From 279f96ffa4578e16fc1ab607da8b9cdc777b5b83 Mon Sep 17 00:00:00 2001
From: sgjj <995959152@qq.com>
Date: Wed, 13 May 2020 18:07:57 +0800
Subject: [PATCH] =?UTF-8?q?=E6=B7=BB=E5=8A=A0XSS=E8=BF=87=E6=BB=A4?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 .../mingsoft/cms/action/web/MCmsAction.java | 10 ++++----
 .../java/net/mingsoft/config/WebConfig.java | 23 +++++++++----------
 src/main/webapp/templets/1/default/search.htm | 8 +++---
 3 files changed, 19 insertions(+), 22 deletions(-)

diff --git a/src/main/java/net/mingsoft/cms/action/web/MCmsAction.java b/src/main/java/net/mingsoft/cms/action/web/MCmsAction.java
index 2ad8b959..3929bd27 100644
--- a/src/main/java/net/mingsoft/cms/action/web/MCmsAction.java
+++ b/src/main/java/net/mingsoft/cms/action/web/MCmsAction.java
@@ -295,9 +295,7 @@ public class MCmsAction extends net.mingsoft.cms.action.BaseAction {
 Map map = new HashMap<>();
 // 读取请求字段
- Map field = request.getParameterMap();
- // 文章字段集合
- Map articleFieldName = new HashMap();
+ Map field = BasicUtil.assemblyRequestMap();
 // 自定义字段集合
 Map diyFieldName = new HashMap();
 CategoryEntity column = null; // 当前栏目
@@ -330,9 +328,9 @@ public class MCmsAction extends net.mingsoft.cms.action.BaseAction {
 // 遍历取字段集合
 if (field != null) {
- for (Map.Entry entry : field.entrySet()) {
+ for (Map.Entry entry : field.entrySet()) {
 if (entry != null) {
- String value = entry.getValue()[0]; // 处理由get方法请求中文乱码问题
+ String value = entry.getValue().toString(); // 处理由get方法请求中文乱码问题
 if (ObjectUtil.isNull(value)) {
 continue;
 }
@@ -380,7 +378,7 @@ public class MCmsAction extends net.mingsoft.cms.action.BaseAction {
 } catch (IOException e1) {
 e1.printStackTrace();
 }
- Map searchMap = BasicUtil.assemblyRequestMap();
+ Map searchMap = field;
 searchMap.forEach((k,v)->{
 //sql注入过滤
 if(sqlFilter(v.toString())){
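Review bot: In the second hunk of MCmsAction.java, `String value = entry.getValue().toString();` dereferences the map value before the `ObjectUtil.isNull(value)` check on the next line, so that check can never be true and a null value now throws a NullPointerException instead of being skipped; whether `BasicUtil.assemblyRequestMap()` can contain null values is not visible here, but the guard is cheap: `Object raw = entry.getValue(); if (ObjectUtil.isNull(raw)) { continue; } String value = raw.toString();`. In the first and third hunks `field` and `searchMap` now refer to the same map object, so anything that mutates `field` between the two loops is also seen by the SQL-filter pass; a comment such as `// same map as field above; filtered for SQL keywords below` at `Map searchMap = field;` would make the aliasing deliberate. The removed and added `for (Map.Entry entry : field.entrySet())` lines read identically in this rendering, presumably because generic type arguments were lost on extraction; if the new map's values are no longer `String[]`, a parameterized `Map.Entry<String, Object>` would make that visible at the loop header. The enclosing method begins before the first hunk and continues after the third.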
diff --git a/src/main/java/net/mingsoft/config/WebConfig.java b/src/main/java/net/mingsoft/config/WebConfig.java
index 1a0d0ef0..49d86049 100644
--- a/src/main/java/net/mingsoft/config/WebConfig.java
+++ b/src/main/java/net/mingsoft/config/WebConfig.java
@@ -89,18 +89,17 @@ public class WebConfig implements WebMvcConfigurer {
 beanTypeAutoProxyCreator.setInterceptorNames("druidStatInterceptor");
 return beanTypeAutoProxyCreator;
 }
-// XSS过滤器
-// @Bean
-// public FilterRegistrationBean xssFilterRegistration() {
-// XSSEscapeFilter xssFilter = new XSSEscapeFilter();
-// FilterRegistrationBean registration = new FilterRegistrationBean(xssFilter);
-// xssFilter.excludes.add(".*file/upload.do");
-// xssFilter.excludes.add(".*/jsp/editor.do");
-// xssFilter.excludes.add(".*/?(jpg|js|css|gif|png|ico)$");
-// xssFilter.excludes.add("/");
-// registration.addUrlPatterns("/*");
-// return registration;
-// }
+ //XSS过滤器
+ @Bean
+ public FilterRegistrationBean xssFilterRegistration() {
+ XSSEscapeFilter xssFilter = new XSSEscapeFilter();
+ FilterRegistrationBean registration = new FilterRegistrationBean(xssFilter);
+ xssFilter.includes.add(".*/search.do");
+ registration.setName("XSSFilter");
+ registration.addUrlPatterns("/*");
+ registration.setOrder(Ordered.HIGHEST_PRECEDENCE);
+ return registration;
+ }

 /**
 * RequestContextListener注册
diff --git a/src/main/webapp/templets/1/default/search.htm b/src/main/webapp/templets/1/default/search.htm
index 4bacfd72..094e9699 100644
--- a/src/main/webapp/templets/1/default/search.htm
+++ b/src/main/webapp/templets/1/default/search.htm
@@ -12,7 +12,7 @@
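Review bot: `registration.setOrder(Ordered.HIGHEST_PRECEDENCE)` in the new `xssFilterRegistration()` gives the XSS filter the same order value Spring Boot's auto-configured CharacterEncodingFilter defaults to, so the order value no longer decides which of the two runs first; if `XSSEscapeFilter` reads request parameters (its source is not in this commit, but its purpose implies it), a `getParameter` call made before the request encoding is set fixes the charset used to decode every parameter, the same garbling the `处理由get方法请求中文乱码问题` comment in MCmsAction.java is working around. `registration.setOrder(Ordered.HIGHEST_PRECEDENCE + 1);` keeps the filter ahead of the application filters while letting encoding be applied first, assuming the project relies on the auto-configured encoding filter. The filter is mapped to `/*` but narrowed to `.*/search.do` through `includes`, the opposite of the exclude-list in the commented-out version it replaces; a one-line comment above `xssFilter.includes.add(".*/search.do");` stating why only the search endpoint is escaped would stop the next reader from assuming the whole site is covered by this bean. `FilterRegistrationBean` is used as a raw type here; `FilterRegistrationBean<XSSEscapeFilter>` on both the local and the return type documents the filter type and removes the unchecked warning.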