From d52b21cc6afdef9b994ae879fbab5c8d199ce47c Mon Sep 17 00:00:00 2001
From: zhanghanlin
Date: Fri, 26 Jun 2015 11:01:00 +0800
Subject: [PATCH] update XSS

---
 .../java/web/common/XSSRequestWrapper.java | 21 +++++----------------
 1 file changed, 5 insertions(+), 16 deletions(-)

diff --git a/mybatis-spring-web/src/main/java/com/demo/java/web/common/XSSRequestWrapper.java b/mybatis-spring-web/src/main/java/com/demo/java/web/common/XSSRequestWrapper.java
index 9341fee..a59b1ba 100644
--- a/mybatis-spring-web/src/main/java/com/demo/java/web/common/XSSRequestWrapper.java
+++ b/mybatis-spring-web/src/main/java/com/demo/java/web/common/XSSRequestWrapper.java
@@ -5,6 +5,8 @@
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletRequestWrapper;
 
+import org.springframework.web.util.HtmlUtils;
+
 public class XSSRequestWrapper extends HttpServletRequestWrapper {
 
     public XSSRequestWrapper(HttpServletRequest request) {
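Review bot: The new `import org.springframework.web.util.HtmlUtils;` arrives with no documentation of what it replaces or in which output context the escaped value is meant to be safe; presumably `stripXSS` now delegates to `HtmlUtils.htmlEscape`, but that call sits outside the visible part of the second hunk, so this is inferred. HTML-entity encoding applied on input is only correct for values rendered in an HTML body or attribute; values that later land in JavaScript, a URL or JSON need their own encoding, and values stored and re-escaped by the view layer get double-encoded, so the wrapper should say so in a class-level Javadoc such as `/** Escapes HTML special characters in parameters and headers on input. Defence in depth only: views still need context-specific output encoding. */`. Separately, the unchanged context line `value = value.replaceAll("", "");` in the second hunk is a no-op as it appears here (an empty pattern replaces nothing); if the intent is to strip NUL bytes it should read `value = value.replace("\0", "");`. The second hunk, including the rest of `stripXSS`, continues past the end of the visible patch.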
@@ -39,43 +41,30 @@ public String getHeader(String name) { private String stripXSS(String value) { if (value != null) { - // NOTE: It's highly recommended to use the ESAPI library and - // uncomment the following line to - // avoid encoded attacks. - // value = ESAPI.encoder().canonicalize(value); - // Avoid null characters value = value.replaceAll("", ""); - // Avoid anything between script tags Pattern scriptPattern = Pattern.compile("", Pattern.CASE_INSENSITIVE); value = scriptPattern.matcher(value).replaceAll(""); - // Avoid anything in a - // src="http://www.yihaomen.com/article/java/..." type of - // e­xpression scriptPattern = Pattern.compile("src[\r\n]*=[\r\n]*\\\'(.*?)\\\'", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL); value = scriptPattern.matcher(value).replaceAll(""); scriptPattern = Pattern.compile("src[\r\n]*=[\r\n]*\\\"(.*?)\\\"", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL); value = scriptPattern.matcher(value).replaceAll(""); - // Remove any lonesome tag scriptPattern = Pattern.compile("", Pattern.CASE_INSENSITIVE); value = scriptPattern.matcher(value).replaceAll(""); - // Remove any lonesome