src/main/java/com/zyd/blog/business/service/impl/SysLinkServiceImpl.java
...om/zyd/blog/business/service/impl/SysLinkServiceImpl.java
+7
-0
blog-core/src/main/java/com/zyd/blog/util/HtmlUtil.java
blog-core/src/main/java/com/zyd/blog/util/HtmlUtil.java
+1
-0
blog-core/src/main/java/com/zyd/blog/util/IpUtil.java
blog-core/src/main/java/com/zyd/blog/util/IpUtil.java
+2
-1
blog-core/src/main/java/com/zyd/blog/util/RegexUtils.java
blog-core/src/main/java/com/zyd/blog/util/RegexUtils.java
+24
-4
blog-admin/src/main/java/com/zyd/blog/controller/RestLinkController.java
@@ -9,8 +9,10 @@ import com.zyd.blog.business.enums.TemplateKeyEnum;
import
com.zyd.blog.business.service.MailService
;
import
com.zyd.blog.business.service.SysLinkService
;
import
com.zyd.blog.business.vo.LinkConditionVO
;
import
com.zyd.blog.framework.exception.ZhydLinkException
;
import
com.zyd.blog.framework.object.PageResult
;
import
com.zyd.blog.framework.object.ResponseVO
;
import
com.zyd.blog.util.RegexUtils
;
import
com.zyd.blog.util.ResultUtil
;
import
org.apache.shiro.authz.annotation.Logical
;
import
org.apache.shiro.authz.annotation.RequiresPermissions
;
@@ -49,6 +51,9 @@ public class RestLinkController {
@BussinessLog
(
"添加友情链接"
)
public
ResponseVO
add
(
Link
link
)
{
link
.
setSource
(
LinkSourceEnum
.
ADMIN
);
if
(!
RegexUtils
.
isUrl
(
link
.
getUrl
()))
{
throw
new
ZhydLinkException
(
"链接地址无效!"
);
}
linkService
.
insert
(
link
);
mailService
.
send
(
link
,
TemplateKeyEnum
.
TM_LINKS
);
return
ResultUtil
.
success
(
"成功"
);
@@ -78,6 +83,9 @@ public class RestLinkController {
@PostMapping
(
"/edit"
)
@BussinessLog
(
"编辑友情链接"
)
public
ResponseVO
edit
(
Link
link
)
{
if
(!
RegexUtils
.
isUrl
(
link
.
getUrl
()))
{
throw
new
ZhydLinkException
(
"链接地址无效!"
);
}
try
{
linkService
.
updateSelective
(
link
);
}
catch
(
Exception
e
)
{
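Review bot: The `RegexUtils.isUrl(link.getUrl())` guard is placed in the controller for both `add` and `edit`, while `linkService.insert` and `linkService.updateSelective` stay callable without it; the same guard was added to `SysLinkServiceImpl.autoLink` in this change set, so the service's `insert`/`updateSelective` are the natural single place for it (or the controller should delegate), so that every caller goes through one check. `isUrl` itself is only anchored at the start of its pattern (see the note on RegexUtils), so the guard here admits any string that begins with a well-formed URL; that is best fixed in RegexUtils rather than per call site. `edit` continues past the hunk into a broad `catch (Exception e)` whose handling is not visible here.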
blog-admin/src/main/java/com/zyd/blog/core/shiro/ShiroServiceImpl.java
@@ -46,6 +46,7 @@ public class ShiroServiceImpl implements ShiroService {
/**
* 初始化权限
*/
@Override
public
Map
<
String
,
String
>
loadFilterChainDefinitions
()
{
/*
配置访问权限
@@ -84,6 +85,7 @@ public class ShiroServiceImpl implements ShiroService {
/**
* 重新加载权限
*/
@Override
public
void
updatePermission
()
{
ShiroFilterFactoryBean
shirFilter
=
SpringContextHolder
.
getBean
(
ShiroFilterFactoryBean
.
class
);
synchronized
(
shirFilter
)
{
@@ -136,6 +138,7 @@ public class ShiroServiceImpl implements ShiroService {
*
* @param roleId
*/
@Override
public
void
reloadAuthorizingByRoleId
(
Long
roleId
)
{
List
<
User
>
userList
=
userService
.
listByRoleId
(
roleId
);
if
(
CollectionUtils
.
isEmpty
(
userList
))
{
blog-core/src/main/java/com/zyd/blog/business/service/impl/BizCommentServiceImpl.java
@@ -205,8 +205,15 @@ public class BizCommentServiceImpl implements BizCommentService {
if
(
StringUtils
.
isEmpty
(
content
)
||
"\n"
.
equals
(
content
))
{
throw
new
ZhydCommentException
(
"说点什么吧"
);
}
String
url
=
comment
.
getUrl
();
String
avatar
=
comment
.
getAvatar
();
if
((!
StringUtils
.
isEmpty
(
avatar
)
&&
!
RegexUtils
.
isUrl
(
avatar
))
||
(!
StringUtils
.
isEmpty
(
url
)
&&
!
RegexUtils
.
isUrl
(
url
)))
{
throw
new
ZhydCommentException
(
"链接地址不正确"
);
}
// 过滤非法属性和无用的空标签
if
(!
XssKillerUtil
.
isValid
(
content
)
||
!
XssKillerUtil
.
isValid
(
comment
.
getAvatar
()))
{
if
(!
XssKillerUtil
.
isValid
(
content
)
||
!
XssKillerUtil
.
isValid
(
comment
.
getAvatar
())
||
!
XssKillerUtil
.
isValid
(
comment
.
getUrl
())
||
!
XssKillerUtil
.
isValid
(
comment
.
getNickname
())
||
!
XssKillerUtil
.
isValid
(
comment
.
getQq
())
||
!
XssKillerUtil
.
isValid
(
comment
.
getEmail
()))
{
throw
new
ZhydCommentException
(
"请不要使用特殊标签"
);
}
content
=
XssKillerUtil
.
clean
(
content
.
trim
()).
replaceAll
(
"(<p><br></p>)|(<p></p>)"
,
""
);
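Review bot: The new `XssKillerUtil.isValid` calls on `comment.getUrl()`, `getNickname()`, `getQq()` and `getEmail()` are validate-only: `content` is afterwards passed through `XssKillerUtil.clean`, but those four fields are stored exactly as submitted, so whatever `isValid` tolerates is what reaches the rendered page. For the structured fields a positive format check is tighter than a tag blacklist — digits-only for QQ and an e-mail pattern, e.g. a `RegexUtils.isEmail` helper next to `isUrl` — with the blacklist kept as a second layer. Whether `isValid` accepts a `null` argument is not visible here; if it does not, a comment without QQ or e-mail would now fail with an NPE instead of the `ZhydCommentException`, so each call presumably wants the same `!StringUtils.isEmpty(x) && …` guard the avatar/url check above already uses. The method continues outside the hunk.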
blog-core/src/main/java/com/zyd/blog/business/service/impl/SysLinkServiceImpl.java
@@ -16,6 +16,7 @@ import com.zyd.blog.framework.exception.ZhydLinkException;
import
com.zyd.blog.persistence.beans.SysLink
;
import
com.zyd.blog.persistence.mapper.SysLinkMapper
;
import
com.zyd.blog.util.HtmlUtil
;
import
com.zyd.blog.util.RegexUtils
;
import
lombok.extern.slf4j.Slf4j
;
import
org.springframework.beans.factory.annotation.Autowired
;
import
org.springframework.stereotype.Service
;
@@ -136,6 +137,12 @@ public class SysLinkServiceImpl implements SysLinkService {
@RedisCache
(
flush
=
true
)
public
boolean
autoLink
(
Link
link
)
throws
ZhydLinkException
{
String
url
=
link
.
getUrl
();
if
(
StringUtils
.
isEmpty
(
url
))
{
throw
new
ZhydLinkException
(
"链接地址为空!"
);
}
if
(!
RegexUtils
.
isUrl
(
url
))
{
throw
new
ZhydLinkException
(
"链接地址无效!"
);
}
Link
bo
=
getOneByUrl
(
url
);
if
(
bo
!=
null
)
{
throw
new
ZhydLinkException
(
"本站已经添加过贵站的链接!"
);
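Review bot: `RegexUtils.isUrl(url)` is a syntax check only, and it runs on the raw value: `url` is neither trimmed nor normalised before the exact-string `getOneByUrl(url)` lookup that backs the `本站已经添加过贵站的链接!` guard, so spelling variants of one address (trailing slash, query string) are treated as different sites; normalising `url` once, before both checks, keeps the two consistent. If `autoLink` goes on to fetch the submitted `url` server-side (HtmlUtil is imported here; the rest of the method is outside the hunk), `isUrl` does nothing to keep the target on public hosts, and an address-level check is needed before any outbound request. `isUrl` also has no end anchor, so trailing characters after a valid prefix pass; see the note on RegexUtils.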
blog-core/src/main/java/com/zyd/blog/util/HtmlUtil.java
@@ -51,6 +51,7 @@ public class HtmlUtil {
.
replaceAll
(
"'"
,
"\'"
)
.
replaceAll
(
"<"
,
"<"
)
.
replaceAll
(
">"
,
">"
)
.
replaceAll
(
"javascript:"
,
""
)
.
replaceAll
(
"[ \\f\\t\\v]{2,}"
,
"\t"
);
String
regEx
=
"<.+?>"
;
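Review bot: The added `.replaceAll("javascript:", "")` is a case-sensitive, single-pass substring removal, which is not a dependable scheme filter (it is well known to be easy to get around) and also rewrites legitimate body text that merely contains the word. The dependable control for link-type attributes is scheme allow-listing where the URL is used, e.g. accept only `http`, `https` and `mailto` from `java.net.URI.getScheme()` (lower-cased, after `trim()`), and leave this escaper to entity-encode. Two context lines in the same chain deserve a look while here: `.replaceAll("'", "\'")` is a no-op in Java (`"\'"` is the same string literal as `"'"`), so if `&#39;` was intended the replacement should be `.replaceAll("'", "&#39;")`; and the `<`/`>` replacements render identically on this page, presumably entity encoding lost in rendering, which is worth confirming in the source.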
blog-core/src/main/java/com/zyd/blog/util/IpUtil.java
@@ -36,6 +36,7 @@ public class IpUtil {
* @return
*/
private
static
boolean
checkIp
(
String
ip
)
{
return
!
StringUtils
.
isEmpty
(
ip
)
&&
!
"unknown"
.
equalsIgnoreCase
(
ip
);
return
!
StringUtils
.
isEmpty
(
ip
)
&&
!
"unknown"
.
equalsIgnoreCase
(
ip
)
&&
RegexUtils
.
isIp
(
ip
)
;
}
}
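Review bot: `RegexUtils.isIp` wraps its entire pattern in `^\s*( … \;?\s*)*$`, so the new `&& RegexUtils.isIp(ip)` still lets `checkIp` accept a whitespace-only value (`StringUtils.isEmpty` does not trim) and a `;`-separated run of several addresses, and the caller then uses that value unchanged. Trim before validating and require exactly one address: `String v = ip == null ? null : ip.trim();` and `return !StringUtils.isEmpty(v) && !"unknown".equalsIgnoreCase(v) && RegexUtils.isIp(v);`, together with dropping the outer repetition in `isIp`. Which header values feed `checkIp` is outside the hunk; if any come from forwarding headers such as `X-Forwarded-For`, a syntactically valid value is still client-supplied and should only be trusted when a proxy in front of the application sets it.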
blog-core/src/main/java/com/zyd/blog/util/RegexUtils.java
package
com.zyd.blog.util
;
import
org.springframework.util.StringUtils
;
import
java.util.LinkedList
;
import
java.util.List
;
import
java.util.regex.Matcher
;
@@ -17,10 +19,8 @@ import java.util.regex.Pattern;
public
class
RegexUtils
{
/**
* @param regex
* 正则表达式字符串
* @param str
* 要匹配的字符串
* @param regex 正则表达式字符串
* @param str 要匹配的字符串
* @return 如果str 符合 regex的正则表达式格式,返回true, 否则返回 false;
*/
public
static
List
<
String
>
match
(
String
str
,
String
regex
)
{
@@ -44,5 +44,25 @@ public class RegexUtils {
Matcher
matcher
=
pattern
.
matcher
(
str
);
return
matcher
.
find
();
}
public
static
boolean
isUrl
(
String
url
)
{
if
(
StringUtils
.
isEmpty
(
url
))
{
return
false
;
}
String
regex
=
"^((ht|f)tps?):\\/\\/([\\w\\-]+(\\.[\\w\\-]+)*\\/)*[\\w\\-]+(\\.[\\w\\-]+)*\\/?(\\?([\\w\\-\\.,@?^=%&:\\/~\\+#]*)+)?"
;
if
(!
StringUtils
.
isEmpty
(
url
)
&&
!
url
.
toLowerCase
().
startsWith
(
"http://"
)
&&
!
url
.
toLowerCase
().
startsWith
(
"https://"
))
{
return
false
;
}
return
RegexUtils
.
checkByRegex
(
url
,
regex
);
}
public
static
boolean
isIp
(
String
ip
)
{
if
(
StringUtils
.
isEmpty
(
ip
))
{
return
false
;
}
String
regex
=
"^\\s*(((([0-9A-Fa-f]{1,4}:){7}(([0-9A-Fa-f]{1,4})|:))|(([0-9A-Fa-f]{1,4}:){6}(:|((25[0-5]|2[0-4]\\d|[01]?\\d{1,2})(\\.(25[0-5]|2[0-4]\\d|[01]?\\d{1,2})){3})|(:[0-9A-Fa-f]{1,4})))|(([0-9A-Fa-f]{1,4}:){5}((:((25[0-5]|2[0-4]\\d|[01]?\\d{1,2})(\\.(25[0-5]|2[0-4]\\d|[01]?\\d{1,2})){3})?)|((:[0-9A-Fa-f]{1,4}){1,2})))|(([0-9A-Fa-f]{1,4}:){4}(:[0-9A-Fa-f]{1,4}){0,1}((:((25[0-5]|2[0-4]\\d|[01]?\\d{1,2})(\\.(25[0-5]|2[0-4]\\d|[01]?\\d{1,2})){3})?)|((:[0-9A-Fa-f]{1,4}){1,2})))|(([0-9A-Fa-f]{1,4}:){3}(:[0-9A-Fa-f]{1,4}){0,2}((:((25[0-5]|2[0-4]\\d|[01]?\\d{1,2})(\\.(25[0-5]|2[0-4]\\d|[01]?\\d{1,2})){3})?)|((:[0-9A-Fa-f]{1,4}){1,2})))|(([0-9A-Fa-f]{1,4}:){2}(:[0-9A-Fa-f]{1,4}){0,3}((:((25[0-5]|2[0-4]\\d|[01]?\\d{1,2})(\\.(25[0-5]|2[0-4]\\d|[01]?\\d{1,2})){3})?)|((:[0-9A-Fa-f]{1,4}){1,2})))|(([0-9A-Fa-f]{1,4}:)(:[0-9A-Fa-f]{1,4}){0,4}((:((25[0-5]|2[0-4]\\d|[01]?\\d{1,2})(\\.(25[0-5]|2[0-4]\\d|[01]?\\d{1,2})){3})?)|((:[0-9A-Fa-f]{1,4}){1,2})))|(:(:[0-9A-Fa-f]{1,4}){0,5}((:((25[0-5]|2[0-4]\\d|[01]?\\d{1,2})(\\.(25[0-5]|2[0-4]\\d|[01]?\\d{1,2})){3})?)|((:[0-9A-Fa-f]{1,4}){1,2})))|(((25[0-5]|2[0-4]\\d|[01]?\\d{1,2})(\\.(25[0-5]|2[0-4]\\d|[01]?\\d{1,2})){3})))\\;?\\s*)*$"
;
return
RegexUtils
.
checkByRegex
(
ip
,
regex
);
}
}
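Review bot: `isUrl` anchors its pattern only at the start and `checkByRegex` evaluates it with `matcher.find()`, so any string that begins with a well-formed URL passes regardless of what follows (quotes, angle brackets, whitespace); the pattern needs a `$` anchor, or the check must use `matches()`. Once anchored, the optional query group `(\?([…]*)+)?` has to be flattened to `(\?[…]*)?`, because a nested `(x*)+` against a long near-miss input backtracks exponentially as soon as the engine is forced to reach the end of the string, and the pattern is re-parsed on every call when it belongs in a `static final Pattern`. The `(ht|f)tps?` alternation is dead, since the `startsWith` test below only admits `http://`/`https://`, and the `!StringUtils.isEmpty(url)` inside that `if` repeats the early return. `isIp` has the opposite problem: its outer `( … \;?\s*)*` repetition matches an empty or whitespace-only body and a `;`-separated list of addresses, so the alternatives should be required exactly once, `^\s*(<single-address alternatives>)\s*$`, and callers should pass a trimmed value.
```java
// Compiled once; anchored at both ends so that matches() has to cover the whole string.
private static final Pattern URL_PATTERN = Pattern.compile(
        "^https?://([\\w\\-]+(\\.[\\w\\-]+)*/)*[\\w\\-]+(\\.[\\w\\-]+)*/?(\\?[\\w\\-.,@?^=%&:/~+#]*)?$");

public static boolean isUrl(String url) {
    if (StringUtils.isEmpty(url)) {
        return false;
    }
    // matches() rather than find(): a valid prefix followed by anything else must not pass.
    return URL_PATTERN.matcher(url).matches();
}
// … unchanged: isIp …
```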