xss转义

张帅
Commit cc91240aa84130ee1832463afbafdd5a4186c3ae 1 parent a2916c27
Showing 2 changed files with 44 additions and 1 deletions
grass/src/main/java/com/yohobuy/platform/grass/service/impl/GrassArticleServiceImpl.java
grass/src/main/java/com/yohobuy/platform/grass/util/HtmlUtils.java
--- a/grass/src/main/java/com/yohobuy/platform/grass/service/impl/GrassArticleServiceImpl.java
View file @cc91240
+++ b/grass/src/main/java/com/yohobuy/platform/grass/service/impl/GrassArticleServiceImpl.java
View file @cc91240
@@ -32,6 +32,7 @@ import com.yohobuy.platform.grass.cache.UserInfoCacheHelper;
 import com.yohobuy.platform.grass.service.IGrassArticleService;
 import com.yohobuy.platform.grass.service.IGrassRefreshCacheService;
 import com.yohobuy.platform.grass.task.TimerArticlePushJob;
+ import com.yohobuy.platform.grass.util.HtmlUtils;
 import com.yohobuy.platform.grass.util.MsgInformSceneEnum;
 import com.yohobuy.platform.model.common.PageResponseVO;
 import com.yohobuy.platform.model.grass.request.GrassArticleProductBo;
@@ -1923,7 +1924,7 @@ public class GrassArticleServiceImpl implements IGrassArticleService {
         if (StringUtils.isNotEmpty(req.getContent()) && 3 != sort) {
             GrassArticleBlock content = new GrassArticleBlock();
             content.setArticleId(articleId);
-             content.setContentData(getBlock(BLOCK_TEXT, req.getContent()));
+             content.setContentData(getBlock(BLOCK_TEXT, HtmlUtils.translate(req.getContent())));
             content.setCreateTime(now);
             content.setTemplateKey("text");
             content.setOrderBy(contentOrder);
--- a/grass/src/main/java/com/yohobuy/platform/grass/util/HtmlUtils.java 0 → 100644
View file @cc91240
+++ b/grass/src/main/java/com/yohobuy/platform/grass/util/HtmlUtils.java 0 → 100644
View file @cc91240
+ package com.yohobuy.platform.grass.util;
+ 
+ import com.google.common.collect.Maps;
+ import org.apache.commons.lang3.StringUtils;
+ 
+ import java.util.Map;
+ 
+ public class HtmlUtils {
+ 
+     private static final Map<String, String> BASIC_ESCAPE = Maps.newConcurrentMap();
+ 
+     static {
+ //        BASIC_ESCAPE.put("\"","&quot;"); // " - double-quote
+ //        BASIC_ESCAPE.put("&", "&amp;");     // & - ampersand
+         BASIC_ESCAPE.put("<", "&lt;");    // < - less-than
+         BASIC_ESCAPE.put(">", "&gt;");    // > - greater-than
+         BASIC_ESCAPE.put("∗", "&lowast;");
+     };
+ 
+     public static String translate(String input){
+         if(StringUtils.isEmpty(input)){
+             return input;
+         }
+         int length = input.length();
+         StringBuilder sb = new StringBuilder();
+         for (int i=0; i < length; i++){
+             char c = input.charAt(i);
+             sb.append(covert(c));
+         }
+ 
+         return sb.toString();
+     }
+ 
+     private static  String covert(char c){
+         for (Map.Entry<String, String> entry: BASIC_ESCAPE.entrySet()) {
+             if(entry.getKey().equals(String.valueOf(c)) ){
+                 return entry.getValue();
+             }
+         }
+         return String.valueOf(c);
+     }
+ }