diff --git a/src/main/java/com/jflyfox/modules/front/controller/ArticleController.java b/src/main/java/com/jflyfox/modules/front/controller/ArticleController.java
index 6c004c5..4e5d84a 100644
--- a/src/main/java/com/jflyfox/modules/front/controller/ArticleController.java
+++ b/src/main/java/com/jflyfox/modules/front/controller/ArticleController.java
@@ -16,6 +16,7 @@ import com.jflyfox.modules.front.interceptor.FrontInterceptor;
 import com.jflyfox.modules.front.service.FrontCacheService;
 import com.jflyfox.util.StrUtils;
+import com.jflyfox.util.extend.HtmlUtils;
 /**
 * 文章管理
@@ -61,6 +62,12 @@ public void index() {
 new FrontCacheService().addArticleCount(article);
 }
+ // Fix for CVE-2022-33113...
+ // HtmlUtils.escapeHtml() is applied for content and title...
+ // This utility function helps to escape the characters in a String using HTML entities
+ if (article.getTitle().equals(HtmlUtils.unescapeHtml(article.getTitle()))) {
+ article.setTitle(HtmlUtils.escapeHtml(article.getTitle()));
+ }
 setAttr("item", article);
 // seo:title优化
@@ -70,6 +77,14 @@ public void index() {
 // List taglist = new FrontCacheService().getTagsByArticle(articleId);
 List taglist = TbTags.dao.find("select * from tb_tags " //
 + "where article_id = ? order by create_time desc ", articleId);
+ // Fix for CVE-2022-33113...
+ // HtmlUtils.escapeHtml() is applied for all keywords retrieved...
+ // This utility function helps to escape the characters in a String using HTML entities
+ for(TbTags tag: taglist) {
+ if (tag.getTagname().equals(HtmlUtils.unescapeHtml(tag.getTagname()))) {
+ tag.setTagname(HtmlUtils.escapeHtml(tag.getTagname()));
+ }
+ }
 setAttr("taglist", taglist);
 // 评论
diff --git a/src/main/java/com/jflyfox/modules/front/controller/PersonController.java b/src/main/java/com/jflyfox/modules/front/controller/PersonController.java
index b439a5b..9363c0c 100644
--- a/src/main/java/com/jflyfox/modules/front/controller/PersonController.java
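Review bot: The guard `if (article.getTitle().equals(HtmlUtils.unescapeHtml(article.getTitle())))` skips escaping whenever the stored title already contains any entity, so a title such as `&amp;<script>alert(1)</script>` — one entity plus raw markup — differs from its unescaped form, is left as-is, and reaches `setAttr("item", article)` with the `<script>` intact. Normalising instead of guarding removes that gap and is idempotent for titles saveblog now stores escaped: `article.setTitle(HtmlUtils.escapeHtml(HtmlUtils.unescapeHtml(article.getTitle())));`, behind a null check since `getTitle()` is dereferenced twice here without one. The comment `// HtmlUtils.escapeHtml() is applied for content and title...` overstates the hunk — only the title is touched — so it should read `// escape the title before it is rendered; the article body is not escaped here`. index() continues outside the hunk.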
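Review bot: The tag loop repeats the equals-after-unescape guard at `if (tag.getTagname().equals(HtmlUtils.unescapeHtml(tag.getTagname())))`, so a tag name mixing an entity with raw markup is passed to `setAttr("taglist", taglist)` unescaped, and a null tagname throws before the attribute is set. Replace the guard with a null check and `tag.setTagname(HtmlUtils.escapeHtml(HtmlUtils.unescapeHtml(tag.getTagname())));`, which gives the same result for raw and already-escaped names. Style: `for(TbTags tag: taglist)` should be spaced like the sibling loop in escapeHtmlInArticles, `for (TbTags tag : taglist)`. index() continues outside the hunk.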
+++ b/src/main/java/com/jflyfox/modules/front/controller/PersonController.java @@ -56,7 +56,7 @@ public void index() { + " where " + getPublicWhere() // + " and t.create_id = ? and tf.site_id = ? " // + " order by t.sort,t.create_time desc", user.getUserid(), getSessionSite().getSiteId()); - setAttr("page", articles); + setAttr("page", escapeHtmlInArticles(articles)); // 显示50个标签 if (articles.getTotalRow() > 0) { @@ -95,7 +95,7 @@ public void article() { + " where " + getPublicWhere() // + " and t.create_id = ? and tf.site_id = ? " // + " order by t.sort,t.create_time desc", user.getUserid(), getSessionSite().getSiteId()); - setAttr("page", articles); + setAttr("page", escapeHtmlInArticles(articles)); // 显示50个标签 if (articles.getTotalRow() > 0) { @@ -135,7 +135,7 @@ public void articlelike() { + " left join tb_articlelike al on al.article_id = t.id" + " where " + getPublicWhere() // + " and al.create_id = ? and tf.site_id = ? " // + " order by t.sort,t.create_time desc", user.getUserid(), getSessionSite().getSiteId()); - setAttr("page", articles); + setAttr("page", escapeHtmlInArticles(articles)); // 显示50个标签 if (articles.getTotalRow() > 0) { @@ -258,9 +258,13 @@ public void saveblog() { content = JFlyFoxUtils.delScriptTag(content); title = HtmlUtils.delHTMLTag(title); tags = HtmlUtils.delHTMLTag(tags); - model.setContent(content); - model.setTitle(title); - + + // Fix for CVE-2022-33113... + // HtmlUtils.escapeHtml() is applied for title and tags variable... + // This utility function helps to escape the characters in a String using HTML entities + title = HtmlUtils.escapeHtml(title); + tags = HtmlUtils.escapeHtml(tags); + // 这里没有必要提示太精准~因为前台有验证~绕过的都不是好人哦 if (content == null || HtmlUtils.delHTMLTag(content).length() > 2000 // || title == null || title.length() > 200 // 
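Review bot: `title = HtmlUtils.escapeHtml(title);` and `tags = HtmlUtils.escapeHtml(tags);` escape at save time, so new rows hold HTML-encoded text while pre-existing rows hold raw text — which is why every read path now needs the unescape/equals guard — and any non-HTML consumer of these columns (JSON, feeds, search) will see `&amp;` and `&quot;` in the data; encoding once at render time keeps the stored value canonical. The check `title.length() > 200` just below now runs on the escaped string, so a legitimate title near the limit is rejected once `&` expands to `&amp;`; validate the length before escaping. The removed `model.setContent(content); model.setTitle(title);` lines have no replacement in this hunk — if the model is populated later in saveblog, outside the hunk, that is fine, otherwise the cleaned values never reach it. `content` still only passes through `JFlyFoxUtils.delScriptTag(content)`, which from its name strips script tags rather than encoding, so the body remains the most likely remaining injection point and is not addressed by this change. saveblog() continues outside the hunk.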
@@ -459,7 +463,7 @@ public void view() {
 + " where " + getPublicWhere() //
 + " and t.create_id = ? and tf.site_id = ? " //
 + " order by t.sort,t.create_time desc", userid, getSessionSite().getSiteId());
- setAttr("page", articles);
+ setAttr("page", escapeHtmlInArticles(articles));
 // 显示50个标签
 if (articles.getTotalRow() > 0) {
@@ -478,6 +482,21 @@ public void view() {
 }
+ protected Page escapeHtmlInArticles(Page articles) {
+ // Fix for CVE-2022-33113...
+ // HtmlUtils.escapeHtml() is applied for title of all article elements...
+ // This utility function helps to escape the characters in a String using HTML entities
+ if (articles.getTotalRow() > 0) {
+ for (TbArticle article : articles.getList()) {
+ //for now, we have applied escape HTML only for title field... to be extended for other fields if required in future
+ if (article.getTitle().equals(HtmlUtils.unescapeHtml(article.getTitle()))) {
+ article.setTitle(HtmlUtils.escapeHtml(article.getTitle()));
+ }
+ }
+ }
+ return articles;
+ }
+
 protected Page tags() {
 return new FrontCacheService().getTags(new Paginator(1, 50), getSessionSite().getSiteId());
 }
diff --git a/src/main/java/com/jflyfox/util/extend/HtmlUtils.java b/src/main/java/com/jflyfox/util/extend/HtmlUtils.java
index 2982214..03de415 100644
--- a/src/main/java/com/jflyfox/util/extend/HtmlUtils.java
+++ b/src/main/java/com/jflyfox/util/extend/HtmlUtils.java
@@ -20,6 +20,8 @@ import java.util.regex.Matcher;
 import java.util.regex.Pattern;
+import org.apache.commons.lang.StringEscapeUtils;
+
 /**
 * html处理
 *
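Review bot: `escapeHtmlInArticles` escapes a title only when `article.getTitle().equals(HtmlUtils.unescapeHtml(article.getTitle()))`, so a stored title holding both an entity and raw markup (for example `&amp;<img src=x onerror=alert(1)>`) fails the comparison and is handed to the view untouched — the guard added to avoid double-escaping titles that saveblog now stores escaped becomes a bypass for mixed strings — and a null title throws a NullPointerException on the first call. Unescape-then-escape is idempotent for raw, escaped and mixed input, so the guard can go; the rewrite below does that behind a null check and replaces the three `// Fix for CVE-2022-33113...` lines with a Javadoc that states the method mutates the TbArticle instances in place and returns the same Page. This helper is wired into four read paths in PersonController and a fifth copy of the same guard lives in ArticleController.index(); any path that renders a title without going through it stays exposed, so encoding in the templates themselves would be the more robust fix.
```java
	/**
	 * HTML-escapes the title of every article in {@code articles}, in place, so the
	 * page can be rendered into HTML whether a title was stored raw or already
	 * escaped by saveblog(). Returns the same Page instance.
	 */
	protected Page escapeHtmlInArticles(Page articles) {
		if (articles.getTotalRow() > 0) {
			for (TbArticle article : articles.getList()) {
				String title = article.getTitle();
				if (title == null) {
					continue;
				}
				// Normalise rather than guard: unescape-then-escape yields the same
				// result for raw, escaped and mixed input, so a title containing one
				// entity plus raw markup cannot skip the escaping step.
				article.setTitle(HtmlUtils.escapeHtml(HtmlUtils.unescapeHtml(title)));
			}
		}
		return articles;
	}
```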
@@ -124,4 +126,26 @@ public static String delSpecialCode(String content) {
 return content;
 }
+ /**
+ * Escapes the characters in a String using HTML entities
+ * For example: "bread" & "butter" becomes: "bread" & "butter".
+ *
+ * @param plainHtmlString (the String to escape, may be null)
+ * @return a new escaped String, null if null string input
+ */
+ public static String escapeHtml(String plainHtmlString) {
+ return StringEscapeUtils.escapeHtml(plainHtmlString);
+ }
+
+ /**
+ * Unescapes a string containing entity escapes to a string containing the actual Unicode characters corresponding to the escapes.
+ * For example, the string "<Français>" will become "".
+ *
+ * @param escapedHtmlString (the String to unescape, may be null)
+ * @return a new unescaped String, null if null string input
+ */
+ public static String unescapeHtml(String escapedHtmlString) {
+ return StringEscapeUtils.unescapeHtml(escapedHtmlString);
+ }
+
 }
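Review bot: `StringEscapeUtils.escapeHtml` from commons-lang 2.x encodes `<`, `>`, `&`, `"` and the ISO-8859-1/symbol entity set but not the apostrophe, so `escapeHtml` is safe for element text and double-quoted attribute values only — a title placed in a single-quoted attribute or inside a `<script>` block is not covered, and the Javadoc should say so: `* Safe for HTML text and double-quoted attribute values; the apostrophe is not encoded.` The examples as they appear here have identical input and output for escapeHtml and an empty result for unescapeHtml, presumably entities lost in rendering; if the source really reads this way, restore `&quot;bread&quot; &amp; &quot;butter&quot;` and `&lt;Fran&ccedil;ais&gt;`. commons-lang 2 is end-of-life; the maintained replacements (`commons-lang3` `escapeHtml4`, then commons-text) carry the same apostrophe limitation, so the caveat stays regardless of the library.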