From f757438d1b5977982961c48ecc1375e4fffa13b2 Mon Sep 17 00:00:00 2001
From: Charles7c <charles7c@126.com>
Date: Tue, 16 Apr 2024 22:39:34 +0800
Subject: [PATCH] =?UTF-8?q?refactor(web/xss):=20=E4=BC=98=E5=8C=96=20XSS?=
 =?UTF-8?q?=20=E8=BF=87=E6=BB=A4=E9=83=A8=E5=88=86=E4=BB=A3=E7=A0=81?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 .../web/autoconfigure/xss/XssFilter.java      |  2 +-
 .../web/autoconfigure/xss/XssProperties.java  |  4 +-
 .../xss/XssServletRequestWrapper.java         | 43 ++++++++-----------
 .../continew/starter/web/enums/XssMode.java   |  7 +--
 4 files changed, 24 insertions(+), 32 deletions(-)

diff --git a/continew-starter-web/src/main/java/top/continew/starter/web/autoconfigure/xss/XssFilter.java b/continew-starter-web/src/main/java/top/continew/starter/web/autoconfigure/xss/XssFilter.java
index 413f521d..642ef9eb 100644
--- a/continew-starter-web/src/main/java/top/continew/starter/web/autoconfigure/xss/XssFilter.java
+++ b/continew-starter-web/src/main/java/top/continew/starter/web/autoconfigure/xss/XssFilter.java
@@ -55,7 +55,7 @@ public class XssFilter implements Filter {
                          FilterChain filterChain) throws IOException, ServletException {
         // 未开启 XSS 过滤，则直接跳过
         if (servletRequest instanceof HttpServletRequest request && xssProperties.isEnabled()) {
-            // 放行路由：忽略 XSS 过滤（）
+            // 放行路由：忽略 XSS 过滤
             List<String> excludePatterns = xssProperties.getExcludePatterns();
             if (CollectionUtil.isNotEmpty(excludePatterns) && isMatchPath(request.getServletPath(), excludePatterns)) {
                 filterChain.doFilter(request, servletResponse);
diff --git a/continew-starter-web/src/main/java/top/continew/starter/web/autoconfigure/xss/XssProperties.java b/continew-starter-web/src/main/java/top/continew/starter/web/autoconfigure/xss/XssProperties.java
index c456b676..89df5fd6 100644
--- a/continew-starter-web/src/main/java/top/continew/starter/web/autoconfigure/xss/XssProperties.java
+++ b/continew-starter-web/src/main/java/top/continew/starter/web/autoconfigure/xss/XssProperties.java
@@ -52,9 +52,7 @@ public class XssProperties {
     private List<String> excludePatterns = new ArrayList<>();
 
     /**
-     * xss过滤方式
-     * clean : 删除xss匹配标签 （默认）
-     * escape ： 转义xss匹配标签
+     * XSS 模式
      */
     private XssMode mode = XssMode.CLEAN;
 
diff --git a/continew-starter-web/src/main/java/top/continew/starter/web/autoconfigure/xss/XssServletRequestWrapper.java b/continew-starter-web/src/main/java/top/continew/starter/web/autoconfigure/xss/XssServletRequestWrapper.java
index 707b9b76..0fb1fb8b 100644
--- a/continew-starter-web/src/main/java/top/continew/starter/web/autoconfigure/xss/XssServletRequestWrapper.java
+++ b/continew-starter-web/src/main/java/top/continew/starter/web/autoconfigure/xss/XssServletRequestWrapper.java
@@ -18,15 +18,14 @@ package top.continew.starter.web.autoconfigure.xss;
 
 import cn.hutool.core.collection.CollectionUtil;
 import cn.hutool.core.io.IoUtil;
-import cn.hutool.core.util.ArrayUtil;
-import cn.hutool.core.util.EscapeUtil;
-import cn.hutool.core.util.ReUtil;
-import cn.hutool.core.util.StrUtil;
+import cn.hutool.core.util.*;
 import cn.hutool.http.HtmlUtil;
+import cn.hutool.http.Method;
 import jakarta.servlet.ReadListener;
 import jakarta.servlet.ServletInputStream;
 import jakarta.servlet.http.HttpServletRequest;
 import jakarta.servlet.http.HttpServletRequestWrapper;
+import top.continew.starter.core.constant.StringConstants;
 import top.continew.starter.web.enums.XssMode;
 
 import java.io.BufferedReader;
@@ -38,27 +37,25 @@ import java.util.List;
 /**
  * 针对 XssServletRequest 进行过滤的包装类
  *
- * @author whh
+ * @author whhya
  * @since 2.0.0
  */
 public class XssServletRequestWrapper extends HttpServletRequestWrapper {
 
