escaping of dangerous characters

e635ca86 · ale · kl · 8bd36e37 · e635ca86 · e635ca86
Commit e635ca86 authored Jan 15, 2021 by ale Committed by kl Jan 22, 2021
Hide whitespace changes
Inline Side-by-side

Showing with 9 additions and 0 deletions

pom.xml server/pom.xml +5 -0

FileController.java ...rc/main/java/cn/keking/web/controller/FileController.java +4 -0

No files found.
--- a/server/pom.xml
+++ b/server/pom.xml
@@ -62,6 +62,11 @@
            <artifactId>commons-lang3</artifactId>
            <version>3.7</version>
        </dependency>
+        <dependency>
+            <groupId>org.apache.commons</groupId>
+            <artifactId>commons-text</artifactId>
+            <version>1.9</version>
+        </dependency>
        <!-- REDISSON -->
        <dependency>
            <groupId>org.redisson</groupId>

--- a/server/src/main/java/cn/keking/web/controller/FileController.java
+++ b/server/src/main/java/cn/keking/web/controller/FileController.java
@@ -16,6 +16,7 @@ import org.springframework.web.multipart.MultipartFile;

 import java.io.*;
 import java.util.*;
+import org.apache.commons.text.StringEscapeUtils;

 /**
 *
@@ -36,6 +37,9 @@ public class FileController {
        // 获取文件名
        String fileName = file.getOriginalFilename();
        //判断是否为IE浏览器的文件名，IE浏览器下文件名会带有盘符信息
+        
+        // escaping dangerous characters to prevent XSS
+        fileName = StringEscapeUtils.escapeHtml4(fileName);
        // Check for Unix-style path
        int unixSep = fileName.lastIndexOf('/');
        // Check for Windows-style path