CVE-2022-33113 - Jfinal CMS v5.1.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the keyword text field under the publish blog module.

src/main/java/com/jflyfox/modules/front/controller/ArticleController.java

@@ -16,6 +16,7 @@
 import com.jflyfox.modules.front.interceptor.FrontInterceptor;
 import com.jflyfox.modules.front.service.FrontCacheService;
 import com.jflyfox.util.StrUtils;
+import com.jflyfox.util.extend.HtmlUtils;
 
 /**
  * 文章管理
@@ -61,6 +62,12 @@ public void index() {
 				new FrontCacheService().addArticleCount(article);
 			}
 
+			// Fix for CVE-2022-33113...
+			// HtmlUtils.escapeHtml() is applied for content and title...
+			// This utility function helps to escape the characters in a String using HTML entities
+			if (article.getTitle().equals(HtmlUtils.unescapeHtml(article.getTitle()))) {
+				article.setTitle(HtmlUtils.escapeHtml(article.getTitle()));
+			}
 			setAttr("item", article);
 
 			// seo：title优化
@@ -70,6 +77,14 @@ public void index() {
 			// List<TbTags> taglist = new FrontCacheService().getTagsByArticle(articleId);
 			List<TbTags> taglist = TbTags.dao.find("select * from tb_tags " //
 					+ "where article_id = ? order by  create_time desc ", articleId);
+			// Fix for CVE-2022-33113...
+			// HtmlUtils.escapeHtml() is applied for all keywords retrieved...
+			// This utility function helps to escape the characters in a String using HTML entities
+			for(TbTags tag: taglist) {
+				if (tag.getTagname().equals(HtmlUtils.unescapeHtml(tag.getTagname()))) {
+					tag.setTagname(HtmlUtils.escapeHtml(tag.getTagname()));
+				}
+			}
 			setAttr("taglist", taglist);
 
 			// 评论

src/main/java/com/jflyfox/modules/front/controller/PersonController.java

@@ -56,7 +56,7 @@ public void index() {
 						+ " where " + getPublicWhere() //
 						+ " and t.create_id = ? and tf.site_id = ? " //
 						+ " order by t.sort,t.create_time desc", user.getUserid(), getSessionSite().getSiteId());
-		setAttr("page", articles);
+		setAttr("page", escapeHtmlInArticles(articles));
 
 		// 显示50个标签
 		if (articles.getTotalRow() > 0) {
@@ -95,7 +95,7 @@ public void article() {
 						+ " where " + getPublicWhere() //
 						+ " and t.create_id = ? and tf.site_id = ? " //
 						+ " order by t.sort,t.create_time desc", user.getUserid(), getSessionSite().getSiteId());
-		setAttr("page", articles);
+		setAttr("page", escapeHtmlInArticles(articles));
 
 		// 显示50个标签
 		if (articles.getTotalRow() > 0) {
@@ -135,7 +135,7 @@ public void articlelike() {
 						+ " left join tb_articlelike al on al.article_id = t.id" + " where " + getPublicWhere() //
 						+ " and al.create_id = ? and tf.site_id = ? " //
 						+ " order by t.sort,t.create_time desc", user.getUserid(), getSessionSite().getSiteId());
-		setAttr("page", articles);
+		setAttr("page", escapeHtmlInArticles(articles));
 
 		// 显示50个标签
 		if (articles.getTotalRow() > 0) {
@@ -258,9 +258,13 @@ public void saveblog() {
 		content = JFlyFoxUtils.delScriptTag(content);
 		title = HtmlUtils.delHTMLTag(title);
 		tags = HtmlUtils.delHTMLTag(tags);
-		model.setContent(content);
-		model.setTitle(title);
-
+
+		// Fix for CVE-2022-33113...
+		// HtmlUtils.escapeHtml() is applied for title and tags variable...
+		// This utility function helps to escape the characters in a String using HTML entities
+		title = HtmlUtils.escapeHtml(title);
+		tags = HtmlUtils.escapeHtml(tags);
+
 		// 这里没有必要提示太精准~因为前台有验证~绕过的都不是好人哦
 		if (content == null || HtmlUtils.delHTMLTag(content).length() > 2000 //
 				|| title == null || title.length() > 200 //
@@ -459,7 +463,7 @@ public void view() {
 						+ " where  " + getPublicWhere() //
 						+ " and t.create_id = ? and tf.site_id = ? " //
 						+ " order by t.sort,t.create_time desc", userid, getSessionSite().getSiteId());
-		setAttr("page", articles);
+		setAttr("page", escapeHtmlInArticles(articles));
 
 		// 显示50个标签
 		if (articles.getTotalRow() > 0) {
@@ -478,6 +482,21 @@ public void view() {
 
 	}
 
+	protected Page<TbArticle> escapeHtmlInArticles(Page<TbArticle> articles) {
+		// Fix for CVE-2022-33113...
+		// HtmlUtils.escapeHtml() is applied for title of all article elements...
+		// This utility function helps to escape the characters in a String using HTML entities
+		if (articles.getTotalRow() > 0) {
+			for (TbArticle article : articles.getList()) {
+				//for now, we have applied escape HTML only for title field... to be extended for other fields if required in future
+				if (article.getTitle().equals(HtmlUtils.unescapeHtml(article.getTitle()))) {
+					article.setTitle(HtmlUtils.escapeHtml(article.getTitle()));
+				}
+			}
+		}
+		return articles;
+	}
+
 	protected Page<TbTags> tags() {
 		return new FrontCacheService().getTags(new Paginator(1, 50), getSessionSite().getSiteId());
 	}

src/main/java/com/jflyfox/util/extend/HtmlUtils.java

@@ -20,6 +20,8 @@
 import java.util.regex.Matcher;
 import java.util.regex.Pattern;
 
+import org.apache.commons.lang.StringEscapeUtils;
+
 /**
  * html处理
  * 
@@ -124,4 +126,26 @@ public static String delSpecialCode(String content) {
 		return content;
 	}
 
+	/**
+	 * Escapes the characters in a String using HTML entities
+	 * For example: "bread" & "butter" becomes: "bread" & "butter".
+	 *
+	 * @param plainHtmlString (the String to escape, may be null)
+	 * @return a new escaped String, null if null string input
+	 */
+	public static String escapeHtml(String plainHtmlString) {
+		return StringEscapeUtils.escapeHtml(plainHtmlString);
+	}
+
+	/**
+	 * Unescapes a string containing entity escapes to a string containing the actual Unicode characters corresponding to the escapes.
+	 * For example, the string "&lt;Fran&ccedil;ais&gt;" will become "<Français>".
+	 *
+	 * @param escapedHtmlString (the String to unescape, may be null)
+	 * @return a new unescaped String, null if null string input
+	 */
+	public static String unescapeHtml(String escapedHtmlString) {
+		return StringEscapeUtils.unescapeHtml(escapedHtmlString);
+	}
+
 }