From af0e0a110e7187bf008655f7510199a0c0b25ec4 Mon Sep 17 00:00:00 2001
From: Nymph2333 <498092988@qq.com>
Date: 星期一, 10 四月 2023 14:27:40 +0800
Subject: [PATCH] newInstance() 已弃用,使用clazz.getDeclaredConstructor().newInstance() This method propagates any exception thrown by the nullary constructor, including a checked exception. Use of this method effectively bypasses the compile-time exception checking that would otherwise be performed by the compiler. The Constructor.newInstance method avoids this problem by wrapping any exception thrown by the constructor in a (checked) InvocationTargetException. The call clazz.newInstance() can be replaced by clazz.getDeclaredConstructor().newInstance() The latter sequence of calls is inferred to be able to throw the additional exception types InvocationTargetException and NoSuchMethodException. Both of these exception types are subclasses of ReflectiveOperationException.
---
ruoyi-common/src/main/java/com/ruoyi/common/utils/html/EscapeUtil.java | 41 ++++++++++++++++++++++++++++-------------
1 files changed, 28 insertions(+), 13 deletions(-)
diff --git a/ruoyi-common/src/main/java/com/ruoyi/common/utils/html/EscapeUtil.java b/ruoyi-common/src/main/java/com/ruoyi/common/utils/html/EscapeUtil.java
index 8989ca1..dda96c3 100644
--- a/ruoyi-common/src/main/java/com/ruoyi/common/utils/html/EscapeUtil.java
+++ b/ruoyi-common/src/main/java/com/ruoyi/common/utils/html/EscapeUtil.java
@@ -22,7 +22,7 @@
// special HTML characters
TEXT['\''] = "'".toCharArray(); // 单引号
- TEXT['"'] = """.toCharArray(); // 单引号
+ TEXT['"'] = """.toCharArray(); // 双引号
TEXT['&'] = "&".toCharArray(); // &符
TEXT['<'] = "<".toCharArray(); // 小于号
TEXT['>'] = ">".toCharArray(); // 大于号
@@ -69,26 +69,37 @@
*/
private static String encode(String text)
{
- int len;
- if ((text == null) || ((len = text.length()) == 0))
+ if (StringUtils.isEmpty(text))
{
return StringUtils.EMPTY;
}
- StringBuilder buffer = new StringBuilder(len + (len >> 2));
+
+ final StringBuilder tmp = new StringBuilder(text.length() * 6);
char c;
- for (int i = 0; i < len; i++)
+ for (int i = 0; i < text.length(); i++)
{
c = text.charAt(i);
- if (c < 64)
+ if (c < 256)
{
- buffer.append(TEXT[c]);
+ tmp.append("%");
+ if (c < 16)
+ {
+ tmp.append("0");
+ }
+ tmp.append(Integer.toString(c, 16));
}
else
{
- buffer.append(c);
+ tmp.append("%u");
+ if (c <= 0xfff)
+ {
+ // issue#I49JU8@Gitee
+ tmp.append("0");
+ }
+ tmp.append(Integer.toString(c, 16));
}
}
- return buffer.toString();
+ return tmp.toString();
}
/**
@@ -144,9 +155,13 @@
public static void main(String[] args)
{
- String html = "alert('11111');";
- System.out.println(EscapeUtil.clean(html));
- System.out.println(EscapeUtil.escape(html));
- System.out.println(EscapeUtil.unescape(html));
+ String html = "<script>alert(1);</script>";
+ String escape = EscapeUtil.escape(html);
+ // String html = "<scr<script>ipt>alert(\"XSS\")</scr<script>ipt>";
+ // String html = "<123";
+ // String html = "123>";
+ System.out.println("clean: " + EscapeUtil.clean(html));
+ System.out.println("escape: " + escape);
+ System.out.println("unescape: " + EscapeUtil.unescape(escape));
}
}
--
Gitblit v1.9.2