移除 Apache-common-text 包，采用 spring 内置的 HtmlUtils 处理 xss 问题

50dd7c1b · chenkailing · 2dd06717 · 50dd7c1b · 50dd7c1b
Commit 50dd7c1b authored Jan 23, 2021 by chenkailing
Hide whitespace changes
Inline Side-by-side

Showing with 4 additions and 7 deletions

pom.xml server/pom.xml +0 -5

FileController.java ...rc/main/java/cn/keking/web/controller/FileController.java +4 -2

No files found.
--- a/server/pom.xml
+++ b/server/pom.xml
@@ -62,11 +62,6 @@
            <artifactId>commons-lang3</artifactId>
            <version>3.7</version>
        </dependency>
-        <dependency>
-            <groupId>org.apache.commons</groupId>
-            <artifactId>commons-text</artifactId>
-            <version>1.9</version>
-        </dependency>
        <!-- REDISSON -->
        <dependency>
            <groupId>org.redisson</groupId>

--- a/server/src/main/java/cn/keking/web/controller/FileController.java
+++ b/server/src/main/java/cn/keking/web/controller/FileController.java
@@ -15,8 +15,9 @@ import org.springframework.web.bind.annotation.RestController;
 import org.springframework.web.multipart.MultipartFile;

 import java.io.*;
+import java.nio.charset.StandardCharsets;
 import java.util.*;
-import org.apache.commons.text.StringEscapeUtils;
+import org.springframework.web.util.HtmlUtils;

 /**
 *
@@ -39,7 +40,8 @@ public class FileController {
        //判断是否为IE浏览器的文件名，IE浏览器下文件名会带有盘符信息
        
        // escaping dangerous characters to prevent XSS
-        fileName = StringEscapeUtils.escapeHtml4(fileName);
+        fileName = HtmlUtils.htmlEscape(fileName, StandardCharsets.UTF_8.name());
+
        // Check for Unix-style path
        int unixSep = fileName.lastIndexOf('/');
        // Check for Windows-style path