-    private String body = "";
-
-    private final static String ESCAPE_MODE = "ESCAPE";
-    String[] method = {"POST", "PATCH", "PUT"};
-
     private final XssProperties xssProperties;
 
+    private String body = "";
+
     public XssServletRequestWrapper(HttpServletRequest request, XssProperties xssProperties) throws IOException {
         super(request);
         this.xssProperties = xssProperties;
-        if (StrUtil.containsAny(request.getMethod().toUpperCase(), method)) {
+        if (StrUtil.containsAny(request.getMethod().toUpperCase(), Method.POST.name(), Method.PATCH.name(), Method.PUT
+            .name())) {
             body = IoUtil.getReader(request.getReader()).readLine();
             if (StrUtil.isEmpty(body)) {
                 return;
             }
-            body = handleTag(body);
+            body = this.handleTag(body);
         }
     }
 
@@ -74,12 +71,12 @@ public class XssServletRequestWrapper extends HttpServletRequestWrapper {
 
     @Override
     public String getQueryString() {
-        return handleTag(super.getQueryString());
+        return this.handleTag(super.getQueryString());
     }
 
     @Override
     public String getParameter(String name) {
-        return handleTag(super.getParameter(name));
+        return this.handleTag(super.getParameter(name));
     }
 
     @Override
@@ -91,13 +88,13 @@ public class XssServletRequestWrapper extends HttpServletRequestWrapper {
         int length = values.length;
         String[] resultValues = new String[length];
         for (int i = 0; i < length; i++) {
-            resultValues[i] = handleTag(values[i]);
+            resultValues[i] = this.handleTag(values[i]);
         }
         return resultValues;
     }
 
     /**
-     * 对文本内容使用指定过滤模式
+     * 对文本内容进行 XSS 处理
      *
      * @param content 文本内容
      * @return 返回处理过后内容
@@ -106,24 +103,20 @@ public class XssServletRequestWrapper extends HttpServletRequestWrapper {
         if (StrUtil.isEmpty(content)) {
             return content;
         }
-        // 获取过滤模式
         XssMode mode = xssProperties.getMode();
-        //异常情况下mode为空，则默认用清空模式
-        if (StrUtil.isEmpty(mode.name())) {
-            return HtmlUtil.cleanHtmlTag(content);
-        }
-        // 如果是escape模式，则进行转义
-        if (mode.name().equals(ESCAPE_MODE)) {
+        // 转义
+        if (XssMode.ESCAPE.equals(mode)) {
             List<String> reStr = ReUtil.findAllGroup0(HtmlUtil.RE_HTML_MARK, content);
             if (CollectionUtil.isEmpty(reStr)) {
                 return content;
             }
             for (String s : reStr) {
-                content = content.replace(s, EscapeUtil.escapeHtml4(s).replace("\\", ""));
+                content = content.replace(s, EscapeUtil.escapeHtml4(s)
+                    .replace(StringConstants.BACKSLASH, StringConstants.EMPTY));
             }
             return content;
-
         }
+        // 清理
         return HtmlUtil.cleanHtmlTag(content);
     }
 
diff --git a/continew-starter-web/src/main/java/top/continew/starter/web/enums/XssMode.java b/continew-starter-web/src/main/java/top/continew/starter/web/enums/XssMode.java
index 4ccbaa11..1471a504 100644
--- a/continew-starter-web/src/main/java/top/continew/starter/web/enums/XssMode.java
+++ b/continew-starter-web/src/main/java/top/continew/starter/web/enums/XssMode.java
@@ -17,7 +17,7 @@
 package top.continew.starter.web.enums;
 
 /**
- * API 类型枚举
+ * XSS 模式枚举
  *
  * @author whhya
  * @since 2.0.0
@@ -25,11 +25,12 @@ package top.continew.starter.web.enums;
 public enum XssMode {
 
     /**
-     * 所有 API
+     * 清理
      */
     CLEAN,
+
     /**
-     * 分页
+     * 转义
      */
     ESCAPE,
 }
\ No newline at end of file