🐛 fixed XssUtils

🐛 fixed XssUtils

src/main/java/com/rymcu/forest/util/XssUtils.java

@@ -17,10 +17,11 @@ import java.util.regex.Pattern;
  * @packageName com.rymcu.forest.util
  */
 public class XssUtils {
-    private static final String regex = "(<pre>[\\s|\\S]+?</pre>)|(<code>[\\s|\\S]+?</code>)";
+    private static final String REGEX_CODE = "(<pre>[\\s|\\S]+?</pre>)|(<code>[\\s|\\S]+?</code>)";
 
     /**
      * 滤除content中的危险 HTML 代码, 主要是脚本代码, 滚动字幕代码以及脚本事件处理代码
+     *
      * @param content 需要滤除的字符串
      * @return 过滤的结果
      */
@@ -49,33 +50,54 @@ public class XssUtils {
     }
 
     public static String filterHtmlCode(String content) {
-        if(StringUtils.isBlank(content)) {
+        if (StringUtils.isBlank(content)) {
             return content;
         }
         // 拿到匹配的pre标签List
-        List<String> resultFindAll = ReUtil.findAll(regex, content, 0, new ArrayList<>());
+        List<String> resultFindAll = ReUtil.findAll(REGEX_CODE, content, 0, new ArrayList<>());
         // size大于0，就做替换
         if (resultFindAll.size() > 0) {
-            // 生成一个待替换唯一字符串
+            String uniqueUUID = searchUniqueUUID(content);
-            String preTagReplace = UUID.randomUUID().toString() + System.currentTimeMillis();
+
-            // 判断替换字符串是否唯一
+            // 替换所有$为uniqueUUID
-            while (ReUtil.findAll(preTagReplace, content, 0, new ArrayList<>()).size() > 0) {
+            content = ReUtil.replaceAll(content, "\\$", uniqueUUID);
-                preTagReplace = UUID.randomUUID().toString() + System.currentTimeMillis();
+
-            }
+            // pre标签替换字符串
-            Pattern pattern = Pattern.compile(preTagReplace);
+            String replaceStr = uniqueUUID + uniqueUUID;
+
             // 替换pre标签内容
-            String preFilter = ReUtil.replaceAll(content, regex, preTagReplace);
+            String preFilter = ReUtil.replaceAll(content, REGEX_CODE, replaceStr);
+
             // 拦截xss
             final String[] filterResult = {replaceHtmlCode(preFilter)};
 
             // 依次将替换后的pre标签换回来
-            resultFindAll.forEach(obj -> filterResult[0] = ReUtil.replaceFirst(pattern, filterResult[0], obj));
+            Pattern pattern = Pattern.compile(replaceStr);
-            return filterResult[0];
+            resultFindAll.forEach(obj -> {
+                obj = ReUtil.replaceAll(obj, "\\$", uniqueUUID);
+                filterResult[0] = ReUtil.replaceFirst(pattern, filterResult[0], obj);
+            });
+
+            // 将$换回来
+            return ReUtil.replaceAll(filterResult[0], uniqueUUID, "$");
         } else {
             return replaceHtmlCode(content);
         }
     }
 
+    /**
+     * @param content 待查找内容
+     * @return
+     */
+    public static String searchUniqueUUID(String content) {
+        // 生成一个待替换唯一字符串
+        String uniqueUUID = UUID.randomUUID().toString();
+        // 判断替换字符串是否唯一
+        while (ReUtil.findAll(uniqueUUID, content, 0, new ArrayList<>()).size() > 0) {
+            uniqueUUID = UUID.randomUUID().toString();
+        }
+        return uniqueUUID;
+
+    }
+
 }
-
-

src/test/java/com/rymcu/forest/utils/TestFileMd5.java

@@ -1,30 +0,0 @@
-package com.rymcu.forest.utils;
-
-import org.junit.jupiter.api.Test;
-import org.springframework.beans.factory.annotation.Value;
-import org.springframework.boot.test.context.SpringBootTest;
-import org.springframework.core.io.Resource;
-import org.springframework.util.DigestUtils;
-
-import static org.junit.jupiter.api.Assertions.assertEquals;
-
-// 仅运行指定类
-@SpringBootTest(classes = TestFileMd5.class)
-public class TestFileMd5 {
-
-
-    @Value("classpath:1.txt")
-    private Resource testFile;
-
-    /**
-     * c6c26c7e8a5eb493b14e84bd91df60e3
-     * d41d8cd98f00b204e9800998ecf8427e
-     *
-     * @throws Exception
-     */
-    @Test
-    public void test() throws Exception {
-        String md5 = DigestUtils.md5DigestAsHex(testFile.getInputStream());
-        assertEquals("202cb962ac59075b964b07152d234b70", md5);
-    }
-}