From bd09e5b11ccb425d2b280c96b98dc110b1bb2c59 Mon Sep 17 00:00:00 2001 From: RuoYi Date: Mon, 1 Nov 2021 15:02:47 +0800 Subject: [PATCH] =?UTF-8?q?=E4=BF=AE=E5=A4=8D=E5=AD=97=E7=AC=A6=E4=B8=B2?= =?UTF-8?q?=E6=97=A0=E6=B3=95=E8=A2=AB=E5=8F=8D=E8=BD=AC=E4=B9=89=E9=97=AE?= =?UTF-8?q?=E9=A2=98?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../ruoyi/common/utils/html/EscapeUtil.java | 34 +++++++++++++------ 1 file changed, 23 insertions(+), 11 deletions(-) diff --git a/ruoyi-common/src/main/java/com/ruoyi/common/utils/html/EscapeUtil.java b/ruoyi-common/src/main/java/com/ruoyi/common/utils/html/EscapeUtil.java index 65fd7920f..dda96c32f 100644 --- a/ruoyi-common/src/main/java/com/ruoyi/common/utils/html/EscapeUtil.java +++ b/ruoyi-common/src/main/java/com/ruoyi/common/utils/html/EscapeUtil.java @@ -69,26 +69,37 @@ public class EscapeUtil */ private static String encode(String text) { - int len; - if ((text == null) || ((len = text.length()) == 0)) + if (StringUtils.isEmpty(text)) { return StringUtils.EMPTY; } - StringBuilder buffer = new StringBuilder(len + (len >> 2)); + + final StringBuilder tmp = new StringBuilder(text.length() * 6); char c; - for (int i = 0; i < len; i++) + for (int i = 0; i < text.length(); i++) { c = text.charAt(i); - if (c < 64) + if (c < 256) { - buffer.append(TEXT[c]); + tmp.append("%"); + if (c < 16) + { + tmp.append("0"); + } + tmp.append(Integer.toString(c, 16)); } else { - buffer.append(c); + tmp.append("%u"); + if (c <= 0xfff) + { + // issue#I49JU8@Gitee + tmp.append("0"); + } + tmp.append(Integer.toString(c, 16)); } } - return buffer.toString(); + return tmp.toString(); } /** @@ -145,11 +156,12 @@ public class EscapeUtil public static void main(String[] args) { String html = ""; + String escape = EscapeUtil.escape(html); // String html = "ipt>alert(\"XSS\")ipt>"; // String html = "<123"; // String html = "123>"; - System.out.println(EscapeUtil.clean(html)); - System.out.println(EscapeUtil.escape(html)); - System.out.println(EscapeUtil.unescape(html)); + System.out.println("clean: " + EscapeUtil.clean(html)); + System.out.println("escape: " + escape); + System.out.println("unescape: " + EscapeUtil.unescape(escape)); } }